f3beb34cc046e27623b8ed753d3fc50584aaf6f388aa6bb75780d1043326e4f7

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 22:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Bearly.exe
Size

154.7MB
MD5

88b6fcc98fa8fc9cc8f1a6feae35b6df
SHA1

3ad34fe3567d7fd7518fef99c0bb112c3c50464b
SHA256

a87607b53250badcf6829e42e0d5f84b1d47f1861b49de23135e44978b8d0f07
SHA512

c1a2b5cd7bd77faad31861305f0562e2a0c3f15ecc4bbcb1931d3064ed9ef6c8fd85f7fa0d7e723059153fa8ef5d598907e98dcf4f1c6e3a0e68c55fcef5a847
SSDEEP

1572864:4BtbwS6fGMIgBx5GZ7W1S9/kYGaWCLmXLnT2RGIfdZSHV0omQTk+R7BULUGSh6Tr:un9LLmXdd

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Bearly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Bearly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Bearly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Bearly.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bearly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Bearly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bearly.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Bearly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Bearly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Bearly.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Bearly.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly\URL Protocol	Bearly.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly\ = "URL:bearly"	Bearly.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly\shell\open\command	Bearly.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly\shell	Bearly.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly\shell\open	Bearly.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bearly.exe\" \"%1\""	Bearly.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\bearly	Bearly.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5032	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5068	Bearly.exe
5068	Bearly.exe
2524	Bearly.exe
2524	Bearly.exe
6044	Bearly.exe
6044	Bearly.exe
6044	Bearly.exe
6044	Bearly.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe
Token: SeShutdownPrivilege	4952	Bearly.exe
Token: SeCreatePagefilePrivilege	4952	Bearly.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4952	Bearly.exe
4952	Bearly.exe
4952	Bearly.exe
4952	Bearly.exe
4952	Bearly.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4952	Bearly.exe
4952	Bearly.exe
4952	Bearly.exe
4952	Bearly.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3320	4952	Bearly.exe	81
PID 4952 wrote to memory of 3320	4952	Bearly.exe	81
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5064	4952	Bearly.exe	82
PID 4952 wrote to memory of 5068	4952	Bearly.exe	83
PID 4952 wrote to memory of 5068	4952	Bearly.exe	83
PID 4952 wrote to memory of 2524	4952	Bearly.exe	84
PID 4952 wrote to memory of 2524	4952	Bearly.exe	84
PID 4952 wrote to memory of 5032	4952	Bearly.exe	85
PID 4952 wrote to memory of 5032	4952	Bearly.exe	85
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87
PID 4952 wrote to memory of 4000	4952	Bearly.exe	87

C:\Users\Admin\AppData\Local\Temp\Bearly.exe
"C:\Users\Admin\AppData\Local\Temp\Bearly.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  C:\Users\Admin\AppData\Local\Temp\Bearly.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Bearly /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Bearly\Crashpad --url=https://f.a.k/e --annotation=_productName=Bearly --annotation=_version=3.0.0 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=24.4.0 --initial-client-data=0x45c,0x464,0x468,0x438,0x46c,0x7ff682e9dc70,0x7ff682e9dc80,0x7ff682e9dc90
  2⤵
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  "C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1776,i,2837101430475838215,12833730332051973332,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  "C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1908 --field-trial-handle=1776,i,2837101430475838215,12833730332051973332,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  "C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2328 --field-trial-handle=1776,i,2837101430475838215,12833730332051973332,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Bearly
  2⤵
  - Modifies registry key
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  "C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3532 --field-trial-handle=1776,i,2837101430475838215,12833730332051973332,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  "C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3696 --field-trial-handle=1776,i,2837101430475838215,12833730332051973332,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\Bearly.exe
  "C:\Users\Admin\AppData\Local\Temp\Bearly.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Bearly" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2840 --field-trial-handle=1776,i,2837101430475838215,12833730332051973332,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bearly\1335f185-ed5b-4d08-b61c-185c789aa2fd.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
11cb8256965d7c52f57f519e475061a9

SHA1
1e9e84ebb2c98ac7f7ebfcaa7a51e44c09baf096

SHA256
f9599362d792d151285659dc0bd03be81246a55bbf26df418a2e7c37c5fc5149

SHA512
9e251e52462f3cca882537d3905131273ec97f73398a3c6e51d21a3304a77bd9d5fa9746894d1ef69e95ec8a84e4cffd77b9d0ad42ef458eb0d4f5dda6c8fa9a

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
fee23eff655c9dce8027012f9a7eaf2f

SHA1
1e73394157dcf3e8197f120ab639dbd84f8a00fa

SHA256
50cc0f1ee0e5d43c15abeefad752a728e7c539aeb9fac0f89c7370a0a4402b55

SHA512
defe436976f94d41bc0a812f93f2b2fca8533f58e272556af8a1aa609030e0a5c4c230b69ba414a4da31210ccedc2e4659a3f0869101cc9af8b2f763ec5bf950

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State

Filesize
1KB

MD5
974bd42c9c744978867933651326f420

SHA1
2058cabc0c2765422a69c61f04d5c26caab82300

SHA256
124ff0441e7f1d268495071848e9bffdd3b119f9da5a4b48ffc8281838a66a9f

SHA512
8c81912eacc1ae6a172cea89b28e9ff028997db83b0b4b7361ce00c75a26fac47aba561382a3e8ce62ceaa71f34ddca1935e44928a4ee77dd3159c3dc4079acb

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Network\Network Persistent State~RFe587903.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e643816af29e308fe38545c29f0b4fec

SHA1
ac010c54414605d241ef382f0c8ee33f04b1337f

SHA256
a1d08649272425bda3fbb7e68939d680a6cd4c3bd966617a7d9b69fdfc018662

SHA512
3a202d7704ac88cf884bf0f590073f9283a3129260eaee895f8ecc9e8a17c054a6e036c0fcb64cadeed046d7d2ac6a4c35a3d3759a1c7bf03eed53d490a8875f

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b834.TMP

Filesize
48B

MD5
534b87e7cbf2eb2822fb9b9cb3032793

SHA1
a551263e35aa5c267e84f9a7266b5132c559a75a

SHA256
d7e65216cf671c66a01b06b62df32d262785e7926dac4070271b885e31a692bc

SHA512
38af2a9f450b88024d339a6835da31d873eaa23cefa37ab6834bd182b43f9cf6ed5344e05f0e99460eb52e3bc3fb1591f058c28c7f15b4fc231a6737d50ae2d7

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\config.json

Filesize
34B

MD5
1ffb53e0bcfa1dfde7672728e3114815

SHA1
ec46721ab0c27d9e707f63c2ee748c954d775de2

SHA256
8e3ed5120a02820b427cb66f4f10c93aa4ca6415f332686b39174a6e04a70c76

SHA512
5aaabd51ac0b126c05d881e07fdaf1d82e86f5c6b5aea347ea53ea507fad953409e213ca0ae05bbf0921b478b595fbdbfada1eafd5ec39fbb9454434f0f5d424

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5380444825a3bee6

Filesize
64B

MD5
b571feedd7a6cfefa26b73514d57a7c7

SHA1
33d4945a08a2040a4707b44d21483cd00858cb7d

SHA256
bf7d1e5bafc682ba7bf07389750e4165fa3076e69625630998b4a528f5e6d635

SHA512
8d2f594f4f568005005f2ba23bdd67ccdfd4bf56ada577993aaed596c839263f223dc2180897b906d8a8e94fd060eccda97a6cc2f464bd507182db45f4a017c7

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5380445252f357eb

Filesize
113B

MD5
0c2bb92bc63d59da117b6542b8ca9edb

SHA1
1841f159e4e2074fd921877937016a21ff4f0f90

SHA256
dc011a83b38ed30c2eb64000cd76d92dd2fa807170fbe2dbab77bc5221471ab3

SHA512
8b4f251a74afe73a4c8fa003b5e0d65b33ac642567c73500783f1339e892fe76f3e524d5b56faf0bdff6a799c9581136fe33ac6fc1f135400440ce05abd57e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Bearly\config.json.tmp-5380445833ca1325

Filesize
119B

MD5
06a780c111c244393ef5753c80af4986

SHA1
792ffd61834bae12c91506f70366c55b549a0a3a

SHA256
2e125366cdcd62de4bf010b0cac8ef4531f9b785a468c3d75191f93d35f6279c

SHA512
7a98c6a729f99e54543e8eb2cabef3b8d7e6f4515caea9c8c1f4280d6cd5386932dfd0c59e4f3aed804d55bdb91187814e3378ed1e4b1cd7f32a7c891c02b740

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/4000-752-0x00007FFB60EE0000-0x00007FFB60EE1000-memory.dmp

Filesize
4KB

Download
memory/4000-751-0x00007FFB60B80000-0x00007FFB60B81000-memory.dmp

Filesize
4KB

Download
memory/6044-865-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-863-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-864-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-869-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-870-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-875-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-874-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-873-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-872-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download
memory/6044-871-0x00000195188E0000-0x00000195188E1000-memory.dmp

Filesize
4KB

Download