44caliber | hxxps://www[.]mediafire[.]com/file/vlkumpo3ih2kjl8/OxyProjAW[.]rar/file

Analysis

max time kernel
77s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
20-06-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/vlkumpo3ih2kjl8/OxyProjAW.rar/file

Score

10^/10

44caliber evasion persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1208790119046193243/eZ9zjLPvHd-FRJsahjqgqZrRSsKnYitSyY6Wf_DhXU7Uan_6NaWZpaFcBn-LdnE8QCGt

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

7268 netsh.exe

pid	process
7268	netsh.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SteamUpdate.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SteamUpdate.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%WinDir%.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%WinDir%.exe	server.exe

Executes dropped EXE 4 IoCs

Processes:

Loader.exeneverlose.exeinjectCS.exeserver.exe

pid process

7860 Loader.exe
8012 neverlose.exe
8064 injectCS.exe
8088 server.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

268 freegeoip.app
285 freegeoip.app
Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\%WinDir%.exe server.exe
File created C:\Windows\SysWOW64\%WinDir%.exe server.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

injectCS.exe

pid process

8064 injectCS.exe

pid	process
7860	Loader.exe
8012	neverlose.exe
8064	injectCS.exe
8088	server.exe

flow	ioc
268	freegeoip.app
285	freegeoip.app

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%WinDir%.exe	server.exe
File created	C:\Windows\SysWOW64\%WinDir%.exe	server.exe

Drops file in Program Files directory 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Program Files (x86)\%WinDir%.exe	server.exe
File opened for modification	C:\Program Files (x86)\%WinDir%.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7952 8064 WerFault.exe injectCS.exe

pid	pid_target	process	target process
7952	8064	WerFault.exe	injectCS.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 3 IoCs

Processes:

Loader.exetaskmgr.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\OxyProjAW.rar:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\OxyProjAW.rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

injectCS.exeserver.exe

pid	process
8064	injectCS.exe
8064	injectCS.exe
8064	injectCS.exe
8064	injectCS.exe
8064	injectCS.exe
8064	injectCS.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe
8088	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

8088 server.exe

pid	process
8088	server.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

firefox.exe7zG.exeinjectCS.exeserver.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeDebugPrivilege	2376	firefox.exe
Token: SeRestorePrivilege	7344	7zG.exe
Token: 35	7344	7zG.exe
Token: SeSecurityPrivilege	7344	7zG.exe
Token: SeSecurityPrivilege	7344	7zG.exe
Token: SeDebugPrivilege	8064	injectCS.exe
Token: SeDebugPrivilege	8088	server.exe
Token: SeDebugPrivilege	7520	taskmgr.exe
Token: SeSystemProfilePrivilege	7520	taskmgr.exe
Token: SeCreateGlobalPrivilege	7520	taskmgr.exe
Token: 33	8088	server.exe
Token: SeIncBasePriorityPrivilege	8088	server.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

firefox.exe7zG.exetaskmgr.exe

pid	process
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
7344	7zG.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

firefox.exetaskmgr.exe

pid	process
2376	firefox.exe
2376	firefox.exe
2376	firefox.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe
7520	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

firefox.exeinjectCS.exe

pid process

2376 firefox.exe
2376 firefox.exe
2376 firefox.exe
2376 firefox.exe
8064 injectCS.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 4836 wrote to memory of 2376	4836	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 3096	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe
PID 2376 wrote to memory of 1224	2376	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/file/vlkumpo3ih2kjl8/OxyProjAW.rar/file"
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/file/vlkumpo3ih2kjl8/OxyProjAW.rar/file
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.0.2026744630\654004834" -parentBuildID 20230214051806 -prefsHandle 1752 -prefMapHandle 1744 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1adc27f-9e5a-4893-a8ef-1f4c41f264e4} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 1592 2549a50f658 gpu
    3⤵
    PID:3096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.1.1873105238\296893926" -parentBuildID 20230214051806 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c66337d5-e975-4d2f-886e-83588d8b743f} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 2376 25486488f58 socket
    3⤵
    PID:1224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.2.1901005543\1269634485" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc457e38-2f35-4ee6-9632-6c316ba895c5} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3036 2549d653358 tab
    3⤵
    PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.3.1533426347\1150252512" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fff1e42b-57ae-4662-927c-2387c43bf974} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3660 254a0482558 tab
    3⤵
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.4.1586260116\829481000" -childID 3 -isForBrowser -prefsHandle 5268 -prefMapHandle 5472 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64b89888-7f26-417d-bcbf-ec43976fe91d} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5276 254a341fd58 tab
    3⤵
    PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.5.1516572272\1480759043" -childID 4 -isForBrowser -prefsHandle 5604 -prefMapHandle 5608 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9d55233-9dbb-46e8-b919-3c13f3553123} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5592 254a341f458 tab
    3⤵
    PID:4632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.6.408674504\1818551209" -childID 5 -isForBrowser -prefsHandle 5872 -prefMapHandle 5868 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f5ee128-91a6-452d-a3c4-0abe8a4a5f75} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5784 254a3420358 tab
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.7.974190433\1008097843" -parentBuildID 20230214051806 -prefsHandle 5812 -prefMapHandle 5840 -prefsLen 27695 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bb94659-0be8-4fbf-9577-f22d9acf3321} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5604 254a3a3a258 rdd
    3⤵
    PID:1000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.8.1637970044\1440916171" -childID 6 -isForBrowser -prefsHandle 9592 -prefMapHandle 9596 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dc225f2-9ba9-49d4-90e9-296d6f2c8723} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 9580 254a45e3258 tab
    3⤵
    PID:4184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.9.1204108924\2086403711" -childID 7 -isForBrowser -prefsHandle 10044 -prefMapHandle 9976 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {039b0e51-4409-4951-95fe-b70c458a4f9c} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5528 254a5ed3358 tab
    3⤵
    PID:1204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.10.684228164\1861899487" -childID 8 -isForBrowser -prefsHandle 6156 -prefMapHandle 6152 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e558f9d8-1402-48fd-8f65-3b9e868c5f6f} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 10172 254a5f3b258 tab
    3⤵
    PID:5116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.11.686163872\329279139" -childID 9 -isForBrowser -prefsHandle 9936 -prefMapHandle 9932 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80a1d25-8a07-41da-bcd5-e9cd7b4e4d53} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 9916 254a5f3b558 tab
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.12.1384123918\1387346270" -childID 10 -isForBrowser -prefsHandle 9404 -prefMapHandle 9408 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce9f93f-2d30-4c97-8916-d4cdee501151} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 9248 2549d054158 tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.13.1891221990\767813849" -childID 11 -isForBrowser -prefsHandle 9748 -prefMapHandle 9744 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6958ec0a-5298-4203-a780-97522fac647f} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 9888 2549c5a7b58 tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.14.88237518\1162042188" -childID 12 -isForBrowser -prefsHandle 8952 -prefMapHandle 8948 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f444211f-34ee-4436-9b9f-6a6063ac2127} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 8960 2549c5a9f58 tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.15.856894626\1693889755" -childID 13 -isForBrowser -prefsHandle 9072 -prefMapHandle 8976 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b74f194e-5fb5-4071-ac7e-d66e044cb3b1} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 8868 254a66a3658 tab
    3⤵
    PID:5272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.16.53368330\1872411483" -childID 14 -isForBrowser -prefsHandle 8476 -prefMapHandle 8472 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d082a77-6efd-4812-b882-41e6dc28ff56} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 8752 2549ac73a58 tab
    3⤵
    PID:5376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.17.1171309873\1525945564" -childID 15 -isForBrowser -prefsHandle 8356 -prefMapHandle 8352 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b801af3b-bdc9-4b5a-a850-14ebf874fed4} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 8464 2549adea558 tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.18.1450230837\1834928872" -childID 16 -isForBrowser -prefsHandle 9136 -prefMapHandle 9132 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8ab09dc-9a2b-4c03-a8c0-9bed3093e085} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 5360 254a6719858 tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.19.779189546\1919471964" -childID 17 -isForBrowser -prefsHandle 7812 -prefMapHandle 7832 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1c47693-1454-461f-9559-4f394212bd46} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 7804 254a6742258 tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.20.1135659277\1140441214" -childID 18 -isForBrowser -prefsHandle 9072 -prefMapHandle 8976 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd216555-0ef5-4e4a-be14-753fd0702828} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 3904 25486475558 tab
    3⤵
    PID:5612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.21.82331391\1892273360" -childID 19 -isForBrowser -prefsHandle 7640 -prefMapHandle 7596 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bfa12aa-5488-4f02-a9ea-2b87da671811} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 7876 254a372d258 tab
    3⤵
    PID:6344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.22.664269854\180530398" -childID 20 -isForBrowser -prefsHandle 7812 -prefMapHandle 7336 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8b784c2-cdfc-4ca9-bb88-96f965e8194f} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 7340 254a3a5ac58 tab
    3⤵
    PID:6376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.23.55457105\1276635282" -childID 21 -isForBrowser -prefsHandle 7140 -prefMapHandle 7136 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d96ce8-2cab-4658-a53c-93c2c4ac5e9d} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 7336 254a5e09058 tab
    3⤵
    PID:7096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.24.2103504026\1256639546" -childID 22 -isForBrowser -prefsHandle 8572 -prefMapHandle 7628 -prefsLen 27751 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e15101-587c-419b-8f19-4457c34f4101} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 7472 2549d612258 tab
    3⤵
    PID:6364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.25.28093847\1497612849" -childID 23 -isForBrowser -prefsHandle 7000 -prefMapHandle 7140 -prefsLen 27751 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73687d73-4bb8-4158-82f2-76039d51d27a} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 7068 2549fd47e58 tab
    3⤵
    PID:6524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2376.26.745249285\1935510457" -childID 24 -isForBrowser -prefsHandle 7012 -prefMapHandle 7008 -prefsLen 27751 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2927626c-e6a9-4b53-9729-052c53d80d30} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" 6908 254a0482858 tab
    3⤵
    PID:6700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1032

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\OxyProjAW\" -spe -an -ai#7zMap21450:76:7zEvent32346
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:7344

C:\Users\Admin\Desktop\OxyProjAW\Loader.exe
"C:\Users\Admin\Desktop\OxyProjAW\Loader.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:7860
- C:\Users\Admin\AppData\Local\Temp\neverlose.exe
  "C:\Users\Admin\AppData\Local\Temp\neverlose.exe"
  2⤵
  - Executes dropped EXE
  PID:8012
- - C:\ProgramData\server.exe
    "C:\ProgramData\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:8088
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7268
- C:\Users\Admin\AppData\Local\Temp\injectCS.exe
  "C:\Users\Admin\AppData\Local\Temp\injectCS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:8064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8064 -s 1476
    3⤵
    - Program crash
    PID:7952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1.vbs"
  2⤵
  PID:8124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 8064 -ip 8064
1⤵
PID:8048

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Cookies_Firefox(62).txt

Filesize
11KB

MD5
26b57cf0d3a3241feb07bad429eddc84

SHA1
394b46a8b614604d5d6f7d12484fde0ec08f694c

SHA256
db1b7778c735c7670a7a0279bd67d661724b4a7504cbd1a5af6ef06ad23a5f46

SHA512
82748115dcf69a940c3795167d95c620496215aec740af14a68ab9812cafd5dedcbd0891f0a9f2269526275535ec966ed53ad15ea1312298a1611ac3c875d86d

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
aa48cafbd6d2baf3ca4e760c9e7cd962

SHA1
f382c0c952e3b6ee3cfd9ec9e909024f4bd62f4e

SHA256
795ef7c73ae2475ac342a5225b7dafc67bab8fb37aa8a933559410a78d14dbed

SHA512
7cd64ad2bbbcfffab869de40b1bc3be44867a9c91cc4d7dd90c9f6bf3ddb5a46d7c9f04c8a0ff84fe150869b4f8766d497a8f067147841414551c72f588dfc7d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cache2\doomed\14618

Filesize
8KB

MD5
35f6bf9ad977f9ed4a4cf062a5a259c2

SHA1
8864fad4b822ccf05966430539b6683a59999550

SHA256
f2ffd6275c1cdae58dd635c884e720683063a1fa98396d980df01c283b77b847

SHA512
9916a5d7f5a4490a41e3217ccf2e639117a45f15e3e27e9ee2d58fb3ca519220ef9145b8b090ebcad88a02e70cfef0a5c773c1eaafa747df60d5ddbfdaabfc61

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cache2\doomed\3699

Filesize
7KB

MD5
48f61582ace4091311df2d655be73ae9

SHA1
e749a5fda5082b8f51003419e53ed893abc717b8

SHA256
d6710542d26b6d3fbe44aece42330726045eace3b793df0562da77d536d7fe41

SHA512
6c8b802cc69e161915bdd10aa9728ac699e1c5fc7598a4bde08d3a5df5f348114071b77e7b0227b025a12a632e7603f494e8299e019442d926fc3ebbc0a97f46

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cache2\doomed\545

Filesize
7KB

MD5
5fe26e788fe04f94a16a786c845c1a26

SHA1
f994f28c7586f2b44c8b4160938049617f5d671e

SHA256
7c58f06a1cb6f3f1fab1f7acbf624dc9c1febd23c8269a266ce0a06828250a02

SHA512
5493d1904aa02293d27fb0bfbd1e19a013b350430057485dff2c7fc164e1a3039265769187f73316ea7f527b08c9d5fc7a9f90c8fa5338cd16a984d064b94cd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cache2\doomed\9557

Filesize
7KB

MD5
a2c393955b326062238551f5fc2b4432

SHA1
ae013346fe928aec73e531286c05a8caa82eb101

SHA256
3f15308b5965ac7c84fbeac2c42967d7fb519e7aee5d268f6f04a4759d47c7a2

SHA512
59e3b224a904ef1def193341180692402f6c0754adff60e14b77e5b26ec05f2adfb87df87bf86769d38ff8d1e9805803e9db1dfd7f096d4ac5ef9f00c76365b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
ed855f2dac588568a471015ff1452302

SHA1
73159268fa49293550ca0d739ced546192eace2c

SHA256
e7b13dd28b458f55fad0088f521801da28f5402b9dbe93356c290ec78a80096d

SHA512
0316977e7aa67f51d56ba67a146c8f3aaac3ddde02952d71fa4ce8bbfe1b82affc53c6031fe16bbfe3d7e89842d9929f202fa6cf69afcb2168b6a70cb1e0c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.vbs

Filesize
39B

MD5
9d27dce77d2ba254c0a5773ee7df52a1

SHA1
af1db1a5d3245cf6d0fc9533e3a4bee257e36ab8

SHA256
99c8d2a9321bfbcf0412bf55ef4398a2a5e6cad2195134fb3a09cbda6ffa963d

SHA512
4e34967ba5d1771dfc066c5ce674c96f0e1d00059ff3171351de53f478ed3bcbbee9e1ee9708dba5ac1a33c13005e2e6e6b7a063153810e96d4dc358c816ca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
39cd12bfa2b05eab65adc4171c71927f

SHA1
7b35f5347306eeca5cb6c5f6dc254c2e54029038

SHA256
aa35a35958c7ddbc9f09cd1de57b5a314d8ee1bc8d5df75277c96c2945aee68f

SHA512
b448612f3df06eb9d206208619fd5cde1407a36dac880662e8773d22e17ec51994c157b0ce7f574ee37b041e979cae56b57a2cbabd6816468490995034d504e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRCPJXUV-20240508-1311.log

Filesize
58KB

MD5
dd695e376425b5abfad2ec5bbcc5c998

SHA1
8fdba5548a3ce4dff3532ec0b266f556b3f039f9

SHA256
2d7b83fe9c108443340682e06503630c5b6f3c56fc224eff2a12d603b93b666d

SHA512
f9d6bf68780bf64df714909dedf680194e99d91896299c5937c9bad29d4f2d51ce1e0031137d35a008d209e9b306133f8c30849e9f5912c41248ab1307065884

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRCPJXUV-20240508-1311a.log

Filesize
179KB

MD5
c3c4237d05a198ba87bff43017071e0c

SHA1
a8f099d432cec99242c4ce47d33a8d3ac09252ee

SHA256
57d4e33a02b2f7c9a2b58ff82c6e5b70c54aa161d06a6b893754ab99335fd243

SHA512
64c6d9958adf635978265a015f7547b57bdb8f14239e3c5140d9898a45987928cc1f9efc90ef824ad52a6b33ee55803451b08b5071fe5254168eed5f97873811

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
31KB

MD5
08eaa821778e0b3901568e7bb50d7016

SHA1
9d8c3496d9ca3988d2a68d2364dd6d94bf334cc8

SHA256
e3add0087aeeb864bd4dc72655225b8a87974fd6d6db67bff4705111af66f6ff

SHA512
749e7ec5947d42179f6698293aea7402a1cfb0c96a2a89f41f2e704233c09f03c22bc07fb589d3d155d2b09fc305743d21a34c648e28043f82925d21e827117d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_130634884.html

Filesize
93KB

MD5
41bccf7ce3472f9ec3241c4a289db504

SHA1
7f37c491b72ac639dbe2f7cfcfb6edff63b3966a

SHA256
4dfb54a17dcfdde3b784bad0f6acc3b322f63178991f250c73b6dbcc8df5e8ea

SHA512
fb5a6216e8e87bd2d1b543055aea209fa25085714f77761a5ace5956a2be7ab5204bd40be9ec65d9f01fb10a4797825500064322922a766fc65aa95c927ffa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508130655.log

Filesize
15KB

MD5
0eefcbcbdac405e2ecb9b50830d5972d

SHA1
08e18e74c87ae3289eb4a4862e5dddef35088f5d

SHA256
1486f87c9b6bd660bf534528d5ae98cc7da1313c1cd21407cf477b49e98bedd5

SHA512
a777679329405d6063eae38f9e66276929ee2930b6fd1db39df729491dfbd820ca5461fb5e608fdcd51a35ac1921195ad39a252ce9bea0a7fc9ca20d935a1b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508130655_000_dotnet_runtime_6.0.27_win_x64.msi.log

Filesize
551KB

MD5
5cb5ae12825237d9a906be2f90a2312e

SHA1
df5fb930662f8d8aee3ecda619217038c59c9c7d

SHA256
7a9cb0bb3024f7e44cbc59596ac0b73fdafae28818101e290b4ddf21b76b4fee

SHA512
84c3fbbcc21bdedb6711bd78850380ee22d1419a7e0e54bb114c341c46a8e5b97d8b48389632ccdda2f3cfe9495af5cd0db6b45d6e8049d8c12d4d04df31a1c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508130655_001_dotnet_hostfxr_6.0.27_win_x64.msi.log

Filesize
95KB

MD5
81917002c3f9f156ec68de01c7dd28e0

SHA1
3a4a79f63be599696621703f1c46ef52f9893d4d

SHA256
15e7947fbf79652c1fc3a6b6802a3ed59272ad7258cf8e14d47a8f1325d9868f

SHA512
a30b39ba359010da122837b3688ce4c7524dbac444c368dc5b5410d4f860c0654f98a912aa69ff0bdebf1235a915afecd5a2a75a0d7d3558aa7c5a77d97ce593

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508130655_002_dotnet_host_6.0.27_win_x64.msi.log

Filesize
105KB

MD5
9c2dfbd08766664f5b8e43616b004141

SHA1
3cecda26a2128a30e60c1153f8eea403d2f1a092

SHA256
55dd9710a699307320d19ba98aa62bc3b82a53ceaab59ffc849758816d89e4f3

SHA512
ef1a3ecc580db94b915a8ced5f152f396a9c60102b6c6ce6282be64d814b9d19e7db75daf0dec698e8d65a0a25a33835f69e6b79fa83194d11636dcc3f9edfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508130655_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log

Filesize
847KB

MD5
c34c1f3db7f15c30e7ddd62b40e80b6c

SHA1
c97adf02d4441778f0ef1e88e3c1d8813bb0c877

SHA256
6bc51f48192935e2e5b813fc6ea755709b0bffceb5f2226bf293b64578743325

SHA512
79caa4008e9bfdd658f796be2e41213bd002245180236b121b4760d5b5a4ca169e673bc3065790ff52e773964a1e1dc3d55e464fe7c450fbf32e9c4365c76f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508130732.log

Filesize
15KB

MD5
91b0f3d708bf4204bdf84f3dcf3ee253

SHA1
2fbcfe9607de20c32dac13d5043a2e76fc92d338

SHA256
0c35b8c5d027cca412fd85c9c99bef80a2a2112474e81b37cf20fc0717d4d67d

SHA512
4179e9bd6d625898202573288928db6202a26d7da0c7e96da4493a7ae33cb40fdd01d24f3df75f50807a3815de78091a419c59505ab01329de6138c04dcb44f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508130732_000_dotnet_runtime_7.0.16_win_x64.msi.log

Filesize
470KB

MD5
e7015f803ddbda5565b35b475abbb394

SHA1
3c3c685e714e9e8efc15f012fd8d09c709bc0cee

SHA256
2e88297069ca34f5cc3e2308d92a0a4582627b04f8c9b719bc7c23660680294a

SHA512
f4d00e99accf0efeca8e502bc8b00477793bb9551621dc58097809702422f787166aa7950ec117d192821a3abc3522dce990845896ab47bd0f2252945b76fc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508130732_001_dotnet_hostfxr_7.0.16_win_x64.msi.log

Filesize
95KB

MD5
0997eafcf2de8339893549787f2255ba

SHA1
df35b33bec95a77e410dafdebd9e88bfc855b3b6

SHA256
0ae8ff2b171f8aef445d1202e65f5eab10733680c7e89f043c51ec89b53a1b4c

SHA512
cb817c22aa4c009172a4b1bf64b22a7ac961c20e39d873513453e82e196874f0557e1722e8b1342aeaea15d31d0c17872adfaeaad09bc4c257c056882dfb3a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508130732_002_dotnet_host_7.0.16_win_x64.msi.log

Filesize
109KB

MD5
c308f5bba07e85f3b64d984e2da45061

SHA1
37c55b53ab25e3f5c935ecf39c1a2a506fccc4dc

SHA256
b412004c2925cb154ec7d26b389415ddba1deb65a9a83af4da90370cedcb1cb8

SHA512
accf455f735e47c1b3db2587e0cac0eb213eeec86b76f1ebaa24b9dd0d03ad09d4515df2b1a5e7472734e556c67f90246152e4ba92757392107b291eed9b83f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508130732_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log

Filesize
852KB

MD5
0a61e554be70b9d9f4551c1bfee3e8c0

SHA1
997c5235e49345dfec031a99ebd157373a1acb5a

SHA256
9df6840ef4dee01b1afeeff1bd6f774981678be5ca84b455788ad1eb14ac0574

SHA512
af086ab2c8a5210cba97fc9bb91d3ad92a657f8707f3d8116bed75f11dff7a3d6da5ef2bc806fa1290a29071a38f269b1ef96f9121b463729c2949e3830f062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508130753.log

Filesize
15KB

MD5
0b526e0bb5ab2cee392aae45a263843b

SHA1
86de3112408b6585b5a63856fa07ead1ee78a95c

SHA256
81b544584ad37993331adb2cd6dd46829c37ae85a00ecd067b76a5f28e98e88a

SHA512
7400d2215bf2dba77edc962954f5f7537b2b5ff2f11335b867f65aa36f8fe5e3af0bfb691b6ed8d286a7d19de40ce05fe9802e14e9847968824e32a9c1e79c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508130753_000_dotnet_runtime_8.0.2_win_x64.msi.log

Filesize
469KB

MD5
715ad8a2dbc2f1c18063ccb71f4caa41

SHA1
1db3ffff932e144c07707955109b1471071a7c5f

SHA256
fe8c3c2f31e79a81e690f0019480e04d63d61cc9a77a14e93e31de572989f31e

SHA512
a4887bd24c3ac1ce4c0478bc80783e02b49010121a5e8809209918d8a121a3bf929192c669d279f77d8ca6b6ed19c5b8b8df45329c0b5d7b8e3b654514c86294

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508130753_001_dotnet_hostfxr_8.0.2_win_x64.msi.log

Filesize
95KB

MD5
87d7181964f426162c9dfa3681a50c70

SHA1
25053f1c869ea44d0bee0dd7ce333e9439bb3b0e

SHA256
518d23e3572a090d1bccc69ccef5d137656d915ab5c789f1ffdf6fcb9a443973

SHA512
5f062d5bb2fc4b4f230808541108e13519810f325f795aea5209be4fc5f5c956af0cd469996a9763b62436d4c8b9477ca1fdd006d8c506e28e1aa4907c5e9949

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508130753_002_dotnet_host_8.0.2_win_x64.msi.log

Filesize
109KB

MD5
0519e40e2b3a7e8f96be2c137db65b68

SHA1
a7ad277ec257a827990228f31a9821cc98bcd224

SHA256
9d805c8828b70f1b96f7ed18852ce3fe9fed1ff54cbb288f27a91b22c9c54e72

SHA512
15dc3b38b2ff880b6de546df7eb8e6525b2f79107f0fac336dc571c9f758b28c6f27578dc38872a17f426f339ca65a41c2c7cfb2403ecff6522462814c2ae18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508130753_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log

Filesize
846KB

MD5
21ff13ef9a5c145b931913a6f2df4ec3

SHA1
1daf76861a52df8b195fde8b732a469e8b6ab96f

SHA256
971ed6985aac257e3485bb465c30b9d2f1e304d88116af5dfac8f9998f144c33

SHA512
4d460c7b871b377e7c2e32aa52a6b45c4fadb569794ab355735d5c0ae54e52ee80fbaaf15ca60f6ce7568455cf5617c3dc30331433ad979b0e7b1577a7ffb350

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-1924.log

Filesize
470B

MD5
e7c512f2ca4056d2fb6052959dd6ade7

SHA1
bf4e615cb742f78d84c9ad994d8372dc1eacf4a0

SHA256
eb63f94aa76cf29c99e1e37867ba161197da2aad0ac2e737739b3f9b4bb2fcfb

SHA512
0c8de669652727a43b018709854280ca20e14cdd74daaa96c75aac08edbbf04f47d020dce22e46e35b9394d7bf9161ac35dab58ac9f1a4d5886d18c7c6b67fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
575bdab9ec79b539e1bf33109b6f696d

SHA1
d24ce37abb6c68689332ffa11aa32ab5d7cf2c4c

SHA256
294f575d2f36ed19bd5f0ffd89b21adf9b198ff4bd33622e01ad083d18e26171

SHA512
f1a3ba030770acf43c292fee25114097ce364456742df7cc2262ddb690ffef6b437dcc4b0131d22fe67f0b7105ff876fbb02e0f04f2a36d5546b5682a6a29015

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
9c739ce04d420866282f79a433eaccf2

SHA1
fe594dcae7a33a26ac039a9b6bdb7a867e4eaeda

SHA256
b0584b920445a73839b0a569444f75c80dd5a0a38a42fa4c6f32b11ebee274bd

SHA512
2bfc950958044f99dd1a3ae7e501cdf9fda6cad5c327151e3a29a644291d141bfbb68d967d4c89baa7368ab0097f78e09ae711f2d112c1fd8aade3e590c43dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI0372.txt

Filesize
426KB

MD5
6736ecb737deb4da9fc5339ad190dffc

SHA1
72243a8474fb6c4c4c1fbee76db2454ce14efdfd

SHA256
aa185ee08c45be172b06f3491c8a0b62521b2c698d61de488a53fcbaf4fceac6

SHA512
fc53c63510a5e5909fe34fcbe53718734dc87232ae83137953b69ae79572e9cf6db2dd489806e58d089330363c2f576acced481c857e3f9587084b5156c8218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI038C.txt

Filesize
414KB

MD5
2ba7235edb997999aee2487269afbfb5

SHA1
14234eabded8aaba2ac1ca81f652d5d4200202ca

SHA256
ccd68040b6781b26df61243818fb42bb58e30fe637661d3d700ee62c83542a68

SHA512
3703cc91c3e4c150ca3a0401f2786181163b9aa4c6088bf1a42753b42d2acfb45e112ab521ca8c83ec992c29be6462dc49770d3d5294be893ddb2df10def1cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI0372.txt

Filesize
11KB

MD5
23b67892e9211dd1345e1a247de803a2

SHA1
5f3f0d5e691e0fda70466426a215133e72de0b28

SHA256
a2495d48122918f190ad4eeb4d75612d45c940d83b7a5f1d71833b4af6daafec

SHA512
5b09bcc872ed9c3d2a57b19f27ec09003f9f7be8aa2dd2fc85994c6bd2acbc545f2c38e3858b7d48735871861e941543de438b1ab686c4801bd63308c9c3e111

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI038C.txt

Filesize
11KB

MD5
7dbe4d04304ea71fcc4f7de97b62f189

SHA1
3cab3299f60dcc5473e94eb1d9df6d8d7348e31d

SHA256
f1480b99e97afc57289b117c58aa6b9cf5986f56941a9b8b335163422f584ab5

SHA512
a631193ef511748ffc146f3ab54bb801d65e4606242ca44b609b3c6386bc89a785d00050014175ef048bacd040733ffd9fbd51e03d126321d349a93d108f453c

Download Submit
C:\Users\Admin\AppData\Local\Temp\injectCS.exe

Filesize
1.2MB

MD5
b436c1bd4c19692d61e5e69cd4305c6d

SHA1
0008c9ffe8664744e088110ba1d8b7e79f694c6e

SHA256
d1cd74c4887d89be23ce6bbd958c5c77a5bd7fec0b409f719633041066ff996d

SHA512
3ab9308ec23991be4d10fa81fce4b5c0b600196b72ed8edd6d5993b9b0c294344685f69eba8a291c8e598a5336aad364dd97700da5c774e8299f42055a940906

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
295KB

MD5
ed71f6e9c5f0aede38034912335415d7

SHA1
b5b0e1a2ef428eb1f9697233205c784fbe71a0af

SHA256
8be5aceb7e96ef60e04e3f1c15db3f7a2506237347e3c554404d04a3c34e8fd9

SHA512
9764f9df92ff376ff8c8a519fafa72626307c12bfcd69c9e06f1f9c857842fb50ebd5e5cc002ce065fca19a0662f4a8656712b2223a8cf9356b9db4ff6459ebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
2KB

MD5
a1dfb715a2651c2395dba20570c694e8

SHA1
1bb0674728b4ef3e6691439a865f4ad1156f7458

SHA256
8840aad293e5802fc0e12e6e8ac9458ad8ecfe72204f5360bd08768cd688da17

SHA512
360c5e9229740c034944e635c1b0f8e3b5f74a9bb77c04e9b5b21774a83139d8c6bccf605444bb82cd8e132f6b492176001e4272c1ecb9690a2b6f5b62e30b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\neverlose.exe

Filesize
93KB

MD5
97012c1ca6735e36d78365055951f40f

SHA1
c6f2b2c5ae4a8ca33afb0cb6844601d7f4827d42

SHA256
15e6248e9a229c0d6f8b2f6e404f5e4e992a47e2936fc3696989b51acad2838a

SHA512
ed38e740bc00542eb125d7493e47003845bdb4a35a5258e272b918d1d137034acb4b5159479782cd481eb1b4b1698826aa8dbc47487da6983f2aacc5022b6eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct6D80.tmp

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctDEF6.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
693B

MD5
e18c8197de103e2ab3c925ba50602303

SHA1
39c875be7ad68d1c8050749799b801d57ee213f5

SHA256
70a008e37df235fd068423a8b33b3242b2d315deaf8ad5d4f4e7bc5c646ae247

SHA512
04fd4a2dd8956a1008477aeca52a3afb3adf80e359a80f0fa5e1c4ba2e42f56e24710a88486cfd4d883a9fecd9680cb8b3b55938b7179de95a300b151ed4e13a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{39C1AD72-A71B-4417-BB80-F1E00AC08C79}

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\cookies.sqlite

Filesize
512KB

MD5
1009fb53422439b9b32db0d29b81dfeb

SHA1
aecffa2c7ae56561c1264ab0132d183955da0b5b

SHA256
336998b73c75098b3664022b19db09bdaafd94748e430f6153ab6e7fdb26338b

SHA512
570164a5ffa104d6aa80a5c9e7aa0670cbe8121cbf16ea2e158cc07b9a94055391de74d9371d38a10ccaed86ca0af9471fbe9df547e44e24eef58a82a4cc61f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\places.sqlite

Filesize
5.0MB

MD5
111aac0df8e5ab8a215450d19694d724

SHA1
af1cecc7aead0952e53c2070dc9693f99a74a089

SHA256
dd7c450d2c9721f9c844d306382cf9ddd7fb0c1ae2d7cc77bcd96716e7f324b2

SHA512
0d620a1ce1d34de0a7dceb47dfded19226ac36d7bb04bf0ac25448a3396b7f4a5869f46f96fd6e4de7f586b1530982d7111a3148e5829721e5a37847dae891aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs-1.js

Filesize
7KB

MD5
2f5ca5aedc6426753c05d12787fe85f7

SHA1
3a21ef7d7a57f5f10482cc6880085f6aa4f6ca1b

SHA256
d00dcc89ac540c75e685b34911897f7ec490930a04f04fcdd6cc71db4d41297a

SHA512
3984cadfb223cbf04e154ef96efed071b91ac6cb8bd4f53a39e86eb0880cc07843368464f49d21f2de4b595a0daf18c8208aa0c087a86a06cfc7f79b3ad6e0b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
5a1b131a659eca0f176b6538964396b8

SHA1
ac4626f8230a8bc60bb196dfe3dd13a2e6bc11c2

SHA256
0dc5b33c3ce655285e6f6666ad2b91f9c963f27acd9794a5e93fc1ce928a9493

SHA512
5104fcd424546aeee6a85642d64385b3d024611285323edfe8341777af727f5395a7989789ef77696451609847457de1680c3d5b1d96a9575aa515a1b9e14887

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
966818ce9f2d2c5246858f49cbd783e3

SHA1
293c2c6a792d79bb9c10339e951c6f96631533eb

SHA256
1cd163853951ad20b8bc3b6fa9bb9b002a24343657d4b484cff3239ca1870f81

SHA512
75be00cf91bb41a63c98d86e8e4788f9a7d0401e0d4d41a42715400dfbb89a5bc43e5216d62b9b1e479b1a783e123ef6c202707074f99261e3551b1e4bc51977

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
ba3342b8989e4cad921ea4c2b7d838bf

SHA1
aafbcd16ce95bb66cfa12b2a5b642995dd0994f7

SHA256
9e5cbbdec9973507a4599d82807b5f2868443a9541b5a3583e2004d9bdb661e5

SHA512
b3a5e2c3583dbe72da18a35ed843f4a8ced7cc1fe52603d119e21afcdda19824920da8b9dbb03fcd797f3f1631026865494772f6e2a8c11233ecdb0dd1669275

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
C:\Users\Admin\Desktop\OxyProjAW.rar

Filesize
9.4MB

MD5
880b06bbf93433dd21edae95a52e1725

SHA1
8cb84aedd57a12bfece4cc2e770ac72159464d3a

SHA256
d45289065ebcf69ee14f2da2969b0689105b8dbcc63fb53b14a0f881d943da64

SHA512
905917bfd6a23665954ca3192f332205df852b1915cadea0aa8e005ae0cba3dc4ba42ee142c3b97b3c4780c5c3d336cbea4d1bfb06e8e48fb64decb75d25451c

Download Submit
C:\Users\Admin\Desktop\OxyProjAW\HOW TO LOGIN.txt

Filesize
182B

MD5
beac35f0e4f82d5278387a3aae0f344f

SHA1
e46295bac113fb3b872f744246d7edf43be5a3ee

SHA256
bff99cd77f2f4d05edd2a5bee204fa64356610d4fb47c13ac1b9bc0dd922d73d

SHA512
b9f12c02b0ac53f114ec2a5b47d77e880c6d575064d65957c5b9bc27f6daa874d767ca1e352e1674297ec2fe368439af6bf82c154e7bb966ebdf9ec7c4e9697e

Download Submit
C:\Users\Admin\Desktop\OxyProjAW\HOW TO USE LUAS&CFGS.txt

Filesize
220B

MD5
0d14a7ad95673339e4ea53a4165688ae

SHA1
65b8335ff195d23a35c9285aadc967ab4bde7f8e

SHA256
3a48e600db1699ec2b805e443d73c56f7eb616f4e591d65cda4b1034b7258959

SHA512
dac2f90b43519bffb7c57f17204fc4808d861ff94b30c194bacf872e5f556019acc0035f012657749ab78aab991d63e4805b5ddd952ede84cf272ddf72ef00d6

Download Submit
C:\Users\Admin\Desktop\OxyProjAW\Loader.exe

Filesize
1.5MB

MD5
8111a5ec9fe972dc0e138956512a8b2e

SHA1
b980a8fab858a6f72ea4a67b59edd6ae930b74f4

SHA256
0fc512141bcb60be68a15196651a9898d338045885191bfad1498c0e331364fe

SHA512
ac20039bca094dd164c3602ff942aace53cd1cf83c551a59693db94e0665ffb9505f648407078c0b980aea0bb2b6792c148d45060c5d426e37d27aef6714e40e

Download Submit
C:\Users\Admin\Downloads\OxyProjAW.6mgNr56e.rar.part

Filesize
64KB

MD5
a056b1f2430b7a64164ef130878f6ca2

SHA1
0de9b55d2ccb30d617bbb6cfdad400489c2fd3c1

SHA256
3df6cb80713f1a3bb51e8c0c6423deb4c71c3d1fa497a8a90b753240f3c13401

SHA512
472114872e60a4c112328880f0df439b4364c8747ca403aa2dd7dbdb6318ca31f9e7317989b7cd5234dec8fc06334b905ac6e5a9f2f6a2239871d55caea4ec66

Download Submit
memory/7520-926-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-919-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-924-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-917-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-923-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-918-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-925-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-929-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-928-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/7520-927-0x0000025309370000-0x0000025309371000-memory.dmp

Filesize
4KB

Download
memory/8064-731-0x0000000000B20000-0x0000000000EDA000-memory.dmp

Filesize
3.7MB

Download
memory/8064-730-0x0000000000B20000-0x0000000000EDA000-memory.dmp

Filesize
3.7MB

Download
memory/8064-887-0x0000000000B20000-0x0000000000EDA000-memory.dmp

Filesize
3.7MB

Download
memory/8064-728-0x0000000000B20000-0x0000000000EDA000-memory.dmp

Filesize
3.7MB

Download