hxxp://65[.]38[.]121[.]75/ImYwoJnO/win4[.]zip

Analysis

max time kernel
281s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://65.38.121.75/ImYwoJnO/win4.zip

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 39 IoCs

pid	Process
1520	main.exe
2028	main.exe
5072	main.exe
4516	main.exe
2896	main.exe
2292	main.exe
2300	main.exe
3612	main.exe
3644	main.exe
4072	main.exe
4680	main.exe
4828	main.exe
2028	main.exe
1912	main.exe
3620	main.exe
408	main.exe
1976	main.exe
6020	main.exe
6028	main.exe
6036	main.exe
6044	main.exe
6052	main.exe
4044	main.exe
5252	main.exe
5244	main.exe
5384	main.exe
5264	main.exe
5260	main.exe
5488	main.exe
5496	main.exe
5596	main.exe
4468	main.exe
5576	main.exe
5964	main.exe
5700	main.exe
5920	main.exe
5656	main.exe
5772	main.exe
5800	main.exe

Loads dropped DLL 64 IoCs

pid	Process
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
1520	main.exe
2896	main.exe
2896	main.exe
4516	main.exe
4516	main.exe
2292	main.exe
2292	main.exe
5072	main.exe
5072	main.exe
2028	main.exe
2028	main.exe
2028	main.exe
2028	main.exe
2028	main.exe
2028	main.exe
2028	main.exe
2028	main.exe
2028	main.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
169	ipinfo.io
170	ipinfo.io
143	ipinfo.io
144	ipinfo.io
153	ipinfo.io
154	ipinfo.io
162	ipinfo.io
163	ipinfo.io

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	main.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	main.exe

Kills process with taskkill 28 IoCs

evasion

pid	Process
5312	taskkill.exe
5812	taskkill.exe
5868	taskkill.exe
2708	taskkill.exe
5464	taskkill.exe
5588	taskkill.exe
5532	taskkill.exe
2828	taskkill.exe
228	taskkill.exe
5560	taskkill.exe
5132	taskkill.exe
2868	taskkill.exe
1980	taskkill.exe
1804	taskkill.exe
3760	taskkill.exe
4380	taskkill.exe
4764	taskkill.exe
3528	taskkill.exe
2584	taskkill.exe
5540	taskkill.exe
644	taskkill.exe
4444	taskkill.exe
6072	taskkill.exe
6032	taskkill.exe
2084	taskkill.exe
1460	taskkill.exe
5292	taskkill.exe
3044	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\win4.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4516	main.exe
4516	main.exe
3620	main.exe
3620	main.exe
5260	main.exe
5260	main.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeIncreaseQuotaPrivilege	228	WMIC.exe
Token: SeSecurityPrivilege	228	WMIC.exe
Token: SeTakeOwnershipPrivilege	228	WMIC.exe
Token: SeLoadDriverPrivilege	228	WMIC.exe
Token: SeSystemProfilePrivilege	228	WMIC.exe
Token: SeSystemtimePrivilege	228	WMIC.exe
Token: SeProfSingleProcessPrivilege	228	WMIC.exe
Token: SeIncBasePriorityPrivilege	228	WMIC.exe
Token: SeCreatePagefilePrivilege	228	WMIC.exe
Token: SeBackupPrivilege	228	WMIC.exe
Token: SeRestorePrivilege	228	WMIC.exe
Token: SeShutdownPrivilege	228	WMIC.exe
Token: SeDebugPrivilege	228	WMIC.exe
Token: SeSystemEnvironmentPrivilege	228	WMIC.exe
Token: SeRemoteShutdownPrivilege	228	WMIC.exe
Token: SeUndockPrivilege	228	WMIC.exe
Token: SeManageVolumePrivilege	228	WMIC.exe
Token: 33	228	WMIC.exe
Token: 34	228	WMIC.exe
Token: 35	228	WMIC.exe
Token: 36	228	WMIC.exe
Token: SeDebugPrivilege	1988	firefox.exe
Token: SeDebugPrivilege	228	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	5312	taskkill.exe
Token: SeDebugPrivilege	5292	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5936	WMIC.exe
Token: SeSecurityPrivilege	5936	WMIC.exe
Token: SeTakeOwnershipPrivilege	5936	WMIC.exe
Token: SeLoadDriverPrivilege	5936	WMIC.exe
Token: SeSystemProfilePrivilege	5936	WMIC.exe
Token: SeSystemtimePrivilege	5936	WMIC.exe
Token: SeProfSingleProcessPrivilege	5936	WMIC.exe
Token: SeIncBasePriorityPrivilege	5936	WMIC.exe
Token: SeCreatePagefilePrivilege	5936	WMIC.exe
Token: SeBackupPrivilege	5936	WMIC.exe
Token: SeRestorePrivilege	5936	WMIC.exe
Token: SeShutdownPrivilege	5936	WMIC.exe
Token: SeDebugPrivilege	5936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5936	WMIC.exe
Token: SeRemoteShutdownPrivilege	5936	WMIC.exe
Token: SeUndockPrivilege	5936	WMIC.exe
Token: SeManageVolumePrivilege	5936	WMIC.exe
Token: 33	5936	WMIC.exe
Token: 34	5936	WMIC.exe
Token: 35	5936	WMIC.exe
Token: 36	5936	WMIC.exe
Token: SeDebugPrivilege	5464	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe
1988	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 2540 wrote to memory of 1988	2540	firefox.exe	83
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 2356	1988	firefox.exe	84
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85
PID 1988 wrote to memory of 4936	1988	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://65.38.121.75/ImYwoJnO/win4.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://65.38.121.75/ImYwoJnO/win4.zip
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.0.983468760\1536563274" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {546b326d-ea31-429f-a17b-5a3f6dcadf32} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 1868 1e62c70da58 gpu
    3⤵
    PID:2356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.1.183336649\2140690135" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {174a697d-4f28-49c8-80ad-2ed7ad72039b} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 2476 1e61838ab58 socket
    3⤵
    PID:4936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.2.1791366537\369419299" -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3020 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed99704-10b8-418b-a4b6-fb8cdd5a954a} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3036 1e62f558458 tab
    3⤵
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.3.773650632\558796663" -childID 2 -isForBrowser -prefsHandle 4092 -prefMapHandle 4088 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7b487d0-2f57-43e3-b923-dbcdb9ba4d2f} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 3924 1e631315258 tab
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.4.165711671\1729182805" -childID 3 -isForBrowser -prefsHandle 4976 -prefMapHandle 4988 -prefsLen 27656 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da742fe6-4877-468c-86ed-52b3a69785b1} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5128 1e61837df58 tab
    3⤵
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.5.294540758\206722375" -childID 4 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 27656 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db6737b2-2adc-48b0-b12e-3d412eb918a4} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5384 1e6328ebe58 tab
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1988.6.1744509435\800792679" -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27656 -prefMapSize 235121 -jsInitHandle 1256 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1987fb59-4fe9-48ca-84ca-a0a636d243f5} 1988 "\\.\pipe\gecko-crash-server-pipe.1988" 5568 1e6328e9d58 tab
    3⤵
    PID:2916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3192

C:\Users\Admin\Downloads\win4\win4.exe
"C:\Users\Admin\Downloads\win4\win4.exe"
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
  "C:\Users\Admin\Downloads\win4\win4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=544"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
      4⤵
      PID:1476
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=584"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:3356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
      4⤵
      PID:1104
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=592"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:4488
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
      4⤵
      PID:3620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=732"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
      4⤵
      PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3600
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4572
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1384
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1804
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4828
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4896
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1104
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4028
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2376
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=756"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
      4⤵
      PID:2432
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3780
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:4408
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:2708
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=484"
    3⤵
    - Executes dropped EXE
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=752"
    3⤵
    - Executes dropped EXE
    PID:3644
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=740"
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=812"
    3⤵
    - Executes dropped EXE
    PID:4072
- - C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe" "--multiprocessing-fork" "parent_pid=1520" "pipe_handle=800"
    3⤵
    - Executes dropped EXE
    PID:4680

C:\Users\Admin\Downloads\win4\win4.exe
"C:\Users\Admin\Downloads\win4\win4.exe"
1⤵
PID:3324
- C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
  "C:\Users\Admin\Downloads\win4\win4.exe"
  2⤵
  - Executes dropped EXE
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=724"
    3⤵
    - Executes dropped EXE
    PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
      4⤵
      PID:4044
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=464"
    3⤵
    - Executes dropped EXE
    PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:2352
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
      4⤵
      PID:5184
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5312
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=460"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
      4⤵
      PID:3372
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5256
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5388
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5488
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5604
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5732
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5804
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5868
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=556"
    3⤵
    - Executes dropped EXE
    PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
      4⤵
      PID:2920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
      4⤵
      PID:5156
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5292
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=764"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:5080
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:5628
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5884
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5936
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=984"
    3⤵
    - Executes dropped EXE
    PID:6020
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=992"
    3⤵
    - Executes dropped EXE
    PID:6028
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=996"
    3⤵
    - Executes dropped EXE
    PID:6036
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=1020"
    3⤵
    - Executes dropped EXE
    PID:6044
- - C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_3324_133608835765137295\main.exe" "--multiprocessing-fork" "parent_pid=4828" "pipe_handle=776"
    3⤵
    - Executes dropped EXE
    PID:6052

C:\Users\Admin\Downloads\win4\win4.exe
"C:\Users\Admin\Downloads\win4\win4.exe"
1⤵
PID:2288
- C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
  "C:\Users\Admin\Downloads\win4\win4.exe"
  2⤵
  - Executes dropped EXE
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=484"
    3⤵
    - Executes dropped EXE
    PID:5252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
      4⤵
      PID:5344
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:5532
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=536"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:5356
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        
        PID:5588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:4296
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:5144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:1112
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:3372
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=524"
    3⤵
    - Executes dropped EXE
    PID:5384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:5292
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
      4⤵
      PID:5656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        5⤵
        Kills process with taskkill
        
        PID:5812
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=708"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
      4⤵
      PID:5460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        5⤵
        Kills process with taskkill
        
        PID:5540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5744
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5956
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5116
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2872
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6024
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2084
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6140
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=728"
    3⤵
    - Executes dropped EXE
    PID:5264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
      4⤵
      PID:5216
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        5⤵
        Kills process with taskkill
        
        PID:5560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
      4⤵
      PID:5764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        5⤵
        Kills process with taskkill
        
        PID:5868
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=868"
    3⤵
    - Executes dropped EXE
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=840"
    3⤵
    - Executes dropped EXE
    PID:5496
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=364"
    3⤵
    - Executes dropped EXE
    PID:5596
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=964"
    3⤵
    - Executes dropped EXE
    PID:4468
- - C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_2288_133608835993871869\main.exe" "--multiprocessing-fork" "parent_pid=4044" "pipe_handle=776"
    3⤵
    - Executes dropped EXE
    PID:5576

C:\Users\Admin\Downloads\win4\win4.exe
"C:\Users\Admin\Downloads\win4\win4.exe"
1⤵
PID:5512
- C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
  "C:\Users\Admin\Downloads\win4\win4.exe"
  2⤵
  - Executes dropped EXE
  PID:5964
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=448"
    3⤵
    - Executes dropped EXE
    PID:5700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:5916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        
        PID:6032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
      4⤵
      PID:4764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        5⤵
        Kills process with taskkill
        
        PID:3044
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=716"
    3⤵
    - Executes dropped EXE
    PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
      4⤵
      PID:4084
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        5⤵
        Kills process with taskkill
        
        PID:644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:5200
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:5196
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5424
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=764"
    3⤵
    - Executes dropped EXE
    PID:5656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
      4⤵
      PID:5780
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:6072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
      4⤵
      PID:5032
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        5⤵
        Kills process with taskkill
        
        PID:5132
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=724"
    3⤵
    - Executes dropped EXE
    PID:5772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
      4⤵
      PID:212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        5⤵
        Kills process with taskkill
        
        PID:2084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5136
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5408
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5448
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:1956
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5612
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2220
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2692
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=720"
    3⤵
    - Executes dropped EXE
    PID:5800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
      4⤵
      PID:6112
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        5⤵
        Kills process with taskkill
        
        PID:1460
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=808"
    3⤵
    PID:5668
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=796"
    3⤵
    PID:5636
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=800"
    3⤵
    PID:5876
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=760"
    3⤵
    PID:5816
- - C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe
    "C:\Users\Admin\AppData\Local\Temp\onefile_5512_133608836132193139\main.exe" "--multiprocessing-fork" "parent_pid=5964" "pipe_handle=780"
    3⤵
    PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
9dda0cf1a46811ba3654d67d6b92f92f

SHA1
7c857e81af60f4b45326fdb719342016db7b623f

SHA256
eb1e9c7da2517b3fff6a3d652cea0c1404a1836144120a40ef6e66847cec2e66

SHA512
141c10c886ac24a9b49ff54add7d4031e1a63d7d8c81995de857cda6087442f605fc784c73a0af4c7f87065ac24ea7aa98fa59065a8df98775f9d59ff7e0efab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
ede5f0bfcd10c321ccc161fd3ff20628

SHA1
6fe9da69334eb112455e336dd76a58347abb0443

SHA256
a72fa77b3e0d260ede74847a80d71dee6051087f6211088e7208a7b39a879fda

SHA512
d902ffacd87411815cef372ababe6239a772f95093a611b3c9208f3f40d2b7570a9eec00fb8f9d77f1f67cc9d53f5a9783bac6bf2b3a77bf9670514686237d39

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_arts_and_entertainment.json

Filesize
67KB

MD5
6c651609d367b10d1b25ef4c5f2b3318

SHA1
0abcc756ea415abda969cd1e854e7e8ebeb6f2d4

SHA256
960065cc44a09bef89206d28048d3c23719d2f5e9b38cfc718ca864c9e0e91e9

SHA512
3e084452eefe14e58faa9ef0d9fda2d21af2c2ab1071ae23cde60527df8df43f701668ca0aa9d86f56630b0ab0ca8367803c968347880d674ad8217fba5d8915

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_autos_and_vehicles.json

Filesize
44KB

MD5
39b73a66581c5a481a64f4dedf5b4f5c

SHA1
90e4a0883bb3f050dba2fee218450390d46f35e2

SHA256
022f9495f8867fea275ece900cfa7664c68c25073db4748343452dbc0b9eda17

SHA512
cfb697958e020282455ab7fabc6c325447db84ead0100d28b417b6a0e2455c9793fa624c23cb9b92dfea25124f59dcd1d5c1f43bf1703a0ad469106b755a7cdd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_beauty_and_fitness.json

Filesize
33KB

MD5
0ed0473b23b5a9e7d1116e8d4d5ca567

SHA1
4eb5e948ac28453c4b90607e223f9e7d901301c4

SHA256
eed46e8fe6ff20f89884b4fc68a81e8d521231440301a01bb89beec8ebad296b

SHA512
464508d7992edfa0dfb61b04cfc5909b7daacf094fc81745de4d03214b207224133e48750a710979445ee1a65bb791bf240a2b935aacaf3987e5c67ff2d8ba9c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_blogging_resources_and_services.json

Filesize
33KB

MD5
c82700fcfcd9b5117176362d25f3e6f6

SHA1
a7ad40b40c7e8e5e11878f4702952a4014c5d22a

SHA256
c9f2a779dba0bc886cc1255816bd776bdc2e8a6a8e0f9380495a92bb66862780

SHA512
d38e65ab55cee8fef538ad96448cd0c6b001563714fc7b37c69a424d0661ec6b7d04892cf4b76b13ddbc7d300c115e87e0134d47c3f38ef51617e5367647b217

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_books_and_literature.json

Filesize
67KB

MD5
df96946198f092c029fd6880e5e6c6ec

SHA1
9aee90b66b8f9656063f9476ff7b87d2d267dcda

SHA256
df23a5b6f583ec3b4dce2aca8ff53cbdfadfd58c4b7aeb2e397eade5ff75c996

SHA512
43a9fc190f4faadef37e01fa8ad320940553b287ed44a95321997a48312142f110b29c79eed7930477bfb29777a5a9913b42bf22ce6bb3e679dda5af54a125ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_business_and_industrial.json

Filesize
45KB

MD5
a92a0fffc831e6c20431b070a7d16d5a

SHA1
da5bbe65f10e5385cbe09db3630ae636413b4e39

SHA256
8410809ebac544389cf27a10e2cbd687b7a68753aa50a42f235ac3fc7b60ce2c

SHA512
31a8602e1972900268651cd074950d16ad989b1f15ff3ebbd8e21e0311a619eef4d7d15cdb029ea8b22cf3b8759fa95b3067b4faaadcb90456944dbc3c9806a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_computers_and_electronics.json

Filesize
45KB

MD5
6ccd943214682ac8c4ec08b7ec6dbcbd

SHA1
18417647f7c76581d79b537a70bf64f614f60fa2

SHA256
ab20b97406b0d9bf4f695e5ec7db4ebad5efb682311e74ca757d45b87ffc106b

SHA512
e57573d6f494df8aa7e8e6a20427a18f6868e19dc853b441b8506998158b23c7a4393b682c83b3513aae5075a21148dd8ca854a11dabcea6a0a0db8f2e6828b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_finance.json

Filesize
33KB

MD5
e95c2d2fc654b87e77b0a8a37aaa7fcf

SHA1
b4b00c9554839cab6a50a7ed8cd43d21fdaf35dc

SHA256
384bf5fcc6928200c7ebb1f03f99bf74f6063e78d3cd044374448f879799318e

SHA512
9696998a8d0e3a85982016ff0a22bb8ae1790410f1f6198bb379c0a192579f24c75c25c7648b76b00d25a32ac204178acaccd744ee78846dfc62ebf70bf7b93a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_food_and_drink.json

Filesize
67KB

MD5
70ba02dedd216430894d29940fc627c2

SHA1
f0c9aa816c6b0e171525a984fd844d3a8cabd505

SHA256
905357002f2eced8bba1be2285a9b83198f60d2f9bb1144b5c119994f2ec6e34

SHA512
3ae60d0bf3c45d28e340d97106790787be2cc80ba579d313b5414084664b86e89879391c99e94b6e33bdc5508ea42a9fd34f48ca9b1e7adfa7b6dd22c783c263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_games.json

Filesize
44KB

MD5
4182a69a05463f9c388527a7db4201de

SHA1
5a0044aed787086c0b79ff0f51368d78c36f76bc

SHA256
35e67835a5cf82144765dfb1095ebc84ac27d08812507ad0a2d562bf68e13e85

SHA512
40023c9f89e0357fae26c33a023609de96b2a0b439318ef944d3d5b335b0877509f90505d119154eaa81e1097ecfb5aa44dd8bb595497cdecfc3ee711a1fe1d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_health.json

Filesize
33KB

MD5
11711337d2acc6c6a10e2fb79ac90187

SHA1
5583047c473c8045324519a4a432d06643de055d

SHA256
150f21c4f60856ab5e22891939d68d062542537b42a7ce1f8a8cec9300e7c565

SHA512
c2301ed72f623b22f05333c5ecc5ebf55d8a2d9593167cc453a66d8f42c05ff7c11e2709b6298912038a8ea6175f050bbc6d1fc4381f385f7ad7a952ad1e856b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_hobbies_and_leisure.json

Filesize
67KB

MD5
bb45971231bd3501aba1cd07715e4c95

SHA1
ea5bfd43d60a3d30cda1a31a3a5eb8ea0afa142a

SHA256
47db7797297a2a81d28c551117e27144b58627dbac1b1d52672b630d220f025d

SHA512
74767b1badbd32cacd3f996b8172df9c43656b11fea99f5a51fff38c6c6e2120fae8bdd0dd885234a3f173334054f580164fdf8860c27cbcf5fb29c5bcdc060d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_home_and_garden.json

Filesize
33KB

MD5
250acc54f92176775d6bdd8412432d9f

SHA1
a6ad9ad7519e5c299d4b4ba458742b1b4d64cb65

SHA256
19edd15ebce419b83469d2ab783c0c1377d72a186d1ff08857a82bca842eea54

SHA512
a52c81062f02c15701f13595f4476f0a07735034fcf177b1a65b001394a816020ee791fed5afae81d51de27630b34a85efa717fe80da733556fdda8739030f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_internet_and_telecom.json

Filesize
67KB

MD5
36689de6804ca5af92224681ee9ea137

SHA1
729d590068e9c891939fc17921930630cd4938dd

SHA256
e646d43505c9c4e53dbaa474ef85d650a3f309ccf153d106f328d9b6aeb66d52

SHA512
1c4f4aa02a65a9bbdf83dc5321c24cbe49f57108881616b993e274f5705f0466be2dd3389055a725b79f3317c98bdf9f8d47f86d62ebd151e4c57cc4dca2487c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_jobs_and_education.json

Filesize
33KB

MD5
2d69892acde24ad6383082243efa3d37

SHA1
d8edc1c15739e34232012bb255872991edb72bc7

SHA256
29080288b2130a67414ecb296a53ddd9f0a4771035e3c1b2112e0ce656a7481a

SHA512
da391152e1fbce1f03607b486c5dea9a298a438e58e440ebb7b871bd5c62d7339b540eed115b4001b9840de1ba3898c6504872ff9094ba4d6a47455051c3f1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_law_and_government.json

Filesize
68KB

MD5
80c49b0f2d195f702e5707ba632ae188

SHA1
e65161da245318d1f6fdc001e8b97b4fd0bc50e7

SHA256
257ee9a218a1b7f9c1a6c890f38920eb7e731808e3d9b9fc956f8346c29a3e63

SHA512
972e95de7fe330c61cd22111bd3785999d60e7c02140809122d696a1f1f76f2cd0d63d6d92f657cdec24366d66b681e24f2735a8aabb8bcecec43c74e23fb4f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_online_communities.json

Filesize
67KB

MD5
37a74ab20e8447abd6ca918b6b39bb04

SHA1
b50986e6bb542f5eca8b805328be51eaa77e6c39

SHA256
11b6084552e2979b5bc0fd6ffdc61e445d49692c0ae8dffedc07792f8062d13f

SHA512
49c6b96655ba0b5d08425af6815f06237089ec06926f49de1f03bc11db9e579bd125f2b6f3eaf434a2ccf10b262c42af9c35ab27683e8e9f984d5b36ec8f59fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_people_and_society.json

Filesize
45KB

MD5
b1bd26cf5575ebb7ca511a05ea13fbd2

SHA1
e83d7f64b2884ea73357b4a15d25902517e51da8

SHA256
4990a5d17bea15617624c48a0c7c23d16e95f15e2ec9dd1d82ee949567bbaec0

SHA512
edcede39c17b494474859bc1a9bbf18c9f6abd3f46f832086db3bb1337b01d862452d639f89f9470ca302a6fcb84a1686853ebb4b08003cb248615f0834a1e02

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_pets_and_animals.json

Filesize
44KB

MD5
5b26aca80818dd92509f6a9013c4c662

SHA1
31e322209ba7cc1abd55bbb72a3c15bc2e4a895f

SHA256
dd537bfb1497eb9457c0c8ecbd2846f325e13ddef3988fd293a29e68ab0b2671

SHA512
29038f9f3b9b12259fb42daa93cdefabb9fb32a10f0d20f384a72fe97214eff1864b7fa2674c37224b71309d7d9cea4e36abd24a45a0e65f0c61dc5ca161ec7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_real_estate.json

Filesize
67KB

MD5
9899942e9cd28bcb9bf5074800eae2d0

SHA1
15e5071e5ed58001011652befc224aed06ee068f

SHA256
efcf6b2d09e89b8c449ffbcdb5354beaa7178673862ebcdd6593561f2aa7d99a

SHA512
9f7a5fbe6d46c694e8bc9b50e7843e9747ea3229cf4b00b8e95f1a5467bd095d166cbd523b3d9315c62e9603d990b8e56a018ba4a11d30ad607f5281cc42b4cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_reference.json

Filesize
56KB

MD5
567eaa19be0963b28b000826e8dd6c77

SHA1
7e4524c36113bbbafee34e38367b919964649583

SHA256
3619daa64036d1f0197cdadf7660e390d4b6e8c1b328ed3b59f828a205a6ea49

SHA512
6766919b06ca209eaed86f99bee20c6dad9cc36520fc84e1c251a668bcfe0afcf720ea6c658268dc3bbaaf602bfdf61eb237c68e08d5252ea6e5d1d2a373b9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_science.json

Filesize
56KB

MD5
7a8fd079bb1aeb4710a285ec909c62b9

SHA1
8429335e5866c7c21d752a11f57f76399e5634b6

SHA256
9606ce3988b2d2a4921b58ac454f54e53a9ea8f358326522a8b1dcc751b50b32

SHA512
8fc1546e509b5386c9e1088e0e3a1b81f288ef67f1989f3e83888057e23769907a2b184d624a4e4c44fcd5b88d719bd4cca94dfb33798804a721b8be022ec0c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_shopping.json

Filesize
67KB

MD5
97d4a0fd003e123df601b5fd205e97f8

SHA1
a802a515d04442b6bde60614e3d515d2983d4c00

SHA256
bfd7e68ddca6696c798412402965a0384df0c8c209931bbadabf88ccb45e3bb6

SHA512
111e8a96bc8e07be2d1480a820fc30797d861a48d80622425af00b009512aacb30a2df9052c53bfbf4ee0800b6e6f5b56daa93d33f30fecb52e2f3850dfa9130

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_sports.json

Filesize
56KB

MD5
ce4e75385300f9c03fdd52420e0f822f

SHA1
85c34648c253e4c88161d09dd1e25439b763628c

SHA256
44da98b03350e91e852fe59f0fc05d752fc867a5049ab0363da8bb7b7078ad14

SHA512
d119dc4706bbf3b6369fe72553cfacf1c9b2688e0188a7524b56d3e2ac85582a18bbee66d5594e0fb40767432646c23bf3e282090bd9b4c29f989a374aeae61f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\nb_model_build_attachment_travel.json

Filesize
67KB

MD5
48139e5ba1c595568f59fe880d6e4e83

SHA1
5e9ea36b9bb109b1ecfc41356cd5c8c9398d4a78

SHA256
4336ac211a822b0a5c3ce5de0d4730665acc351ee1965ea8da1c72477e216dfa

SHA512
57e826f0e1d9b12d11b05d47e2f5ae4f5787537862f26e039918cb14faff4bc854298c0b7de3023e371756a331c0f3ee1aa7cebbbf94ec70cdfc29e00a900ed1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\personality-provider\recipe_attachment.json

Filesize
1KB

MD5
be3d0f91b7957bbbf8a20859fd32d417

SHA1
fbc0380fe1928d6d0c8ab8b0a793a2bba0722d10

SHA256
fc07d42847eeaf69dcbf1b9a16eb48b141c11feb67aa40724be2aee83cb621b7

SHA512
8da24afcf587fbd4f945201702168e7cfc12434440200d00f09ddcd1d1d358a5e01065ac2a411fdf96a530e94db3697e3530578b392873cf874476b5e65d774a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GH3Mghd8g9.tmp

Filesize
100KB

MD5
7e58c37fd1d2f60791d5f890d3635279

SHA1
5b7b963802b7f877d83fe5be180091b678b56a02

SHA256
df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

SHA512
a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIeK5QEfHh.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
3af448b8a7ef86d459d86f88a983eaec

SHA1
d852be273fea71d955ea6b6ed7e73fc192fb5491

SHA256
bf3a209eda07338762b8b58c74965e75f1f0c03d3f389b0103cc2bf13acfe69a

SHA512
be8c0a9b1f14d73e1adf50368293eff04ad34bda71dbf0b776ffd45b6ba58a2fa66089bb23728a5077ab630e68bf4d08af2712c1d3fb7d79733eb06f2d0f6dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\zstandard\backend_c.pyd

Filesize
512KB

MD5
4652c4087b148d08adefedf55719308b

SHA1
30e06026fea94e5777c529b479470809025ffbe2

SHA256
003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795

SHA512
d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
ff2c1c4a7ae46c12eb3963f508dad30f

SHA1
4d759c143f78a4fe1576238587230acdf68d9c8c

SHA256
73cf4155df136db24c2240e8db0c76bedcbb721e910558512d6008adaf7eed50

SHA512
453ef9eed028ae172d4b76b25279ad56f59291be19eb918de40db703ec31cddf60dce2e40003dfd1ea20ec37e03df9ef049f0a004486cc23db8c5a6b6a860e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
fe489576d8950611c13e6cd1d682bc3d

SHA1
2411d99230ef47d9e2e10e97bdea9c08a74f19af

SHA256
bb79a502eca26d3418b49a47050fb4015fdb24bee97ce56cdd070d0fceb96ccd

SHA512
0f605a1331624d3e99cfdc04b60948308e834aa784c5b7169986eefbce4791faa148325c1f1a09624c1a1340e0e8cf82647780ffe7b3e201fdc2b60bcfd05e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
a33ac93007ab673cb2780074d30f03bd

SHA1
b79fcf833634e6802a92359d38fbdcf6d49d42b0

SHA256
4452cf380a07919b87f39bc60768bcc4187b6910b24869dbd066f2149e04de47

SHA512
5d8bdca2432cdc5a76a3115af938cc76cf1f376b070a7fd1bcbf58a7848d4f56604c5c14036012027c33cc45f71d5430b5abbfbb2d4adaf5c115ddbd1603ab86

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
821aaa9a74b4ccb1f75bd38b13b76566

SHA1
907c8ee16f3a0c6e44df120460a7c675eb36f1dd

SHA256
614b4f9a02d0191c3994205ac2c58571c0af9b71853be47fcf3cb3f9bc1d7f54

SHA512
9d2ef8f1a2d3a7374ff0cdb38d4a93b06d1db4219bae06d57a075ee3dff5f7d6f890084dd51a972ac7572008f73fde7f5152ce5844d1a19569e5a9a439c4532b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
619fb21dbeaf66bf7d1b61f6eb94b8c5

SHA1
7dd87080b4ed0cba070bb039d1bdeb0a07769047

SHA256
a2afe994f8f2e847951e40485299e88718235fbefb17fccca7ace54cc6444c46

SHA512
ee3dbd00d6529fcfcd623227973ea248ac93f9095430b9dc4e3257b6dc002b614d7ce4f3daab3e02ef675502afdbe28862c14e30632e3c715c434440615c4dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_asyncio.pyd

Filesize
63KB

MD5
33d0b6de555ddbbbd5ca229bfa91c329

SHA1
03034826675ac93267ce0bf0eaec9c8499e3fe17

SHA256
a9a99a2b847e46c0efce7fcfefd27f4bce58baf9207277c17bffd09ef4d274e5

SHA512
dbbd1ddfa445e22a0170a628387fcf3cb95e6f8b09465d76595555c4a67da4274974ba7b348c4c81fe71c68d735c13aacb8063d3a964a8a0556fb000d68686b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_overlapped.pyd

Filesize
48KB

MD5
fdf8663b99959031780583cce98e10f5

SHA1
6c0bafc48646841a91625d74d6b7d1d53656944d

SHA256
2ebbb0583259528a5178dd37439a64affcb1ab28cf323c6dc36a8c30362aa992

SHA512
a5371d6f6055b92ac119a3e3b52b21e2d17604e5a5ac241c008ec60d1db70b3ce4507d82a3c7ce580ed2eb7d83bb718f4edc2943d10cb1d377fa006f4d0026b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\_uuid.pyd

Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\charset_normalizer\md.pyd

Filesize
10KB

MD5
f0027550d46509b0514cf2bf0cc162bc

SHA1
5b5a9fd863a216b2444ccbd51b1f451d6eca8179

SHA256
77300a458bb8dc0d4ff4d8bddb3289e90cb079418dbed3e20d2c9a445f39746e

SHA512
bb09b814dbe3e4361abbafec4768208c98a7f455ef311b653d61b0b6098197bdac43e74e2e3868e486819f147b8f7c442c76e5181cc5a7eb13b6e2c2e07bf9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\charset_normalizer\md__mypyc.pyd

Filesize
111KB

MD5
e9454a224d11e1bd68c7069b7f5f61a7

SHA1
793098653d93652415f8bace81434f6f4490cf1a

SHA256
711f292ace44576f5de4f592adebd9d21faf569357c289425251d8dce4fa84cc

SHA512
17d993a0c4b56219e8c224eb2bdea92d9cc4bd3809b0f9fa4cf0ddfdc5eab4371441d488ea851abf2f88c691d57a268d5cdcaa9d11d4dd091bc130638fe36460

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\main.exe

Filesize
12.5MB

MD5
c58c78a74d1819e8288be0f55f656318

SHA1
e47af27fe87c79adedba7423e1fc983f9b4a4a38

SHA256
fd685d19b1db402874e32f6dfd72edbded886816333600f8f29342cdf2980425

SHA512
14ec5817c26a4a445f669fc9d83459b24713c3a3e4b768d17482faaca1e40f3092b8e7c3e8802faa5d4bece4cc4e7e58e68f1457159961b1d3a2365469adf41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\pywintypes310.dll

Filesize
131KB

MD5
ceb06a956b276cea73098d145fa64712

SHA1
6f0ba21f0325acc7cf6bf9f099d9a86470a786bf

SHA256
c8ec6429d243aef1f78969863be23d59273fa6303760a173ab36ab71d5676005

SHA512
05bab4a293e4c7efa85fa2491c32f299afd46fdb079dcb7ee2cc4c31024e01286daaf4aead5082fc1fd0d4169b2d1be589d1670fcf875b06c6f15f634e0c6f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\vcruntime140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1692_133608835673686291\win32crypt.pyd

Filesize
121KB

MD5
acc2c2a7dd9ba8603ac192d886ff2ace

SHA1
eae213d0b86a7730161d8cc9568d91663948c638

SHA256
4805c4903e098f0ae3c3cbebd02b44df4d73ab19013784f49a223f501da3c853

SHA512
23b97707843d206833e7d4f0dfcad79a597de0867bab629026dd26bff9f1c640bb4cd1bc6bce7abe48353feac8c367e93ea7b15425d6ff8b1aea07a716f5e491

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
0acfcaf2b4aebd22a7d151c331e98f78

SHA1
3d9835637e0d03cc7a69c661389c319d0afb748c

SHA256
6b0b025a86d8c0b5e0ad41e19eeaaa1e229220ad728c36301106aee2c081e85d

SHA512
56dac78781cd22767273cf2d08bc9caf9a7b345b39d888cbe45f715032cc980480ef742ef61393bd216e88edee1cc2af84179e2c2b34bca5d1948b839a1b5c28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\addonStartup.json.lz4

Filesize
5KB

MD5
7bb0d91d09cc64e6f66e96e5ca062f23

SHA1
1bc68ed89c69468c57702cfdefc52602e05c92b0

SHA256
0f9f2f2b00ea9d94d4c52c3e63aeb4c13714157519c51269ad46ba3e3abc0d11

SHA512
8dcad9f2762b3a394611850897548a59fffcfebf0399daa6cbce5fcc25db303c77bb698fee030092e4c8d0b469ecbfcd9008e5ece6f9ba0c0377a0237817754c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\broadcast-listeners.json

Filesize
216B

MD5
b0ce94b510878a8b430692ebb188af4e

SHA1
8abe26e896abf76205f2333df4c5977338ae2883

SHA256
9e4db3cf3494997438dab7b82e72698317980f64416abc2c30cfee90d875c55b

SHA512
19ae5084b01ffaf918e04042cd2e6a9ec82880d0a072c540bd192ac5de23bb4d193165889c1c211b1566b6337a2fcdac543868282f94fb350ae60570c35b94a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
10KB

MD5
4200398d791c0115b5db8c1e9fbbd8ae

SHA1
9d9382a2fe3c3b15ef128ff457d99cc47c8e43a9

SHA256
ade52d384cca14c8c6d688bc45bce86e319dcd89b2af6ea41f57d8a6914fb4cb

SHA512
9f679d29b5d092b44315e5ad409dfa6373329a1be37bd0f9a97294219b917cbee94b56ef2fbef871bdfea6eb8365845b4e7007c84b047060f3e75a2a5418050e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
8KB

MD5
c2a490be454f6e46187b083f0fa107a6

SHA1
5dcaa8371915a814533b4a0ab3436485d36f3485

SHA256
c49ed8725584d7f5f4806b5bf10bb30dcc3f5f605235d6bbfffecae160e76215

SHA512
7fba83441c2a140eca81f22ab459ca478409a46a81020837fc6a5000e05786a8550469de97674b0ac8f9ebe12cb812c7e3c0f46cf984dce209d08d7f89937691

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
11KB

MD5
5648b21fa8d399d0eb44f90b1dff7e14

SHA1
8e1b4b411a2fcd7fc81b9f494a0cc987b0408ac9

SHA256
824609f3f3ed67bd80ea19b8e3507a2393727c2572393f07ef1e4290dc2a2c9b

SHA512
570e4138f85c12bfc15bee2ec0bac62774afefd5528023a8cf0316d69ea02ce7ff081836c3228a17ca2bbbd4d84cf3168d072637e47b08f4fadac953513ff05a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
20d124cc1b1194d5cd64b0cc8301ed18

SHA1
06a9dd518ccac57aa599a3254bea14d1bc1c3e3d

SHA256
0df7685295329b196d6a883182e2c9417328d86ccc4d4bca0057e3b9b87a8198

SHA512
08723b26e53a9f5f3e0a8359a7b4ac09ca666ffbcc36b28390ed7b802d79e024599a5ee3640ca39eb5f76fd0bd5c3a53eeb03984ee3bf80e25079e884cc70c93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
52ec778f2ab53f2d9a08db7cf3dffe27

SHA1
1108ccc41bed9cf29c5e7fa3e0cfaea201845541

SHA256
289dd838db42adf08552052fb269bbd71fda09a099f9a94ac1e1a57853937741

SHA512
5c065f145ca59796eb3e9efd60400f071e97566f0cb38e36c4b8e5f4b9b6eda9fc150bad9fb82afb297c1c22c2a23ea31ac0aad25d88fa232223f5be08707212

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\targeting.snapshot.json

Filesize
4KB

MD5
ede9f76e368c85e26e89d07cdd88e54b

SHA1
937091bb50205bb8f902455af8ff03511c5a5ef6

SHA256
eb983a424aca7a0d0596962336bd09e472be6ed31ea94695ab86f7dca9dfb69a

SHA512
5ea58db2fcca2b313a55e33f4e3f224a818a3410dbf56ebed60222690e72ed78160330c44c9ab0dbcc614f43efc640f1cdab4d18aa8b56e842391033a7b94804

Download Submit
C:\Users\Admin\Downloads\win4.vwIgkONx.zip.part

Filesize
8.4MB

MD5
0d3429d3fe34d7b83c1ffc494b2bfe66

SHA1
edb420294ca29e961b82f4322e9d8d20f5f82d17

SHA256
1257a1cda6ec520ca27744120d70f66d999dd659ff0ade737c9d312c9f6555a6

SHA512
52ba5c3b2f8301cb4b60748a85759b66a19536b581ad36d2f47e8164a42f6a9cd2043fcf64d238e72a8abf924df07203b5c58cba7aa93c7595e5caf8465a5419

Download Submit
memory/408-2621-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/1520-2635-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/1692-2634-0x00007FF6EA280000-0x00007FF6EAB11000-memory.dmp

Filesize
8.6MB

Download
memory/1912-2619-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/1976-2622-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/2028-2519-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/2028-2618-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/2288-2755-0x00007FF6EA280000-0x00007FF6EAB11000-memory.dmp

Filesize
8.6MB

Download
memory/2292-2518-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/2300-2530-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/2896-2522-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/3324-2638-0x00007FF6EA280000-0x00007FF6EAB11000-memory.dmp

Filesize
8.6MB

Download
memory/3612-2532-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/3620-2620-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/3644-2531-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/4044-2756-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/4468-2738-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/4516-2521-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/4828-2639-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/5072-2520-0x00007FF756F60000-0x00007FF757C07000-memory.dmp

Filesize
12.7MB

Download
memory/5244-2719-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5252-2718-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5260-2721-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5264-2722-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5384-2720-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5488-2741-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5496-2737-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5576-2739-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5596-2740-0x00007FF64F610000-0x00007FF6502B7000-memory.dmp

Filesize
12.7MB

Download
memory/5636-2843-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5656-2834-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5668-2844-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5700-2832-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5772-2835-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5800-2836-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5876-2845-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/5920-2833-0x00007FF6480E0000-0x00007FF648D87000-memory.dmp

Filesize
12.7MB

Download
memory/6020-2630-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/6028-2631-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/6036-2632-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download
memory/6044-2633-0x00007FF68F940000-0x00007FF6905E7000-memory.dmp

Filesize
12.7MB

Download