modiloader | 8614abe7235f3750a5014e381149c51f0dce2b58aea794cfd4aaef91370ace08

Analysis

max time kernel
1800s
max time network
1782s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe
Size

1.2MB
MD5

b9aad0362d8ed8316b0ecc1cedb7fafd
SHA1

bec1947281d9f39a6bdf33c46fe1514214ec37fe
SHA256

8614abe7235f3750a5014e381149c51f0dce2b58aea794cfd4aaef91370ace08
SHA512

36eff8621ea91c081ed08116dc3dcfd19bfd970de0277790530e8807c8b5113a2df62693629d355b01a6bfb91a11ae28ca5295143072b8ac0d7d007a4360505f
SSDEEP

24576:UcVkKS/WtWrnngnnnKnanxNpDcexw6kPEmEi90YAVk8B1MxWl+2w0NNx29sWD9k9:UcB6WErnngnnnKnanzSexoNfv8B1Mk+K

Score

10^/10

modiloader aspackv2 persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2524-1523-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-1533-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-1536-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-1541-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-1554-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-1556-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-1558-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-2996-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-3539-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-3544-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-3558-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-3559-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/4216-3560-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
C:\Users\Admin\Downloads\RCX867A.tmp	modiloader_stage2
C:\Users\Admin\Downloads\aimware.exe	modiloader_stage2
behavioral2/memory/4216-3623-0x0000000000400000-0x0000000000545000-memory.dmp	modiloader_stage2
behavioral2/memory/5088-3723-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2
behavioral2/memory/5088-3727-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2
behavioral2/memory/5088-3728-0x0000000000400000-0x000000000046A000-memory.dmp	modiloader_stage2

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe	aspack_v212_v242

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Upx.exe	upx
behavioral2/memory/1120-3612-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/1120-3622-0x0000000000400000-0x000000000057E000-memory.dmp	upx
C:\Users\Admin\Downloads\aimware.exe	upx
behavioral2/memory/5088-3721-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5088-3723-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5088-3727-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/5088-3728-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aimware.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aimware.exe = "C:\\Users\\Admin\\Downloads\\aimware.exe"	aimware.exe

Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

409 raw.githubusercontent.com
410 raw.githubusercontent.com
411 raw.githubusercontent.com
408 raw.githubusercontent.com

flow	ioc
409	raw.githubusercontent.com
410	raw.githubusercontent.com
411	raw.githubusercontent.com
408	raw.githubusercontent.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exeBlueStacksInstaller.exeWinLocker Builder v1.4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	BlueStacksInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	WinLocker Builder v1.4.exe

Executes dropped EXE 6 IoCs

Processes:

BlueStacksInstaller.exeBlueStacksInstaller.exeWinLocker Builder v1.4.exeWinLocker Builder v1.4.exeUpx.exeaimware.exe

pid	process
1844	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
2524	WinLocker Builder v1.4.exe
4216	WinLocker Builder v1.4.exe
1120	Upx.exe
5088	aimware.exe

Loads dropped DLL 2 IoCs

Processes:

BlueStacksInstaller.exeBlueStacksInstaller.exe

pid process

1844 BlueStacksInstaller.exe
3668 BlueStacksInstaller.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 64 IoCs

Processes:

WinLocker Builder v1.4.exeWinLocker Builder v1.4.exefirefox.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	WinLocker Builder v1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	WinLocker Builder v1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WinLocker Builder v1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "4"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	WinLocker Builder v1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	WinLocker Builder v1.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	WinLocker Builder v1.4.exe
Key created	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	WinLocker Builder v1.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	WinLocker Builder v1.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	WinLocker Builder v1.4.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BlueStacksInstaller.exeBlueStacksInstaller.exeaimware.exe

pid	process
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
1844	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
3668	BlueStacksInstaller.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe
5088	aimware.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WinLocker Builder v1.4.exe

pid process

4216 WinLocker Builder v1.4.exe

pid	process
4216	WinLocker Builder v1.4.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

BlueStacksInstaller.exeBlueStacksInstaller.exefirefox.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1844	BlueStacksInstaller.exe
Token: SeDebugPrivilege	3668	BlueStacksInstaller.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeDebugPrivilege	4832	firefox.exe
Token: SeShutdownPrivilege	4452	explorer.exe
Token: SeCreatePagefilePrivilege	4452	explorer.exe
Token: SeShutdownPrivilege	4452	explorer.exe
Token: SeCreatePagefilePrivilege	4452	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exeWinLocker Builder v1.4.exe

pid	process
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
4832	firefox.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe
2524	WinLocker Builder v1.4.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4832 firefox.exe
4832 firefox.exe
4832 firefox.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

firefox.exeWinLocker Builder v1.4.exeWinLocker Builder v1.4.exe

pid process

4832 firefox.exe
4832 firefox.exe
4832 firefox.exe
4832 firefox.exe
2524 WinLocker Builder v1.4.exe
4216 WinLocker Builder v1.4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exeBlueStacksInstaller.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3480 wrote to memory of 1844	3480	BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe	BlueStacksInstaller.exe
PID 3480 wrote to memory of 1844	3480	BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe	BlueStacksInstaller.exe
PID 1844 wrote to memory of 3668	1844	BlueStacksInstaller.exe	BlueStacksInstaller.exe
PID 1844 wrote to memory of 3668	1844	BlueStacksInstaller.exe	BlueStacksInstaller.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4864 wrote to memory of 4832	4864	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 3404	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2744	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2744	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2744	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2744	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2744	4832	firefox.exe	firefox.exe
PID 4832 wrote to memory of 2744	4832	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe
"C:\Users\Admin\AppData\Local\Temp\BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\BlueStacksInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\BlueStacksInstaller.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\BlueStacksInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\BlueStacksInstaller.exe" "install" "BlueStacksMicroInstaller_4.280.1.1002_native_e8c808cb017c46f465f6562b28124796.exe" "e8c808cb017c46f465f6562b28124796" "admin" "bd3b305f-516b-4deb-b339-5877a4ccce33" "170fdfa8-a7e1-465b-b429-8f1acccf5cee"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.0.612557094\1699364279" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7e363fc-a9c9-4e0b-a096-ae949fa551f6} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 1884 295a4b20a58 gpu
3⤵
PID:3404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.1.226088799\931614571" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {850cf4b4-a625-40a2-bbbc-4903a6f427a7} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 2452 29597e89058 socket
3⤵
- Checks processor information in registry
PID:2744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.2.1006635483\767660725" -childID 1 -isForBrowser -prefsHandle 2888 -prefMapHandle 2856 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94054657-66ec-400e-86ce-aa75edb17923} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 2860 295a7903558 tab
3⤵
PID:4344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.3.668213597\150779826" -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 3892 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a8e58d-ea99-4d89-b645-8edfbdba7dac} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 3908 29597e79c58 tab
3⤵
PID:4372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.4.1887779263\1785356088" -childID 3 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d104d6fd-0d8c-4798-9c91-541c59f67e35} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5072 295ac088a58 tab
3⤵
PID:5396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.5.1702768952\1184194006" -childID 4 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a1a9d35-84ca-416f-bcc4-f69743005b68} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5208 295ac089358 tab
3⤵
PID:5404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.6.235048763\1705869818" -childID 5 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a27ccdf-0f97-40f9-9ae6-8f23fccc9ff6} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5400 295ac166858 tab
3⤵
PID:5412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.7.1412460818\1946140585" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5216 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6244d83-3f04-4e7a-89a1-ec25c5726d41} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5272 295a97a3158 tab
3⤵
PID:2656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.8.1906668829\1753497052" -parentBuildID 20230214051806 -prefsHandle 6036 -prefMapHandle 6020 -prefsLen 28041 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99904ae0-4177-4911-b548-8cd3dbc4f420} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6048 295acf84b58 rdd
3⤵
PID:5912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.9.458465481\427248688" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6168 -prefMapHandle 6064 -prefsLen 28041 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b12854c2-def7-449c-8f9c-c629e0a73d9f} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6176 295acf86c58 utility
3⤵
PID:5856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.10.751129650\2035575051" -childID 7 -isForBrowser -prefsHandle 6432 -prefMapHandle 6428 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b10106-b0cb-48f8-b44f-19223c3630f9} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6444 295ad134858 tab
3⤵
PID:4568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.11.1071683324\526518050" -childID 8 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5efc0dc2-f423-41e5-9d38-1521809f65ad} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6332 295ac1d8558 tab
3⤵
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.12.1656600063\272054944" -childID 9 -isForBrowser -prefsHandle 5616 -prefMapHandle 5664 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf96cb65-7d61-41dd-bc23-777a0b3daf71} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5060 295ad5d4e58 tab
3⤵
PID:5600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.13.576121581\1356420580" -childID 10 -isForBrowser -prefsHandle 4432 -prefMapHandle 5220 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ffa529b-0145-49a6-89d2-cf2af326fd5b} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6680 295ad5d1858 tab
3⤵
PID:5608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.14.1019513197\939493213" -childID 11 -isForBrowser -prefsHandle 5348 -prefMapHandle 6008 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83dd19ec-60b2-4634-8f23-bd9524d0cb9c} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10768 295acb7ad58 tab
3⤵
PID:5516

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.15.702922103\935455930" -childID 12 -isForBrowser -prefsHandle 6564 -prefMapHandle 10736 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcbc6e62-9d17-4222-9261-e34a3c782289} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6536 295adff3a58 tab
3⤵
PID:2972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.16.171939235\238535340" -childID 13 -isForBrowser -prefsHandle 11044 -prefMapHandle 11048 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab47a9d9-190e-469a-a877-232e1c5a3d36} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6472 295adff4358 tab
3⤵
PID:3604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.17.1957755111\1278141843" -childID 14 -isForBrowser -prefsHandle 5712 -prefMapHandle 6692 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94f72226-98a2-48ca-ad29-8ac1a76faf16} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5364 29597e41b58 tab
3⤵
PID:5640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.18.893555567\1555249495" -childID 15 -isForBrowser -prefsHandle 5308 -prefMapHandle 4960 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {957ce34e-6609-4b34-996c-11aeb4eb1d5b} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10596 295ad799258 tab
3⤵
PID:5668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.19.217428709\2046002826" -childID 16 -isForBrowser -prefsHandle 10512 -prefMapHandle 10508 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82df6b54-3d4b-49a8-af5f-1b1adb8b9e49} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10584 295ae22bf58 tab
3⤵
PID:400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.20.963062013\1778759471" -childID 17 -isForBrowser -prefsHandle 10340 -prefMapHandle 10336 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fea65763-99a3-41cc-8b6b-52a1894bc242} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10324 295ae069d58 tab
3⤵
PID:4960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.21.731994853\1889421468" -childID 18 -isForBrowser -prefsHandle 10508 -prefMapHandle 10512 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56bc3ff6-bcbc-49e5-b27e-549f8715be09} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5184 295ae069158 tab
3⤵
PID:2956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.22.1050240998\1994656314" -childID 19 -isForBrowser -prefsHandle 10220 -prefMapHandle 10208 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ec2e1c2-76c4-471e-b49f-60128337bcc5} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 5116 295aeef2858 tab
3⤵
PID:5692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.23.1737735333\1673858850" -childID 20 -isForBrowser -prefsHandle 10568 -prefMapHandle 5184 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6789cecf-e28a-4ec2-ae22-2548eb260fae} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10140 295a3ed2258 tab
3⤵
PID:5008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.24.1753904420\1750926887" -childID 21 -isForBrowser -prefsHandle 10180 -prefMapHandle 10184 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5ef94fc-513e-4784-a604-93f436227207} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10172 295a97a3758 tab
3⤵
PID:2412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.25.1130206569\944756723" -childID 22 -isForBrowser -prefsHandle 10300 -prefMapHandle 10440 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e839c23b-01eb-459a-b7d5-c0930be2fedf} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10148 295a97a4058 tab
3⤵
PID:5488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.26.894428361\478358097" -childID 23 -isForBrowser -prefsHandle 5076 -prefMapHandle 5680 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f544322c-86dd-4dd3-8962-38d18709fc2c} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 6776 295af123258 tab
3⤵
PID:1760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4832.27.861802398\2014078639" -childID 24 -isForBrowser -prefsHandle 5344 -prefMapHandle 10144 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1272 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3de35da3-fa59-4023-ba44-36d048f5b147} 4832 "\\.\pipe\gecko-crash-server-pipe.4832" 10420 295af063958 tab
3⤵
PID:4608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1612

C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe
"C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe
"C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Users\Admin\AppData\Local\Temp\Upx.exe
"C:\Users\Admin\AppData\Local\Temp\Upx.exe" "C:\Users\Admin\Downloads\aimware.exe"
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2444

C:\Users\Admin\Downloads\aimware.exe
"C:\Users\Admin\Downloads\aimware.exe"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BlueStacks\BlueStacksMicroInstaller_4.280.1.1002.log
Filesize
2KB

MD5
b985959e151c92444213790af9762e1e

SHA1
e962421f37d357e982aee36e7b576e9cbdba745e

SHA256
64d930a6c88e39f55f0443d2a6ecebfbe069e79774716d6affd37fdba0201a81

SHA512
64afa13697ce46d2097162a9b6a6efe1e18941fdf388dfa15f4e929c28276839068ceec56953c4e9683d186e7c8a639a0d89230d717010585cf8a280530ff84c

Download Submit
C:\Users\Admin\AppData\Local\Bluestacks\Logs.log
Filesize
105B

MD5
14ee48f73f0ae775d4a60b80f20f3478

SHA1
0d076bac2e9a87e46ba6ed6c33a7fca543848858

SHA256
cea59632af0d2f1742a54d5a92a9da73d2535c9b4afda20a595f3f843cc0ac16

SHA512
c794f94b61a01ca9c357983ac216d6fcadf69362727373a3abe48b8ea9e881ee22c5450624aa6955c83ac01c97f179ba5b84a71d16d2d9f4220a110ee183ff67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BlueStacksInstaller.exe.log
Filesize
2KB

MD5
0f186e94e9b99a5e2e31c2dc955346cc

SHA1
ffd9997b2db8c39f410f5d2a9f3d080f8d7523b7

SHA256
bf171a0e53a7acb766fd4f462f516bc2bab3dbc6e12b7b2423af5bae8be1fdf4

SHA512
530ea4c1e9fd6799cbb1be4f7278d4e9ce23875898164dc42650e62e8b37cd886cfa0174310541736487e58ca691a83b1079aa8780ebb7491de8da65c3433488

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmp
Filesize
27KB

MD5
12e6ed287c8d0179a685330332fa60ee

SHA1
ac3984d6d017e1b96933b9c7a539cd29f9969afc

SHA256
e2e69cca9a23347603209dedf37bedb008eeb985fa18ab669e994a2e394d5c79

SHA512
bb643b435011eca73db8794ed5cc18e7fb093de63d7f05179c742017da628ff4be511f74c839cbcdb03dbd833baf250fb0ce126bde44a89e2ae5b29193224a43

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\11509
Filesize
21KB

MD5
e2df74c2c57404e94f59364afe0d0903

SHA1
5f40cf605ada219ff6c4f542650187b2b77b428e

SHA256
c1226d7e3cacf90c38a02b227164d64ac9d26923154291620f6c50b8d65b1f1a

SHA512
531dca51063feddca185ee008d133b18d147532387674cefd1cbabb7d3f65f9676571b70b0839734ac561dd521270f45b6e0f4bf6c38a604d028fc5b39e06fdf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\118
Filesize
8KB

MD5
a3e53e032796765aa9589093c239955d

SHA1
b2cf7bfbeb95a3ad838b21be1f12b63d06d42598

SHA256
33335a269f49703f99d3f1742641df9450f3177c5e59b0e5a46b05cdb4ba330d

SHA512
18884bf0fc260bb938146f5f86e7ac74b1041fb8423bc8782847b5a0d7f01357d9e99e35f952f28ff72073d619365909a22d2a1445d645024b0cb4a4997132b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\11883
Filesize
17KB

MD5
c13503c7782661e1e0fd2a52bc0664dd

SHA1
24163e0d8ecf63d8bb3510560b52b4df36a1cf55

SHA256
a3c104b557b53db70f5c3b27a91d1b07a3bb78704d74688894303d4f739e697b

SHA512
4938c2bcf4eca5869e9a6d27f30fae46995ff62fdaf0b9fedc52535f2354942dc41de63039e49af0a014229344f517022ec6cce492ccad9e5a79121649a57985

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\16260
Filesize
16KB

MD5
29954887f5123d195a749e22c1f19cc2

SHA1
143622d3222467aad376f905e43c3a884e0988f7

SHA256
39e479797098c353022b3fb80e800e7e67978b2a9297d0e17732755826f1e553

SHA512
a1415aa5f7d2e492a8148b62dfd8604f83f2cf303d40a84ff73cb46e0b9db261d82d6f50ca8af6b074eb86efca847205925887d0e9e4a702dcce62fce0cb43a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\19824
Filesize
9KB

MD5
07e06bd512767940620ebd3fc0f7e971

SHA1
e84fc321ca6a36bc1638cfab3f198b9fd6e2f81d

SHA256
a3728690ab02f6a12852bc71d28c2387000117d3f737087970959ae1fbaaad30

SHA512
d22969f0370ba770171d5fa25c710aa329990f40b18d5e7fa987b68ba6be99e962fae6b2c154dd57a46fe771f1df20ca903726a291906917615dab42ec8f52fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\22707
Filesize
12KB

MD5
6dfc306456bcc8c62d2ba085d21f7f63

SHA1
0830c0c05d9d7866f7090c11d3b9b4815e540b9d

SHA256
3ef5352c7ca68805e465802326f58078e22cc5e1705e7db1e337218e11a246a5

SHA512
c7ec32acc7decbbe198fbc73261eec84d327788790b375ae8a5522163456b50dfc2b64eb93dcb9fb7b8a406c49b796dd20de132659b4543f7eddd3ab69bf9334

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\28593
Filesize
21KB

MD5
fcd01b9015e7a414eb6fb6d478d8f3a2

SHA1
afd0c85703ccb7826015c582c9c7f65bf726b198

SHA256
8277b95de41d4195108339257d295ac1ac9c1bd76b24b8048cc8c543ed0849a8

SHA512
6bd322308fa2880bd9a9518bae67129f2342e1fd54a1300cec1a371d3651a34784911953212d0f7645bd8ee563c2414b73ee8f6f21939fd62b2c02a1d10813bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\2955
Filesize
21KB

MD5
2eee1df13a5da2ce54cac579710f8af4

SHA1
f5f274853caa98fcf90d8079c62ef4733f5fe549

SHA256
36b4fbffb7db038513cc9eaf0d4e3c128f1096b2b53bbb85a5f940e9f9acd385

SHA512
cf09d1f574c5c8ef4b391236f983cbcac5e2e21df41ba49d6fb4031abd90b32ba911124720107aeaa36f701f310e73c7c6780bac13dfff9bb136477c88e91c10

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\29995
Filesize
21KB

MD5
ea1f58ee0ddcf6647d7a42d4a1c37934

SHA1
25566624fd406b8ba60e28255e2dd1918b2ac43f

SHA256
d0928ad2d422dd22cc7a782960cc623b4ff87950fd025a0a15bd3d70accafb48

SHA512
ea94563bc31c29f47b4f30068a58c105d0377b582cda4beac9a2155f1de4ac3a03e62282fe4e3474ca20243ab14bef38976092817b14f8a39379a95224897c22

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\9420
Filesize
12KB

MD5
8a526e856229bc286a1067c56b8d45c5

SHA1
7c2fae42bbd16304708968036ad19e9b4b56e18c

SHA256
d1eb7c009e6ed697ee45b8ce2675bda91cc8f9b019b5c043b2d0a705b6727285

SHA512
c7606b5828cdecb77aaa61e288cf89c542259512b60f79d54bdf1e57403ea83f48b888195e9e0e56691e5ff2492a156b7fb8ad4c0263fb5e5bdca9a0cdf4fd27

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\0037F283B8D748CCC1EEB184774A9FF740FA2A07
Filesize
46KB

MD5
047ef08391eeb58328fee504427057d8

SHA1
27172557d953ef19577375dc427d9173dda48dea

SHA256
9f4a99d2c1162c18fc28fc0f9d93abf6353a5e04be02c3e917afa3a212984f00

SHA512
d065a820e15df21b34f7c9630f1e0e92c13e1401cdca4a670b1badac698e72b24b6b18b0902ee2d4ea6f59eb88295e0edc045410f4b7f629e632065f203cdaec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\10469F39468858FBA4B2426809E1C94DB93D17D1
Filesize
422KB

MD5
a20ea251f2ef8199c517e30ad6477ea0

SHA1
8847fc73badbde451d4e7b45813fb0a80d73f80c

SHA256
04375e76308c3937dd792a3063010d7ac40bfb432314dd28796c16407925fb56

SHA512
ff0fd9db260bb8e0e0115098ad9ca06c54db9b6b9a2a97cbb42f5872b13223ca2c4e0c6a027389c9dc15478923b292e7a6b550ad94f5ad3b0d0687b41cbbf623

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\175FC1F27DF5030D57F8D0FF3A5E0CD7039CB332
Filesize
35KB

MD5
14991c9b2c45a6562ff9f0c1f08c3fb7

SHA1
798d42808eb9ea64662f2760cedab89d62c40d0d

SHA256
40c60d954d80894f742be3752b90348ba5ca7839314746eee4a6cd9ed7d3772e

SHA512
526e70aa762b4d9bcfddf215c3ca0abcf4509df3cd3dbce47f6157b763283aef484f5467bbbb311b120aef0bb47b8275d532c866dbc906697eb0093a5009397d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\186C95AB6EF39D38E7D72D839A6896FF58908570
Filesize
82KB

MD5
8307017bf7a9b9984c99acd7daa1245a

SHA1
7c70048203b0a18d481da9a8bbcaf98293df097a

SHA256
5ec5eb94313408edf988c41203d6f0d12b9d4f3ae1084fdfd41c36075db77919

SHA512
de4c01bca995ea61467032b211ccc1ebf537aa4e27edca4eef9fee483dbda584da37f6a7390dc3de6db8fd66421d85a57f71312c45de25cfeb91f25ad94f490a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\5DA90209A0E977CC1619187C88C5417F603D28B0
Filesize
60KB

MD5
be7e225566e45c20662979c15c417686

SHA1
4dc2aa0aa3e6e6ba3df916947935d5a72d67367d

SHA256
765bdf50affa7fd052e217738078d266ee729cdcfaaef9ab514dd720ba601d7e

SHA512
a1705e59548ee67a2b24bff5b18f11f80854067127c0ab451a26f5b4da47561f16c9ab6d76cad0808f8b90dfb9bfbf27bab4dff1a00d7d11df797a9b38f326f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\5F7C5BAD797CD29011DA2E9AFF41794C865AB8FA
Filesize
95KB

MD5
4b7fe486d5874627b987768f8fecb3c7

SHA1
fab2179ff932653de6983b17b3f69b85db96adb4

SHA256
c862c0622d8e6a999c87dfc2b6a10291f04916e3d813766359308d1181bd9468

SHA512
3dae500302a46720b58332211c0c38e20359b46119e2c7dab8e878276eee0768d38e83b0a3db5c7a6c9922da62699614044632fe3da7953fd8851cf3cd801db9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\611018E31BE9DC95A2F3E897A6D97DA6847C4107
Filesize
4.7MB

MD5
76adcd8e4222b75e7e2670b10fa701ce

SHA1
543e05466054b1d859043bb0ef0802f0483b76e9

SHA256
cd04cdd6ff72d1f92c488a7ec19e907f7c1b6f0a3cf581126e939393f7b7636d

SHA512
d3321a5c854f79e55cf2f044735e7de877110d731e31c4e2bb5738261c2cc9cbf2abacef5762507df01ff1d742678bb648b15690f79dfe64f94310fc9f21f6e3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\6AA37A0F51195218A134D2DCE0A7F76191B5AA52
Filesize
37KB

MD5
debb1df08f896c3e5d5efce1d1cb43a0

SHA1
2d291a5100963894ac807070f603578c4ecd0e24

SHA256
c2350e55758e0a902f2334e343111101034a53c0ca5b156dc4af6ff1cfa9e7f2

SHA512
b455b8d6d99950e6a1b51de19757a9caf2b63498ae91c6f023aff009d7ccb378bcc60072e906434cbf49607adba50f679144175bd48d4c6c49881359f57d1c35

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\75671639297646765184C3F12342C7DC33F1685D
Filesize
120KB

MD5
ae082899882b6b624c43e338afbddeb7

SHA1
253152b02fb5c28e044b448d878e62d36ccb3df0

SHA256
181a5dc84daa4d2681a7678acda340a89ecca2856aa85b5ca3c6ca6a0898fb53

SHA512
f80166df6eb2aea034a9c1917db42072a7b7ef21ea20d2168db71ef24496d814e12d0465bc55f4ad0ee7ca747d4552941742f91f2b8d465a5d6d1f06d8f4dee4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\818D6913D1EF98264BBC58767F6D6D22E497C6EB
Filesize
183KB

MD5
3f924b2c67709347eb521310e0758c7a

SHA1
d4029335b0af45cef4171b28832c09ed57ee36eb

SHA256
5b1015d2e97428607a3afb70429d581568e916d82359ade3a686f17f74c6f8c7

SHA512
49413cc45da70027a0425cf3c98996c57af0189a0429d3cec00a9a5d597e97e9f72650ffd66cfe5a3a8a8321a10322f47749bc6b837e3c6619ecb8e654864e19

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\8F696954523EE3A8A3B3443F4354C42E42E7E6DB
Filesize
40KB

MD5
eaab50b98f7460b2ac4ba056d583f2bd

SHA1
7445508b095c91aba7d7e88b4334f8828862d93b

SHA256
c18ad5a832968c19b103bd2cd86f69ca6d32fa766ca9b184cc4f4f0c17cf3dd3

SHA512
1de3e7b35be5a1357112f2fbd6a101f7098f9dc0750cf3c53f488007517c33329d440a4cd75ab19e775616cfdc2777c3dba8f7ea2645ff2a89cabf9d47036858

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\94CA4629BF02C16F625F97EFB8963F192F9CB664
Filesize
2.0MB

MD5
b5c9db786c1c04d4293e4b83428189ea

SHA1
b0c1c3595d8fda3d47b6b93c8b1b6b442d8cda83

SHA256
89b7e1818e510e30317464234a40922f14a137a66038c096c941fd3822130362

SHA512
497e9759395436e309d337d5749ca20e00145e6e6533ce7efbe4eb20f8b47da76c4cfa4ca8dc3a27657811366d5e87e732b328f8cbbfe3b5a92d455a8d91a5e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\98E7CB868A0E2CCBB49693CA594496B2A4BD01CC
Filesize
1.3MB

MD5
a7f92399fb4bbbfa58ced65680ec6ca6

SHA1
04c5f8c8518f2bb53282b3836882de4ed75637ad

SHA256
568ed917b991cdf11e8811cf26b5a8481070a163524182a3a0383ec6ce159fc7

SHA512
3d6170f9c473928c524096f2c6aa25a6bf125ee5306c6b640956f574b07827023ccbce06f8078bc644795cb15579ff512c4d74b05cdb7e1ca53527b7159e8ce3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\9C2BBC7137762B4CA02A130A09A82F71C29112CE
Filesize
327KB

MD5
662576010c849accd6cd9baa09e478b4

SHA1
13599e0f3ac16c687139f9f2b07ae7a5514897b6

SHA256
402506236f7b48edae321cd64921923752745ce2577b0915df99765a0813aaf7

SHA512
c174615c1bbba3fd34c44f9bd7c03a29069d140ce5d39c93a6312fa99244ffa79758fc7502b068c3b958e2b1fc54b0e4ee3d96583284f18185eb8c5a2edbb854

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\A530F15DB29963B5C2CCCC8B9CA55C728410D69C
Filesize
78KB

MD5
29da83ef21dd1dc28a472607cd6c3c42

SHA1
d607ece5d854cf8a89b6080fcb246343db373d0f

SHA256
715e74b532a6cb5b31c26e95851058be7805e72b4ee29e3576490f8f29cdfd64

SHA512
514c2b2bc3413ee55023575479ed232f4aed8d08d4d74a1e39a01b889399a9dc7e90bc378bd168843864595260200484bde06e072b5003101703acbb90b6a255

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\AC89153B3BBC863316BF97ADBA9A93CB62F0A987
Filesize
39KB

MD5
f0a119f9e869009393485a5639100639

SHA1
25b3be0e5ae2c688f9a8b8813c1530788e31da0e

SHA256
6a118db30dcce16aee8a7fcb4d7b96582530e3b518f0ae23c986a7daba6d7035

SHA512
00b50efb4d4b2b4dfa6097dea32982cd778b439023ea350300bb14787089f6c8610afda68728b7a41caa14ad6f6ddc763a784b8fcb215e6cbce1c243d653a100

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\AD525AE91F8D63419653596829AB9B1342CB5750
Filesize
1.0MB

MD5
03908b8ec7a5a757394432b727e460b8

SHA1
9919bec82aa9042350bab13aa08af7fd5ffee8f6

SHA256
1217a7664ccd4ceeb74a45912a239c81780efeb68db779c9ff7e807465e9bb89

SHA512
70d742384b94dc59489f0233626b02fd54c7ffee092de1bea50d7aab6b4a5cbf31a635710d56e88f248dfcbb9117773a4f5b88e49b6f049bf942ab8e7b7b6d39

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\B63AD117DDE7D561C54267135CC34EA70A7F96D7
Filesize
345KB

MD5
04cb6f23a6b267bb24174f23cc21eada

SHA1
e73151f278d3dcbbcee2cbb78772b59ce4da634a

SHA256
a7ce4acc9e899a225df27aabe3c6b9119563bc1105c043549b9e1f153faef5f9

SHA512
9331b01524ca374a832414e8bd3a676fe726abddd9b727e7531e041eb24260f86d36cf8e5651e375f96e851c023d67a3350c4c0a3b9e59e6ffb1a06cca0a5340

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\B6CC53B0972D295D54F95FA82A5838EC5616B026
Filesize
322KB

MD5
f6b321aa27733088a03afc1c0170255f

SHA1
0eeba32e0fd8a4b2fdecd858dd587e756f4d07fd

SHA256
f4a707adbe00ce7997cf7effbe19f155b6bffb833bab5bc64559cbb674a44f08

SHA512
4733290656c23b22887eea30e30114a4f897dfb648912e1d5482d60c8c5edf8bb84b7c8f30b240b53856f6b24bb20ddba048a97250647207ec9efbd6215ad571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\B8857266E850CFF153AD7D11457529B236BD8ADE
Filesize
61KB

MD5
e3fcf90f3ea194ea5ac3c7744a128d70

SHA1
ed0b5d7bb7438796f68642e2f82dfac2ff9d2205

SHA256
e6eb64f0d427462df347fc52d54a700aa86c14992b33a2e10fac03d2d4449490

SHA512
9d7a3e7b1b716e66ec17bb97673490caffc21fd3bb731127fb37531bbb856fa5969bdae193b8fc86c713d1107f4d86311c055bff3424410c8bb6970388f64f2e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\C2995AC72A1C82CA460CD55984A64498CDFD69A6
Filesize
960KB

MD5
69f874b970c5aad0765b693607b22b45

SHA1
9f993a04d916be84a843d913c56f1f320538f5f2

SHA256
460ed6b795f03d7a6aac83e25e04087d314faad7bd8fadb638613596b3eb632c

SHA512
327808c77a113f9d66c7c74a6e5675ec0cc4f39f940277af8a0b1ce3fd7273fce25ec5bd0605e4686a3cf43c85ee53e1506d37ffe524a8d1187e069e9df6677e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize
13KB

MD5
338c159172dc09fea61b3563c6fb3613

SHA1
33fee6d9eeadcee72c2f39f13b1e7cd7a045553e

SHA256
bf448a33331ce5a329a255a8e4627c54292891d97bd2e356e7e7bfeb374b35ae

SHA512
335210a6cd42ccc362961b842576596b709f23732588b6846c04c3ffa00a5fc484c094f83eb175d9d341ee21067f97908f606c265f15a9ee4de14d23b8aad8f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA
Filesize
13KB

MD5
484556116c1b76a56e0856663d6b3842

SHA1
b39affb092f342a7c198e94b2702a6ea02b386de

SHA256
bda5be6e574e6d1eb7f55b236415073a12d18abcbccff7a9144ee24e448600d9

SHA512
ba319bbe0f23c74078547c73e998cc96a5009f2f89823e31020615a8038f0598d380780c11d762540900562c6c0eacb704c26267f787203f9eeef663cb6afdad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\CDA2E59960962705B47D45CB27BF1EEA59193C4D
Filesize
121KB

MD5
b9ddf5317d540d7e7492eff902e8d3f9

SHA1
c638f3bf675dbd34c5c419c0297aff817990bf8c

SHA256
362bdeb0d21f0ad2ff89281d3a1195671012623dfb5a7fbb2ec97845608e4c74

SHA512
e578526fa8bf06de4068fdd043b18d2177b75b61f24b43caf8e3b63a7d19a85dc57a380c9f2a77fa3fb5639ebf0b53a2ee030909a991a411afff0b4ab445b20b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\CE6193F114C7E3787537789C9C761C3527FA48D1
Filesize
148KB

MD5
76538bd8bf6f7b294df08201d479656a

SHA1
e8c12c711325d1d02037a9a41ed8e1686e6552d4

SHA256
925564804c0773c89a44d0c9fb1cdc150731e812a45b80b71ff058838ba5e17f

SHA512
df44755aa2add00ad36de0437d2de6c59458e24ca63226f170bbb411277f5d6c84007246db615e8cdb089ee7e27501bc0947c8001a280b9d3fdd6802506fcafa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\DA177214AB32427552B9515B958FF1916C97C8F1
Filesize
543KB

MD5
1117dc7f906e43d53a83cc37805c9f6a

SHA1
661d3b0bc4ee8aa578b4fa999f9ad31e3eb7e088

SHA256
68d9011eb7cd5e6ea1e939ed50a675f87b5dcc94f2e2833befc2da4bc8171bc9

SHA512
b321c859b37b22dacbd760bbeb7c8c248284c6aa95b69aac17fb952745a114b36356dca776162a56df88a42dc44c6805bbcbe7b9b9c7a2cd160ee34fa7bae30c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\E0B46A203FF7FE1ABB3989B015ADF65BE03664A9
Filesize
33KB

MD5
cb05efb8a609d4e0bd680641acfc02ab

SHA1
3f164ce32fbdd94ed869fe9ba93938475c69ec1e

SHA256
14b89d53803bbb77f30243206227bc42d5b4b21cc09c1cb06d4b09456a935a31

SHA512
a69ef51ca53897f099cc8289c072bf3230f47a5be0449919ee63978075796d35ed00677932d3bbce93920252e910c6b9f3cbff34581e0e970b73747e3556304a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\E2195B15E085550C47C77CCD6B686DD370076298
Filesize
277KB

MD5
538de99852d7ccc12d985684b4753908

SHA1
cf35a5342f9ae11eb2c6990b3a6500179b7e3525

SHA256
fd326d9de9f37eec7b4ce14dab0f8b4df098ecdc9ea89f2edc27b10ee78a264f

SHA512
d1163f031df2957daae9dfd6f0f5058943db2bc0509633172b159f29253679c153a3d383f89dc0b65f6d05ce749b974cf8c3a3a329548b131a11fd7766e47bc7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\E80AFDCEE7C1FD83EDFCEF88D969DBF2BF42CB6D
Filesize
35KB

MD5
ce74ab2df40e13713c96ca96fecf0c78

SHA1
3c4a073f508d7b606c6f7d768424503dff12f45f

SHA256
700b7928845e03ec37dca9ebcfa29cbd711e5c72da7cd75553ce617f587718ca

SHA512
dfc60f41fd2676a6edf1fb4d2efd0c763298f6f464ea89e142386bea1a4c6122506f729033f637b89c2d0708a5a5650d45ac5f1e94e43b32484e53bd382188dd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\EB73E7FF0DA31744A2FBB64A65A5138D85179E37
Filesize
32KB

MD5
b0fab29fae49c6ff3448815f23e97fbc

SHA1
4380bb7844be43059afe42ab577f9e0f6b4dd58a

SHA256
4084d989c7af92d177af79acded89dc30266b3128a777393d6fa69ab424c92ef

SHA512
be0b4d787ca2af64c7739be089b054ca1385bda0d1c0210bf1cadfe66917a464aea4ae87f405a0479510200c4be90d26a0e6d3335b0cb47ddd009a2911062dd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\F1024191799870B12785EC8CF95ED4019EE3FD36
Filesize
410KB

MD5
8a86fb1100cb223fa78fc2a45a1f6d38

SHA1
7eca4a80f4eec6b1f95ed54b959a5ec0794c81b3

SHA256
af9b91e324b0098535ca0185a1cb346d293286c74710f35e25a4869078a9c37c

SHA512
632437619472609ea8d6d56e7c569429b45d2c143431dea85bfa9bdaa9405463150f8f6d60900f7ee6bd61a7d9c5fb2e325c4a1710ad6bc30b1f2358bd515fc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\F12438933DCAA5300F771BB2C408A2B6AB6F22AA
Filesize
31KB

MD5
b417a4faba420aef0aa9efba148555c2

SHA1
13b01b1f695a7156da2bd888b953f1a137511861

SHA256
e92a0485e75ddd192a15741c46d0fdbe681a29988977d07ddd00acc387f296b4

SHA512
a0768bb502462c291dc82b3b872716619555e69fdbcc53b6d36c47ee8e6038d4e6c5b0525c2357e403e2f11b0a7179727bf571ce15a9559641c1603bdd7cbbff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\entries\FFAFBFA30B8A5B3743B2995F9FAB3E2954703B29
Filesize
951KB

MD5
8b1feda2fd1a314643b64dc816449e5e

SHA1
93194be21f43399959761ba2bc2ba665d5984f20

SHA256
ce998e95fbdb8b6706d51526a170a6922584c335830ce4cde326dd34d27e6ade

SHA512
073e594ed4efbc5ff6b3c61c00e0eb560e2bddbe10ecec4bfe806c5f8c7581ed5a71006a9a8f52da9ac50281ba4507a6fd39a97400b3643e7246490245d8feff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133584351786085234.txt
Filesize
78KB

MD5
d1f9b580ba6f291840fa0e10c8a8d524

SHA1
081ab38a0d5eba9514e616a75bf0f73a57c1cfb8

SHA256
de1d5d1dbb4af74115b830a6b126beaa4784db06cb48e4f35a79d3823915553d

SHA512
bbfda30f1de4204f2486a3d7630f8b656ccd3f994f95634009803315f3ce6bf1cde06a154065568dffb0856a0ab4cc7de7bb97ad7eb39242eab021706f86b915

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\backicon.png
Filesize
15KB

MD5
7ff5dc8270b5fa7ef6c4a1420bd67a7f

SHA1
b224300372feaa97d882ca2552b227c0f2ef4e3e

SHA256
fa64884054171515e97b78aaa1aad1ec5baa9d1daf9c682e0b3fb4a41a9cb1c1

SHA512
f0d5a842a01b99f189f3d46ab59d2c388a974951b042b25bbce54a15f5a3f386984d19cfca22ba1440eebd79260066a37dfeff6cb0d1332fca136add14488eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\checked_gray.png
Filesize
538B

MD5
ce144d2aab3bf213af693d4e18f87a59

SHA1
df59dc3dbba88bdc5ffc25f2e5e7b73ac3de5afa

SHA256
d8e502fab00b0c6f06ba6abede6922ab3b423fe6f2d2f56941dabc887b229ad3

SHA512
0f930edd485a0d49ef157f6cc8856609c087c91b77845adeb5cc8c8a80ebc7ec5416df351ffa1af780caad884dbb49dcc778b0b30de6fb7c85ffef22d7220ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\close_red.png
Filesize
15KB

MD5
93216b2f9d66d423b3e1311c0573332d

SHA1
5efaebec5f20f91f164f80d1e36f98c9ddaff805

SHA256
d0b6d143642d356b40c47459a996131a344cade6bb86158f1b74693426b09bfb

SHA512
922a7292de627c5e637818556d25d9842a88e89f2b198885835925679500dfd44a1e25ce79e521e63c4f84a6b0bd6bf98e46143ad8cee80ecdbaf3d3bc0f3a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\close_red_click.png
Filesize
15KB

MD5
6db7460b73a6641c7621d0a6203a0a90

SHA1
d39b488b96f3e5b5fe93ee3eecb6d28bb5b03cf3

SHA256
d5a7e6fc5e92e0b29a4f65625030447f3379b4e3ac4bed051a0646a7932ce0cd

SHA512
a0e6911853f51d73605e8f1a61442391fad25ff7b50a3f84d140d510fd98e262c971f130fb8a237a63704b8162c24b8440a5f235f51a5c343389f64e67c1c852

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\close_red_hover.png
Filesize
15KB

MD5
5ceab43aa527bc146f9453a1586ddf03

SHA1
88ffb3cadccb54d4be3aabf31cf4d64210b5f553

SHA256
7c625ae4668cc03e37e4ffc478b87eace06b49b77e71e3209f431c23d98acdd0

SHA512
8a5c81c048fb7d02b246ed23a098ae5f95cdf6f4ca58fd3d30e4fe3001c933444310ca6391096cfaeed86b13f568236f84df4ea9a3d205c0677e31025616f19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\custom.png
Filesize
17KB

MD5
03b17f0b1c067826b0fcc6746cced2cb

SHA1
e07e4434e10df4d6c81b55fceb6eca2281362477

SHA256
fbece8bb5f4dfa55dcfbf41151b10608af807b9477e99acf0940954a11e68f7b

SHA512
67c78ec01e20e9c8d9cdbba665bb2fd2bb150356f30b88d3d400bbdb0ae92010f5d7bcb683dcf6f895722a9151d8e669d8bef913eb6e728ba56bb02f264573b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\installer_flash_background.jpg
Filesize
34KB

MD5
08d091faf58df0ea8218d7e08140bbeb

SHA1
38ebf2763bd2082635a5971c4302021ecaddc0d1

SHA256
7e5f6998d34d56aeca87f676c12a42c6c4362ae16a753dc567aae00e253b0817

SHA512
5cfede2ea2ade7bbc4b63475af5eb52f78af567fa7096a2ead396056271b8745df4dc6e11e4328151ce59ab74c6c48fd49cd13e30f7f4b86c566757e310fd5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\installer_logo.png
Filesize
6KB

MD5
4cc6586c249ae201501c07fe5354b23b

SHA1
8fda8ef400f0bc25fd19cf4aa13469141befa3d8

SHA256
06f6630b150cca4ab3a00b663bfb6b0fe0c53309d434036c5ef16b3fe01304ed

SHA512
65ce7392ad4519ca51edafb5e25d60f0b0d2d37f7f8afe0394aa0594e63c38d331cd3c63aea149419dedabdc836f10cb1e9cc468c2d40afbb9e94a344a20fa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\installer_minimize.png
Filesize
113B

MD5
38b539a1e4229738e5c196eedb4eb225

SHA1
f027b08dce77c47aaed75a28a2fce218ff8c936c

SHA256
a064f417e3c2b8f3121a14bbded268b2cdf635706880b7006f931de31476bbc2

SHA512
2ce433689a94fae454ef65e0e9ec33657b89718bbb5a038bf32950f6d68722803922f3a427278bad432395a1716523e589463fcce4279dc2a895fd77434821cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\setpath.png
Filesize
15KB

MD5
b2e7f40179744c74fded932e829cb12a

SHA1
a0059ab8158a497d2cf583a292b13f87326ec3f0

SHA256
5bbb2f41f9f3a805986c3c88a639bcc22d90067d4b8de9f1e21e3cf9e5c1766b

SHA512
b95b7ebdb4a74639276eaa5c055fd8d9431e2f58a5f7c57303f7cf22e8b599f6f2a7852074cf71b19b49eb31cc9bf2509aedf41d608981d116e49a00030c797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Assets\unchecked_gray.png
Filesize
192B

MD5
e50df2a0768f7fc4c3fe8d784564fea3

SHA1
d1fc4db50fe8e534019eb7ce70a61fd4c954621a

SHA256
671f26795b12008fbea1943143f660095f3dca5d925f67d765e2352fd7ee2396

SHA512
c87a8308a73b17cbdd179737631fb1ba7fdaeb65e82263f6617727519b70a81266bb695867b9e599c1306ee2cf0de525452f77ce367ca89bf870ea3ae7189998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\BlueStacksInstaller.exe
Filesize
522KB

MD5
201a0f5f9a7c14c7bec7cc08dd971e49

SHA1
a14e69e7bdd551d86d13e4d6a48364680ae396ed

SHA256
75cba8246de01c32b263d693b6c2fb6afb755b58547fc0519c8be4176673d0d4

SHA512
122d0b0c902761bbaebd31b32784258199a61b7453e36a3bff2de05cefaae2eb02df278bebb02c2d5f0cbd9b80da663f92860ad551fe823d885b87b682455762

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\BlueStacksInstaller.exe.config
Filesize
324B

MD5
1b456d88546e29f4f007cd0bf1025703

SHA1
e5c444fcfe5baf2ef71c1813afc3f2c1100cab86

SHA256
d6d316584b63bb0d670a42f88b8f84e0de0db4275f1a342084dc383ebeb278eb

SHA512
c545e416c841b8786e4589fc9ca2b732b16cdd759813ec03f558332f2436f165ec1ad2fbc65012b5709fa19ff1e8396639c17bfad150cabeb51328a39ea556e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\HD-Common-Native.dll
Filesize
548KB

MD5
b128d6061906bb3c22294048158562e1

SHA1
c5d1f5d9b76e4356eb30e29e83defd959a360376

SHA256
a485f14aae7dc9dc9b70d5e294bcc117c257cd90f21b4bb93b50ac535d093db0

SHA512
866d50610c8b9564bf53711d6dcedf82ddf0daa663612eaa64bd4601c20de5490e0130d769537e4fac4f6fb148e4982e259af051e646ccb308667e2f08db26d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\JSON.dll
Filesize
411KB

MD5
f5fd966e29f5c359f78cb61a571d1be4

SHA1
a55e7ed593b4bc7a77586da0f1223cfd9d51a233

SHA256
d2c8d26f95f55431e632c8581154db7c19547b656380e051194a9d2583dd2156

SHA512
d99e6fe250bb106257f86135938635f6e7ad689b2c11a96bb274f4c4c5e9a85cfacba40122dbc953f77b5d33d886c6af30bff821f10945e15b21a24b66f6c8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\Locales\i18n.en-US.txt
Filesize
117KB

MD5
bc06cc543480420460bbff56657f4bd2

SHA1
1348e68db07101fad6541b0a680076ea9fc152c6

SHA256
b542578fd373773958d24733c979eeafd057db6fa23e9ef571c4c95a5229a96d

SHA512
e85f6b40b7d51b997d7c65b9a5e8152cde6c940e6f271c73c7424650ad3185da944c3f45a25a2be85feb014454d2c3949bb8eedc6dba785ff27e5b38f6c62895

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS89DC2847\ThemeFile
Filesize
76KB

MD5
4567f7dc395c544d0e6903a1ba678fc6

SHA1
d09275c52f6ffaa83962f07854bc5f7cbaae5953

SHA256
3777668daf5c0da4e4938dc95feb4535ef8493e809081703304587e1056e9fbf

SHA512
9509e99a1cb69749f883f701f88cec6ec6ca61a877f92418990f1536cdd766266ad2a31c5248e95e3df3b15fea994c73de451861f7d362275faa5184835e9236

Download Submit
C:\Users\Admin\AppData\Local\Temp\Upx.exe
Filesize
283KB

MD5
308f709a8f01371a6dd088a793e65a5f

SHA1
a07c073d807ab0119b090821ee29edaae481e530

SHA256
c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35

SHA512
c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
19KB

MD5
36851c4838e9ee0e9740c57cced0c6ca

SHA1
0156b45fb01564ae816e0396bba57a7c0f3b1b50

SHA256
1cf9028ccd768e216387f0a0c83837ff5a89ace21a15f5b44eea3b0c8a875f16

SHA512
b18fa1c341c90426d4ee0ae3832314c112728f3abf0cfa8ccbae6339c9570f079083f42a76ed5da9eee87bd6c005ef5776b6ece096038d29cc229213722e371c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
8KB

MD5
47425cd3a7d80c3895242434be701f9d

SHA1
cb72f1cbe10b46bf50c7e9a27313d11dfe556a27

SHA256
33d31f5e352b0406cd8d2fc1ccee7164ed45beecbac6aa46dd0a717e5856a2a9

SHA512
ec4b85158470d991fce9d406bb4a1d9f120918b12b3547850396cb1d1a2ee5de6b4432f4eb864547bbe72646935fe79ae10c3f64e43908ea157ec6fbd2615a1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
7KB

MD5
07ba857f3325b34580894c404016014c

SHA1
ceaf5f36c2352807a9732b0af800664cf5ab7ad1

SHA256
cc9028a58dcffe643144fc97b078099cdb364775d905ed35aceb388640406838

SHA512
8979aa75b847e03cf18cce595467238cb89e96cf558c34cbb0d04bb4ccba229dda4a92423a3995dae8245ae2b34ac304ff135a7a7b0c3ac48165c1c8f7f0c35d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.js
Filesize
10KB

MD5
83958efaa697f1589dc6c17c6483a56a

SHA1
dfabd3dbc8e6326144502b0e423f09c00ea325bb

SHA256
a753e57098c4f645aa0049b6306028c5862dfa3a6f7ea97794a7ef2a420b3e45

SHA512
fa43acf2bf9ca9a05e34c439f563e8dd6d61095895daf81534b7fefaa54287cb015bea4c31e0fe70340d14200ae35a357a23ee69381352a3a42aa26ce6611bde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.js
Filesize
6KB

MD5
53653e1a200c11bda8f004b676e69aa6

SHA1
ec043a3960ab906bda5ca7c222731a503d09e239

SHA256
e4849004e6321688b0e393cdeaac4b53a6a0a30c2bbd86bb4e7050e186ea7172

SHA512
d1e3e2ff0908418c77a49832ef0ab35ea134672cf87cb3ef8397081ac305b479d7f6dca1538bf9a351d9cb23b1a47d509f71aa1be84143268fa18d6da30057b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
ea115b68b456daab22dab193ad8e0afa

SHA1
6cd4cb4ad4fd4bbceaa91981c81db4fba7a0d344

SHA256
1c28ec112d8140d9d08b208ccf9eb906dba138de549677f972328b0de3d3c555

SHA512
4eda4e6cb7c3ffdb312f7e89e17a992488de0c092f8483faa0a4097ab4eb0f4bccce5ce36da19ae5e4fb241819b98875055267683de90e16c70430493fe7f9c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
50947ae735077a2127ae416980337e92

SHA1
e8b09b8316a520c4ed28192a67c0fd598f5e829d

SHA256
7986cd2925dd1f5685bb55564bb4ec32772476c994b77f14dc68df82ae8fc7f2

SHA512
961b32cd371964365dcd6aa2ce4be6da5f337384f528a420b599386b64796621d85e0a2596ce2dae915f0854543415670b8ba87f7ebb1b192043fe04463a5b22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
9101bd9f99c3f0b2cd72d9c6f482b75f

SHA1
ab22c2348e3101e78ef01c919342734c9284a005

SHA256
749aeeb83462aa843346e5bc68268fd8f5db9d48aa4df39a5dbe7daade33a70f

SHA512
154645e86ce8dafcebd92c5b5563c896848e1d210364ddb8baa81b015e63cb0c99c42e74edb96edcbb354775fa232c6d16e98e5a3bbafe9d510d245bbed261f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
02c1e255b06071fb67bd0c392aec4666

SHA1
ba196cb4cee3c742769c9cace32145ad6653aeff

SHA256
0f1413cfd306730a46d38d5f7d572dc5edc7be60208d0c7cf581517d6b51f341

SHA512
00f07cc4adf7a2670b0134f2c81990723e4354192a2314f8c37e5cca8e48494649a57d245d3bb794b2fab398546f4e9fcd26d35b70db09d3174e037ecdb5b058

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
6ee9338fbf7087130bbcbb7fe5cca5df

SHA1
b4c74f4e55645f7e9c0e7067ccbde75af5396701

SHA256
066953abc3998012ec29cb3eedb8ceb07cd9af699bb8fa0d291e097f3c500a06

SHA512
e72b6a74b10b6e7438f816e77bc9b607e177cc70aeea5a3148b2c84057511a3d54e7e17d667311debad2915b72ee206f8bb2f1863e5cf40024d53d60599b3261

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
5ca6473a6727fcd4b316324531dcdf41

SHA1
d7c28548d46bdef6a4214a7bbd6469185071a672

SHA256
2f3093df8f05b1d5d6c4dfdd294c6b8611145be5659353c524ce7c5e31714ef1

SHA512
a6a6e4c605ed7b70d48b0b60244755b4b390120fe22875b330c5f404d3228c0e869f56eb0144fc5e39b0122fb0f4fd23a5d8481b586115eeb333432e17a6c17c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
21KB

MD5
85d11d0d737e5ed332c81b8e391d54ab

SHA1
c7018fb222506d54198c537011b4881a5ebde4db

SHA256
1ad66a9b8d77f28fca32d81187475b1c9ff27f15d6b4d5f8fc3fb811060795ca

SHA512
7619975cd9b5e4eba9cea6e7049e302dfa57d3caf154f936fd3ff17178dd41a4e4c63ed02993dcc034abf36bffb357b3619e751ec90e4c8f157c653f5c744771

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
9034105afb7c17d31aa92d55b0fe09af

SHA1
37fad35f72bde587a6878d6f7a678539a5b28ea3

SHA256
5ed2173372e30b9b0a500c43b79633abcfe1d17d23e2de17c198ffee4f8aaea2

SHA512
21b006dd9620c39d62326da45125abf316ddc5019bdd4d10553ada7fef43672420ce0d0ae3398659fa590592ea9b991f2f57565c74ea0396064023b837fbd3fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4
Filesize
10KB

MD5
512e1722fac0b2c7b911c5aa27681da3

SHA1
91558d618c17557cb0bea66e0f99930e13fb8b17

SHA256
7dc5d47a432cee404b81ce56c8a1e715f72c61135b4aa1cbe32e707b62f96e39

SHA512
e4c2788d5e9c2ab2ceff4dcd1ad336be209ff3cda58d6dd6b90e80b4249a95ed4e73ac5caf48eb4d00ea0926d33798cc7996fe201de143103714d499002af0bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2171031483YattIedMb.sqlite
Filesize
48KB

MD5
dbc6b947deec147113fafd068a271cc3

SHA1
a4181e092a4acbe7f53f8b2139a242845665e50a

SHA256
0f584ecc32257b0f7c4185bc0407e5f936a99c238ca95f5a0e9d6ca580788d79

SHA512
21476b95c44847463974dc8220b1490d7014a4b61c70ceedf3719ffd43b48c9739a64f819307fe28092466211eda4fe01cc9544921762cbac164819bc63cf85a

Download Submit
C:\Users\Admin\Downloads\RCX867A.tmp
Filesize
387KB

MD5
e5efaa0556c9a09030cec653f3772c49

SHA1
a1aea58a965cc5405ae4afc158bbfd83478740ba

SHA256
81b877b59bd925b1d04c0c6625eb5cf037b7b14ea7ab5d21cec38249956aa1a7

SHA512
3fb0f8928186f3fbc629c7710764d2eb34f67739fb462cc0faf696c6017e279481049d5c6293f745ba8d9e1c80071f11618dbd6ba6d7b77b99237270479c1208

Download Submit
C:\Users\Admin\Downloads\WinLocker Builder v1.4.exe
Filesize
699KB

MD5
81dd862410af80c9d2717af912778332

SHA1
8f1df476f58441db5973ccfdc211c8680808ffe1

SHA256
60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

SHA512
8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15

Download Submit
C:\Users\Admin\Downloads\aimware.exe
Filesize
382KB

MD5
97eb6f7ec0586fe37b82dbe2f522da35

SHA1
7b9995845a89aec0a6eabe7e9eeb446abe8e5d58

SHA256
f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1

SHA512
888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49

Download Submit
C:\Users\Admin\Downloads\aimware.exe
Filesize
156KB

MD5
b68a9f97b82e339cd8c90ab5224a34d9

SHA1
691f5733e5980b6e94023ae236a693a672cb6fe9

SHA256
b5acfd2a9b6b9cef70e56f3b6c90cc798cc0bf94244a17aa07099faa34370552

SHA512
b1ff95d3e787efb6bbccd85858b63161e6972ff7be51d015bade131ad9389cc410eb471f7eb8f25200b95eab8329192b006b0d9d620b2da41cfe55055191246f

Download Submit
C:\Users\Public\BlueStacks\MachineID
Filesize
36B

MD5
9ac06550e9172203005a29b0fe86737b

SHA1
3a108be36266095d5c275f27e75cfc2ec01ddc04

SHA256
55d1180191a0fbccbc0b6bfffe17e7ae494920a901acb598300de0c13b8df194

SHA512
a71ae9f4420468779e513252c5346ad85f4f94eabc2e4b02147c95f5592228c21fdabce88325f4422d8aba1c644ba67a1640b02ad3def414efcc3a00f2d971c4

Download Submit
C:\Users\Public\BlueStacks\VersionMachineId_4.280.1.1002
Filesize
36B

MD5
4f7207a96b7519ed1d4896e364918ca3

SHA1
9dcb2d41b86b7ad8df4cfe785128245cc0d55e15

SHA256
887392b2486ba3777b092a6a5bcb14180b64a3c5eab0dc501f7c98acf0e34d7b

SHA512
33273dceae611888a8b2582867245b5b5378d1e09c427ea56cc51fa185d41191f0de26e64e4362b44fc7be27b475038691206d52fdf6c55016d49879cad7c045

Download Submit
memory/1120-3612-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1120-3622-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1844-117-0x000000001BC40000-0x000000001BC50000-memory.dmp

Filesize
64KB

Download
memory/1844-200-0x00007FFE80520000-0x00007FFE80FE1000-memory.dmp

Filesize
10.8MB

Download
memory/1844-109-0x0000000000E90000-0x0000000000F16000-memory.dmp

Filesize
536KB

Download
memory/1844-110-0x00007FFE80520000-0x00007FFE80FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2524-1523-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2524-1533-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2524-1502-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2524-1503-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2524-1525-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2524-1536-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2524-1541-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/2524-1554-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/3668-197-0x00007FFE80520000-0x00007FFE80FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-138-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/3668-128-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/3668-120-0x00007FFE80520000-0x00007FFE80FE1000-memory.dmp

Filesize
10.8MB

Download
memory/3668-139-0x0000000020440000-0x0000000020448000-memory.dmp

Filesize
32KB

Download
memory/3668-140-0x000000001D3D0000-0x000000001D408000-memory.dmp

Filesize
224KB

Download
memory/3668-141-0x000000001D3A0000-0x000000001D3AE000-memory.dmp

Filesize
56KB

Download
memory/3668-144-0x0000000020930000-0x0000000020998000-memory.dmp

Filesize
416KB

Download
memory/4216-3558-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-1557-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4216-1558-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-1564-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/4216-3559-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-3544-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-3623-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-3539-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-2996-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-3560-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/4216-1556-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/5088-3722-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5088-3723-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5088-3725-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/5088-3727-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5088-3728-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5088-3721-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download