hxxps://mega[.]nz/file/1Cs3mbTD#K1QP5UinUElGmMmrWz-Vn3rw_IMEgPQbCicLXtnuSCA

Analysis

max time kernel
493s
max time network
494s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/07/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/1Cs3mbTD#K1QP5UinUElGmMmrWz-Vn3rw_IMEgPQbCicLXtnuSCA

Score

9^/10

discovery evasion execution persistence privilege_escalation upx

Malware Config

Signatures

Enumerates VirtualBox DLL files 2 TTPs 4 IoCs

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened (read-only)	C:\windows\system32\vboxhook.dll	SyncExec.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	SyncExec.exe
File opened (read-only)	C:\windows\system32\vboxhook.dll	SyncExec.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	SyncExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3176	powershell.exe
2940	powershell.exe

Downloads MZ/PE file

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
956	attrib.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
2136	winrar-x64-701.exe
5116	winrar-x64-701.exe
5840	winrar-x64-701(1).exe
5816	7z2407-x64.exe
920	7zFM.exe
4208	SyncExec.exe
5432	SyncExec.exe
5192	SyncExec.exe
4928	SyncExec.exe
4404	SyncExec.exe

Loads dropped DLL 64 IoCs

pid	Process
3292	Process not Found
3292	Process not Found
920	7zFM.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001adf8-2664.dat	upx
behavioral1/memory/5432-2668-0x00007FFF03570000-0x00007FFF03B58000-memory.dmp	upx
behavioral1/files/0x000700000001ad69-2670.dat	upx
behavioral1/files/0x000700000001ada4-2675.dat	upx
behavioral1/memory/5432-2678-0x00007FFF16370000-0x00007FFF1637F000-memory.dmp	upx
behavioral1/memory/5432-2677-0x00007FFF16010000-0x00007FFF16034000-memory.dmp	upx
behavioral1/memory/5432-2680-0x00007FFF12D80000-0x00007FFF12DAD000-memory.dmp	upx
behavioral1/memory/5432-2679-0x00007FFF15FF0000-0x00007FFF16009000-memory.dmp	upx
behavioral1/memory/5432-2681-0x00007FFF12D60000-0x00007FFF12D74000-memory.dmp	upx
behavioral1/memory/5432-2682-0x00007FFF02500000-0x00007FFF02875000-memory.dmp	upx
behavioral1/memory/5432-2684-0x00007FFF16070000-0x00007FFF1607D000-memory.dmp	upx
behavioral1/memory/5432-2683-0x00007FFF12D40000-0x00007FFF12D59000-memory.dmp	upx
behavioral1/memory/5432-2687-0x00007FFF03570000-0x00007FFF03B58000-memory.dmp	upx
behavioral1/memory/5432-2686-0x00007FFF12100000-0x00007FFF121B8000-memory.dmp	upx
behavioral1/memory/5432-2685-0x00007FFF12D10000-0x00007FFF12D3E000-memory.dmp	upx
behavioral1/memory/5432-2692-0x00007FFEFF6D0000-0x00007FFEFF7EC000-memory.dmp	upx
behavioral1/memory/5432-2691-0x00007FFF16010000-0x00007FFF16034000-memory.dmp	upx
behavioral1/memory/5432-2690-0x00007FFF15F30000-0x00007FFF15F3B000-memory.dmp	upx
behavioral1/memory/5432-2689-0x00007FFF12CE0000-0x00007FFF12D06000-memory.dmp	upx
behavioral1/memory/5432-2688-0x00007FFF15FE0000-0x00007FFF15FED000-memory.dmp	upx
behavioral1/memory/5432-2693-0x00007FFF12CA0000-0x00007FFF12CD8000-memory.dmp	upx
behavioral1/memory/5432-2694-0x00007FFF12D60000-0x00007FFF12D74000-memory.dmp	upx
behavioral1/memory/5432-2702-0x00007FFF12660000-0x00007FFF1266B000-memory.dmp	upx
behavioral1/memory/5432-2701-0x00007FFF12D40000-0x00007FFF12D59000-memory.dmp	upx
behavioral1/memory/5432-2700-0x00007FFF12C90000-0x00007FFF12C9B000-memory.dmp	upx
behavioral1/memory/5432-2699-0x00007FFF12670000-0x00007FFF1267C000-memory.dmp	upx
behavioral1/memory/5432-2698-0x00007FFF12720000-0x00007FFF1272B000-memory.dmp	upx
behavioral1/memory/5432-2697-0x00007FFF12B00000-0x00007FFF12B0C000-memory.dmp	upx
behavioral1/memory/5432-2704-0x00007FFF12650000-0x00007FFF1265C000-memory.dmp	upx
behavioral1/memory/5432-2703-0x00007FFF12D10000-0x00007FFF12D3E000-memory.dmp	upx
behavioral1/memory/5432-2696-0x00007FFF133D0000-0x00007FFF133DB000-memory.dmp	upx
behavioral1/memory/5432-2695-0x00007FFF02500000-0x00007FFF02875000-memory.dmp	upx
behavioral1/memory/5432-2707-0x00007FFF12630000-0x00007FFF1263E000-memory.dmp	upx
behavioral1/memory/5432-2706-0x00007FFF12640000-0x00007FFF1264C000-memory.dmp	upx
behavioral1/memory/5432-2705-0x00007FFF12100000-0x00007FFF121B8000-memory.dmp	upx
behavioral1/memory/5432-2710-0x00007FFF124A0000-0x00007FFF124AB000-memory.dmp	upx
behavioral1/memory/5432-2715-0x00007FFF122B0000-0x00007FFF122C2000-memory.dmp	upx
behavioral1/memory/5432-2714-0x00007FFF12390000-0x00007FFF1239D000-memory.dmp	upx
behavioral1/memory/5432-2713-0x00007FFF123A0000-0x00007FFF123AC000-memory.dmp	upx
behavioral1/memory/5432-2712-0x00007FFF123B0000-0x00007FFF123BC000-memory.dmp	upx
behavioral1/memory/5432-2711-0x00007FFF123C0000-0x00007FFF123CB000-memory.dmp	upx
behavioral1/memory/5432-2709-0x00007FFF12620000-0x00007FFF1262C000-memory.dmp	upx
behavioral1/memory/5432-2708-0x00007FFF12CE0000-0x00007FFF12D06000-memory.dmp	upx
behavioral1/memory/5432-2719-0x00007FFF120C0000-0x00007FFF120D2000-memory.dmp	upx
behavioral1/memory/5432-2718-0x00007FFEFF6D0000-0x00007FFEFF7EC000-memory.dmp	upx
behavioral1/memory/5432-2717-0x00007FFF120E0000-0x00007FFF120F5000-memory.dmp	upx
behavioral1/memory/5432-2716-0x00007FFF122A0000-0x00007FFF122AC000-memory.dmp	upx
behavioral1/memory/5432-2720-0x00007FFF12CA0000-0x00007FFF12CD8000-memory.dmp	upx
behavioral1/memory/5432-2721-0x00007FFF12040000-0x00007FFF12054000-memory.dmp	upx
behavioral1/memory/5432-2722-0x00007FFF12010000-0x00007FFF12032000-memory.dmp	upx
behavioral1/memory/5432-2723-0x00007FFF11FF0000-0x00007FFF12007000-memory.dmp	upx
behavioral1/memory/5432-2728-0x00007FFF12290000-0x00007FFF1229A000-memory.dmp	upx
behavioral1/memory/5432-2727-0x00007FFF114F0000-0x00007FFF11501000-memory.dmp	upx
behavioral1/memory/5432-2726-0x00007FFF11510000-0x00007FFF1155D000-memory.dmp	upx
behavioral1/memory/5432-2725-0x00007FFF11B40000-0x00007FFF11B59000-memory.dmp	upx
behavioral1/memory/5432-2724-0x00007FFF12660000-0x00007FFF1266B000-memory.dmp	upx
behavioral1/memory/5432-2729-0x00007FFF114D0000-0x00007FFF114EE000-memory.dmp	upx
behavioral1/memory/5432-2731-0x00007FFF024A0000-0x00007FFF024FD000-memory.dmp	upx
behavioral1/memory/5432-2730-0x00007FFF12630000-0x00007FFF1263E000-memory.dmp	upx
behavioral1/memory/5432-2733-0x00007FFF114A0000-0x00007FFF114C9000-memory.dmp	upx
behavioral1/memory/5432-2736-0x00007FFF03170000-0x00007FFF03193000-memory.dmp	upx
behavioral1/memory/5432-2735-0x00007FFF120E0000-0x00007FFF120F5000-memory.dmp	upx
behavioral1/memory/5432-2734-0x00007FFF03540000-0x00007FFF0356E000-memory.dmp	upx
behavioral1/memory/5432-2732-0x00007FFF122B0000-0x00007FFF122C2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RobloxApiService = "C:\\Users\\Admin\\SyncExec\\SyncExec.exe"	SyncExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
228	discord.com
229	discord.com
230	discord.com
231	discord.com
232	discord.com
233	discord.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2407-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2407-x64.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4532	taskkill.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2407-x64.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\SyncExec.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\winrar-x64-701(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2407-x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
5432	SyncExec.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4404	SyncExec.exe
4404	SyncExec.exe
4404	SyncExec.exe
4404	SyncExec.exe
4404	SyncExec.exe
4404	SyncExec.exe
2940	powershell.exe
2940	powershell.exe
2940	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
920	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: 33	5032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5032	AUDIODG.EXE
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	2856	firefox.exe
Token: SeDebugPrivilege	6112	firefox.exe
Token: SeDebugPrivilege	6112	firefox.exe
Token: SeRestorePrivilege	920	7zFM.exe
Token: 35	920	7zFM.exe
Token: SeSecurityPrivilege	920	7zFM.exe
Token: SeDebugPrivilege	5432	SyncExec.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeIncreaseQuotaPrivilege	3176	powershell.exe
Token: SeSecurityPrivilege	3176	powershell.exe
Token: SeTakeOwnershipPrivilege	3176	powershell.exe
Token: SeLoadDriverPrivilege	3176	powershell.exe
Token: SeSystemProfilePrivilege	3176	powershell.exe
Token: SeSystemtimePrivilege	3176	powershell.exe
Token: SeProfSingleProcessPrivilege	3176	powershell.exe
Token: SeIncBasePriorityPrivilege	3176	powershell.exe
Token: SeCreatePagefilePrivilege	3176	powershell.exe
Token: SeBackupPrivilege	3176	powershell.exe
Token: SeRestorePrivilege	3176	powershell.exe
Token: SeShutdownPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeSystemEnvironmentPrivilege	3176	powershell.exe
Token: SeRemoteShutdownPrivilege	3176	powershell.exe
Token: SeUndockPrivilege	3176	powershell.exe
Token: SeManageVolumePrivilege	3176	powershell.exe
Token: 33	3176	powershell.exe
Token: 34	3176	powershell.exe
Token: 35	3176	powershell.exe
Token: 36	3176	powershell.exe
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	4280	taskmgr.exe
Token: SeSystemProfilePrivilege	4280	taskmgr.exe
Token: SeCreateGlobalPrivilege	4280	taskmgr.exe
Token: 33	4280	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4280	taskmgr.exe
Token: SeDebugPrivilege	4404	SyncExec.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeIncreaseQuotaPrivilege	2940	powershell.exe
Token: SeSecurityPrivilege	2940	powershell.exe
Token: SeTakeOwnershipPrivilege	2940	powershell.exe
Token: SeLoadDriverPrivilege	2940	powershell.exe
Token: SeSystemProfilePrivilege	2940	powershell.exe
Token: SeSystemtimePrivilege	2940	powershell.exe
Token: SeProfSingleProcessPrivilege	2940	powershell.exe
Token: SeIncBasePriorityPrivilege	2940	powershell.exe
Token: SeCreatePagefilePrivilege	2940	powershell.exe
Token: SeBackupPrivilege	2940	powershell.exe
Token: SeRestorePrivilege	2940	powershell.exe
Token: SeShutdownPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeSystemEnvironmentPrivilege	2940	powershell.exe
Token: SeRemoteShutdownPrivilege	2940	powershell.exe
Token: SeUndockPrivilege	2940	powershell.exe
Token: SeManageVolumePrivilege	2940	powershell.exe
Token: 33	2940	powershell.exe
Token: 34	2940	powershell.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
920	7zFM.exe
920	7zFM.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
2136	winrar-x64-701.exe
2136	winrar-x64-701.exe
2136	winrar-x64-701.exe
5116	winrar-x64-701.exe
5116	winrar-x64-701.exe
5116	winrar-x64-701.exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
5840	winrar-x64-701(1).exe
5840	winrar-x64-701(1).exe
5840	winrar-x64-701(1).exe
2856	firefox.exe
2856	firefox.exe
2856	firefox.exe
5816	7z2407-x64.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
4404	SyncExec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2520 wrote to memory of 2856	2520	firefox.exe	73
PID 2856 wrote to memory of 4588	2856	firefox.exe	74
PID 2856 wrote to memory of 4588	2856	firefox.exe	74
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 3592	2856	firefox.exe	75
PID 2856 wrote to memory of 4912	2856	firefox.exe	76
PID 2856 wrote to memory of 4912	2856	firefox.exe	76
PID 2856 wrote to memory of 4912	2856	firefox.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
956	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/1Cs3mbTD#K1QP5UinUElGmMmrWz-Vn3rw_IMEgPQbCicLXtnuSCA"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/1Cs3mbTD#K1QP5UinUElGmMmrWz-Vn3rw_IMEgPQbCicLXtnuSCA
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.0.607941325\250334599" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdf2d3b1-4544-438a-a05c-475f48d5dd06} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 1796 1e0912e0458 gpu
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.1.807608002\1525597443" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d404b0ba-15b8-44af-9072-4cb21b76b55b} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 2172 1e090ff9258 socket
    3⤵
    - Checks processor information in registry
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.2.1859921264\536794731" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2904 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0bf9d11-9015-45a1-a335-68f9b4f0e8e4} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 2880 1e0951dc358 tab
    3⤵
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.3.2141855636\1788242378" -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05e1f82c-160f-4f3a-af14-8b93f8184bac} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 3512 1e096542958 tab
    3⤵
    PID:3328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.4.340730144\317390299" -childID 3 -isForBrowser -prefsHandle 4780 -prefMapHandle 4856 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4f78a00-7c6b-40eb-b0dd-fe6a3db0c3b2} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 4844 1e0972a1258 tab
    3⤵
    PID:420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.5.1884319513\1446164385" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 5108 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c05fe84-ebfb-46b4-a59f-9bbabf73e9f6} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 5024 1e0987b2a58 tab
    3⤵
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.6.18640529\1623404290" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26343 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88403f6e-0852-4c30-8138-b54bc915da7d} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 5232 1e0987b4b58 tab
    3⤵
    PID:3600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.7.1229190695\49501084" -childID 6 -isForBrowser -prefsHandle 5488 -prefMapHandle 5480 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50a76676-9fd6-499d-b889-4b5f0c85a4e8} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 4724 1e0983e9258 tab
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.8.1479862441\938974340" -childID 7 -isForBrowser -prefsHandle 4404 -prefMapHandle 4452 -prefsLen 27499 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fa028d4-b189-4861-80d3-20c01cdf7db5} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 3020 1e09845ca58 tab
    3⤵
    PID:660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.9.443241495\1111147450" -childID 8 -isForBrowser -prefsHandle 6440 -prefMapHandle 6460 -prefsLen 27499 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {266ec99b-3ec1-4c3c-be89-996f2fb06f92} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 6436 1e0a00e9858 tab
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.10.1342516840\116526068" -childID 9 -isForBrowser -prefsHandle 5240 -prefMapHandle 5428 -prefsLen 27499 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b94ac65-c45a-4c92-9c43-2c58489dcfae} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 6628 1e09f5f6858 tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.11.1508192696\1059016112" -childID 10 -isForBrowser -prefsHandle 5672 -prefMapHandle 5272 -prefsLen 27508 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f1bc0f-8e93-4ad7-a3f3-6599249706d7} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 5812 1e094cbce58 tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.12.1970498532\74180107" -parentBuildID 20221007134813 -prefsHandle 4844 -prefMapHandle 6188 -prefsLen 27508 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c1ec6f-ff37-457e-a7c1-84c6e2dcfe66} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 4492 1e09eafae58 rdd
    3⤵
    PID:5400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.13.66476774\881834449" -childID 11 -isForBrowser -prefsHandle 7256 -prefMapHandle 7252 -prefsLen 27508 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb4658a4-f67e-4325-94a7-10dbdd9740a9} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 7240 1e097f63b58 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.14.2056467721\1853113338" -childID 12 -isForBrowser -prefsHandle 7416 -prefMapHandle 7268 -prefsLen 27508 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bed6781c-b759-45fd-b82e-50bd4462f9a6} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 7404 1e09c8f6758 tab
    3⤵
    PID:640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\98387c4d820248f6b64d69f05207a767 /t 1672 /p 2136
1⤵
PID:5708

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\041f5296216a4f14ac1cd6fdabe44f01 /t 580 /p 5116
1⤵
PID:2744

C:\Users\Admin\Downloads\winrar-x64-701(1).exe
"C:\Users\Admin\Downloads\winrar-x64-701(1).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5840

C:\Users\Admin\Downloads\7z2407-x64.exe
"C:\Users\Admin\Downloads\7z2407-x64.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3000
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:6112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.0.1369147390\1720532021" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1576 -prefsLen 21569 -prefMapSize 233863 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2ba10b-7b3a-4543-8268-6f2d692c0432} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 1684 1d24510c658 gpu
    3⤵
    PID:392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.1.1179948892\1191429275" -parentBuildID 20221007134813 -prefsHandle 1972 -prefMapHandle 1968 -prefsLen 21614 -prefMapSize 233863 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31410390-893d-484a-afd7-1aa1b66aeb4a} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 2004 1d232be2358 socket
    3⤵
    - Checks processor information in registry
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.2.399054630\569388742" -childID 1 -isForBrowser -prefsHandle 2692 -prefMapHandle 2804 -prefsLen 22075 -prefMapSize 233863 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a1f893b-9555-4eee-b524-ab358993e8d5} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 2776 1d2487bc858 tab
    3⤵
    PID:1088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.3.2126255321\494737828" -childID 2 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 27253 -prefMapSize 233863 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8fa7b0f-a8e9-4766-a276-cb2e7b6c2e02} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 3508 1d232b62858 tab
    3⤵
    PID:5776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.4.1088089907\1794779639" -childID 3 -isForBrowser -prefsHandle 3972 -prefMapHandle 3884 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5a5b75-0454-4b30-a2a4-b9797c447cdc} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 4004 1d24a4ee858 tab
    3⤵
    PID:3328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.5.375565366\718555741" -childID 4 -isForBrowser -prefsHandle 4804 -prefMapHandle 4772 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f942892-bdb2-43ec-bdf6-d33dd233f844} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 4708 1d249e03858 tab
    3⤵
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.6.1600179313\1683000159" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4992 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c27f8a-91b2-400f-8d43-2ad8e3c8d2ee} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 4980 1d24b756a58 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6112.7.1677618617\1780129379" -childID 6 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 27312 -prefMapSize 233863 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08b5e296-8e43-4752-b5a1-fdfad123a5af} 6112 "\\.\pipe\gecko-crash-server-pipe.6112" 5176 1d24b756158 tab
    3⤵
    PID:1328

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SyncExec.rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:920

C:\Users\Admin\Desktop\SyncExec.exe
"C:\Users\Admin\Desktop\SyncExec.exe"
1⤵
- Executes dropped EXE
PID:4208
- C:\Users\Admin\Desktop\SyncExec.exe
  "C:\Users\Admin\Desktop\SyncExec.exe"
  2⤵
  - Enumerates VirtualBox DLL files
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\SyncExec\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\SyncExec\activate.bat
    3⤵
    PID:5992
  - - C:\Windows\system32\attrib.exe
      attrib +s +h .
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:956
  - - C:\Users\Admin\SyncExec\SyncExec.exe
      "SyncExec.exe"
      4⤵
      Executes dropped EXE
      PID:5192
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "SyncExec.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4532

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4280

C:\Users\Admin\Desktop\SyncExec.exe
"C:\Users\Admin\Desktop\SyncExec.exe"
1⤵
- Executes dropped EXE
PID:4928
- C:\Users\Admin\Desktop\SyncExec.exe
  "C:\Users\Admin\Desktop\SyncExec.exe"
  2⤵
  - Enumerates VirtualBox DLL files
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\SyncExec\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
0009bd5e13766d11a23289734b383cbe

SHA1
913784502be52ce33078d75b97a1c1396414cf44

SHA256
3691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129

SHA512
d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
79e8ca28aef2f3b1f1484430702b24e1

SHA1
76087153a547ce3f03f5b9de217c9b4b11d12f22

SHA256
5bc65256b92316f7792e27b0111e208aa6c27628a79a1dec238a4ad1cc9530f7

SHA512
b8426b44260a3adcbeaa38c5647e09a891a952774ecd3e6a1b971aef0e4c00d0f2a2def9965ee75be6c6494c3b4e3a84ce28572e376d6c82db0b53ccbbdb1438

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\13712

Filesize
51KB

MD5
c62c294a8ec91a35b54272341ad0330b

SHA1
d5869e9f46eb762caba3dc63fc9ca6c83b562be2

SHA256
52a628cd862a28d48e167420da632db7825bfd242c93231b4bf48cb526a61b66

SHA512
7353275767ed2f7698435f8c425f47c829a1e85355d8c0f7604a03fc3ec142aeb3c03cbc658b09a9f1f5e393e192f23924370711c6908777e25405bb7e0f0136

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\20427

Filesize
9KB

MD5
5375851e32e8a64792eeae1b4ca4d6bb

SHA1
a98e21136ebe308fc92d2d05c502c5e0e9187a7a

SHA256
6aec3b9b4b763298b993f55a937b5dbfa8c94b6e58442d64411e286281df0180

SHA512
4eb51db38eda538d34e88b404ae69ad0fbada358e1b1dbacf8f79b5fef25f8d0971a99aff066f3766afe0f12646294fe4f08c651c75f79b008cb0d12559eca32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\2343

Filesize
9KB

MD5
67e9d3cda43b7b34a7736f983eee1b7f

SHA1
580cdd1a5481fd48c4ede67668c25ac5c4f8faf0

SHA256
9874e6b44e2719138e10e91c9caa3ab52c584edd5b574dde937b64b5be4461f4

SHA512
0c9de7035a775cbeab668cc9cf0eec1b23b209325717724c9a748f11b60dd5c540b17e932a6a2f07de7a29c663387cc3a05867c04dbcb8a084786cbb8b89a3ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\147A588A90D0B0FFAFFA1CBB45DF05667E471A65

Filesize
36KB

MD5
2c933cd93cc4f09814c8e0035642096b

SHA1
b1de914428bd0256f6cc5e14d732b5747e211261

SHA256
51360aba636dea67eb4777a09d97fe60c021e0a4f8501c8ac09188d7ab7df631

SHA512
b01429fd085142dbc3b04a40162ffbdba77a3a5ee4ed3724381d5fe0b37af173ac9855592b9253deaa659baf2d8a425dc7841a0ba10c4b90c5987b3571f2f5f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
d878d57fa3f9d1e6cdb60fece7c0436b

SHA1
0e4bc5e982d2862ea03df8aa298712f126cf3dbe

SHA256
d28a03751b22b4f31b19502ffbe09344f240b96e235761565fcdf8bc506a9e9f

SHA512
2786b8d73ef8127f2aff9788d707f1cc6a6e589c75aebfdf13221a441dea3fd0d918670d50cc2f4fb27b51174ef8a85cada85a653a437f81b919622bfbd0e8b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\2547F4F8D6358638CDE0B31A1322D63360CA032C

Filesize
219KB

MD5
29898d1e1b6da0a5f5f1c7bf5211e2c1

SHA1
29664b1db94f6ce7c717d9df67c5b615de279fe1

SHA256
bb7124a32f764246a9e24f00c594c09649b408d53c0ffb53742ef5b36fb65cfe

SHA512
3e6df05d4c5a747ffd59e941d8c9761677f4f40f2421a5faa3e03a6c0ffc19100d52468af4b4beab2d4f1e75fc6cebfa0917a991868563fbecd8b70ea2923b04

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
ac79407520149e252ffe625ca9cde0f3

SHA1
24b9f7deae63e74025342ce2c36072320504b460

SHA256
f1f62c59ed2e680c69a2a94bc9ed272f89d4c13e3a8d7d0e5b1cf246be0739a9

SHA512
7d8eb69d8fab24df99258fff02d452e6a34b4a5c9497b7dcf287816a5f485b7d857dfc8914d187ed5456ca49e2eb92b83e9ac6992481fd4b947998136f699a74

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
11KB

MD5
43ff72b12c6bf8d9c22ce10e8d5bbdf0

SHA1
e46ea0e489518527614bc535da392caeca1be9a5

SHA256
358b373fedfd083709ac934ed6b699cb05cb11cb706cdc0fd86177de18f257e1

SHA512
8045d1edc1222e7fb5d7be96dc3ab594c0cd536170f00789cf2e5385f18214b5774d1f4c1607ba830b4189cb921df1f32b8a2a4769418e45473f4f2d880a85bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\8A011D3FEBBDA9B9C46229715A74F1937B2EEC47

Filesize
60KB

MD5
b43aa744c436b018337068494a00060a

SHA1
8b51ba010b7705d276ca2689ba1b5fb177221cdb

SHA256
a20c4b176150ffcdb3527da9b77c6f65b0bebfc8571e92bd261a34e6dc2e18e0

SHA512
6bdf6ccd2ff4e0d4767266e495b7472fd126f6ffb1e71f8f8835a9517edb96c199ff5819c37c38147d78e7dd964efa6a489e6e824cb43cad75f289ca07146c73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\startupCache\scriptCache-child.bin

Filesize
458KB

MD5
ecc75f6374fe4c127eabaf6ba184bf8f

SHA1
fcb9bfce7df6533dd18dc516f262b5907d08cd40

SHA256
c7d9559755cf0059c53582443c969d6293545163a3c84096d9f75170ce471315

SHA512
ff5c5dc043bf0078adf070cbe68f0d1d54102681273df6cc6ba0d01d3a067ba150edb5e00f7c9d44241a31c1478b97820b593abb4535e4452ffb455660ea49b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\startupCache\scriptCache.bin

Filesize
7.8MB

MD5
cc483fe5474c481a9317b80eb1fcc028

SHA1
83ec2c4589536c1e863b9b6bdfd9a66148ffafc9

SHA256
c4c7d1cfd7c88c3d6dcd7f37c14ddbcaf63c28afc282d1140f8caba6685d060b

SHA512
18c2d56e8987ce1fab91a016b4bf1b304d5083a2691d0be9af422e0a554d110c93a6cda7f31df4e97c9d0ffd30bef8aaf909993fbba7b4e34836da0a0656d24f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
7885d939562507524a49acc4dbc53e49

SHA1
9b50a19b2132d3f3c1cfeb1a4be3825cdacb7f68

SHA256
e5dd85c7555a97375c824241ff825645315e99698a66fa1f55e62bac6d94ad2a

SHA512
9e1bec2620393d55f29d96b30407d3021355ee7d676239b10e3b65cb6c9eca07752c82d4e742584328a16cba741a0891df836a3540692b7460314b1f70761efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42082\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42082\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42082\base_library.zip

Filesize
1.4MB

MD5
481da210e644d6b317cafb5ddf09e1a5

SHA1
00fe8e1656e065d5cf897986c12ffb683f3a2422

SHA256
3242ea7a6c4c712f10108a619bf5213878146547838f7e2c1e80d2778eb0aaa0

SHA512
74d177794f0d7e67f64a4f0c9da4c3fd25a4d90eb909e942e42e5651cc1930b8a99eef6d40107aa8756e75ffbcc93284b916862e24262df897aaac97c5072210

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42082\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42082\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42082\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\pygame\SDL2.dll

Filesize
635KB

MD5
ec3c1d17b379968a4890be9eaab73548

SHA1
7dbc6acee3b9860b46c0290a9b94a344d1927578

SHA256
aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f

SHA512
06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\pygame\SDL2_image.dll

Filesize
58KB

MD5
25e2a737dcda9b99666da75e945227ea

SHA1
d38e086a6a0bacbce095db79411c50739f3acea4

SHA256
22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c

SHA512
63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\pygame\SDL2_mixer.dll

Filesize
124KB

MD5
b7b45f61e3bb00ccd4ca92b2a003e3a3

SHA1
5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc

SHA256
1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095

SHA512
d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\pygame\SDL2_ttf.dll

Filesize
601KB

MD5
eb0ce62f775f8bd6209bde245a8d0b93

SHA1
5a5d039e0c2a9d763bb65082e09f64c8f3696a71

SHA256
74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a

SHA512
34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49282\pygame\freetype.dll

Filesize
292KB

MD5
04a9825dc286549ee3fa29e2b06ca944

SHA1
5bed779bf591752bb7aa9428189ec7f3c1137461

SHA256
50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde

SHA512
0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51922\cryptography-42.0.8.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tg5l5mhf.0kk.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
a4cb6ba5fb8846b88ae1f8af52683cf4

SHA1
334dbf866d24891fbc3ab20e48be3a90fcb7c059

SHA256
ef0f9878b04c8f19e11e85d5b5f881951e6bd59996c34b28ec7985ec26eeeb7a

SHA512
e5ece2d373b7b2a3ac69a09ed7b9c6a347f9dd662f3cc9b04850cfda3985ea3be8fc2aac0ef4b7639c9a6dfb02c9e15b7638923d111249a6a8d5086cb3c4880b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\AlternateServices.txt

Filesize
2KB

MD5
d34c1347e02028037f98f519d87d4a90

SHA1
fdd15dab7f3be191e7fcda81a5d7b9b82d7491ff

SHA256
2520fe33a2ac1b442c4c8efd842f59bf32b558951254f7bc6123a9239fe236a6

SHA512
c29b2ce754a90d501fcc6a4414eddcb340a68be103df335ca58416b67f8c9f9832c31b484a76bd2d2cf3d30be43eb4536ef0a372db080e3a3243697de3c4e4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\SiteSecurityServiceState.txt

Filesize
692B

MD5
4361492b2fb52ec7b72b299ea23a8445

SHA1
6b3a55219fc81cc17bc5be01cc6e1b3bcd3c3789

SHA256
f35b988c1e0b9dd08b0a409a35e78a29100dd8d44ac16fb85e1d816f1f371851

SHA512
9931d0a87e71a2dcd3d12fbd685a3553156559472917e37ce6086035777a0e6bcc22ca7fd512a60b72f93bacc26742fa0d189c1ea618acaf15fdb5ecd5f7c8ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\cert9.db

Filesize
224KB

MD5
f6b7ec5d72f8801e2aab670d4d7a19cb

SHA1
cb8b703c6c89a6c361a29ca6cd64846f503c6309

SHA256
541b572914d995c6b33824bc4c1741a75f9d5a2026c3809bfc2f00e38ad9a12c

SHA512
bb37d3cce761e7fee3389cf2a80559a2d479d36a023f56c3769d0b7aab15494f235848877039684ce38c4247014e485fd812fd947c936cd3c6d90e65b72b814a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\cookies.sqlite

Filesize
512KB

MD5
082726ca4527f61b2179825ac9e21b5b

SHA1
d9d4e6ba43b3c00552fd30998f96ce6ee4cb78a3

SHA256
9fab26de849cb806196c7bf7d62e78eb204e2905498843a967a4ba033d40a9d5

SHA512
f53f7c5704c30845a6f45d9560b11d5baec5a6c2192d899ecf7608746a683b26877185500938f291b3e541e1dbe6e60554d8094d8b5a94f8780eb38c64361d12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
17KB

MD5
f4d28ecd2a2c26251ace5101748ac2f7

SHA1
a338dece51fc09e216fd8c8ee39e91144716ac5d

SHA256
e35da669435e6cca9796808833ea022be8893c7b4256d534da61044ed9d81d7e

SHA512
ac620f8094108ee9f645629f5b7dd6a74928fab4da564b8b2afe0a9b3fb25099ef44e96fc8cefbebea22fee958f354ea929883e9a3f491825b54a86506bb8555

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f15aae4131d3b608b50a87994d8ba571

SHA1
a01f2bc94914d8cb7f9a1082b0b5328531f13489

SHA256
242d369da90d0e2d9bd5fd32d164ff98b3dd189880b6aa7e0b1d8b8fe6f9ce17

SHA512
43d1172328d16a30cc6b31ed0cfd87ba31d030b20040411d702cd52242feda942479529e219dfbf142055d53ccab63c21e6c53700fd0b7d10d553c07d88b6ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\events\events

Filesize
321B

MD5
e684cc2eeafaae677fa9733a10162a2f

SHA1
fc072ebbc82555d601acdcb96c8b30d8ef3e4e23

SHA256
8ccb70686caa779c558df3d108c743bfaf61ad9543e2c7e8c60baaa44164aeb1

SHA512
d48157534f831cee23468e216814636773db086008cbeea4394dd16f6f0c5cae1fff857ec9d80a7d58af3f60bdd0155d7f7856fa1022ff283bbe83443a3e6fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\3d0dfdc4-1137-41ce-8fd9-6838175fd77d

Filesize
1KB

MD5
4ec1e7287fcb06da839962553d493f8f

SHA1
e04eb207020d4b3764fc4a764b938ae27a30a296

SHA256
af5f7f008ac6a1678f629f90a1235f830a2e769e7128af44ea73ce3ec7527f0e

SHA512
1d96008a2917006895bc6a4d3349a3e74ad1479177b83f734055dbd0b07bf4b24ba91a157d806531a387b4f0fdaf8bcb025cdbdc3ec2ddc29114b3934e6ae99e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\824ee3b9-4d14-4c7e-9f7d-bd08b8a4972d

Filesize
746B

MD5
0206ec2db03a32f1e783f192b664f542

SHA1
6fdfaf561a970287ff07f1667c85b96055e9cec3

SHA256
fc7805e7838ed68aff421cefb67754d68d112d6cdaefc9485fb4aab9f937f1d9

SHA512
3a99a7e19d480b9aed115d7574a4d7dc1a006d7a57ecce479bebcf1d23151760859443daa80dab8616548ed3d8fd3d178a24f20f237137dabb24b6a2abca4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\9553c162-4234-4490-bb9e-e57f72b4de9c

Filesize
837B

MD5
d04896fac751224bf7d90b8554d85434

SHA1
83d3b54ba90d9bd721644d12315794b0af665fca

SHA256
d9bbf6bbe0ebaccad737c0c39ed7f864acd5e5f65a98ab3944da97129ad0ea67

SHA512
77f78f7fc3ba4962059cb1778d610f67b4d89c947d0c57917f58448653c9607a661e5de9aa53602cc678964954549e7958d29d389176ca396d2a13f3e8984d64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\97fc1aa5-a24c-4fc1-a170-396906947828

Filesize
10KB

MD5
db959b8a4b503a17cc946ab9b8d353c9

SHA1
f89ef0bb9488977abebeac323fc18237faac3eb0

SHA256
6c486f25968c59f0c666f25757ce956008e2dda148e0618a7748a5b40eef8185

SHA512
8a12118295d4fecc73fd09ceff2ff7289d109f2f2326ed3d725930fa933c659b16bc0a3867b164f93e39d23b989708d5850eb62024bad326affe249f86de4ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\a36b6a56-4045-434c-9fbc-7832fb78233e

Filesize
713B

MD5
744132ac9f6fc2576e4d03662ef4992d

SHA1
181a0438da8d3b382013d1e4176f37a89c914168

SHA256
0a5540bd9a767961917a278846cc70fdd4100a1f065e36833f8aee0ab8a41b76

SHA512
bfbb682dc4e3e9b1b6f55ef0c954b484a5dddfe4c993f217b493f4540a8fd24274f7e3ded74c50b8839eee9408b0b902296db613b47095f2954d00282336f831

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\f980b8f8-3b8a-4c77-a1ac-7f0f50a1f83b

Filesize
855B

MD5
ed1212fc51426028ba6a99d6be22a577

SHA1
36090943c8960a09677bcdf593a2a4ad071ed555

SHA256
fcc00c951a737752fbd408add863e496c895fce72f79b6455d8e89233459f104

SHA512
94d1adb66b7298d08b3e449940c7f1dbbbd6ff133fb30678358f61e2484a32343f2e37faba83a35c344d618ad02f305ab14c61d5cdd3b903445454f3b2ee23e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\favicons.sqlite

Filesize
5.0MB

MD5
fe7921dbd8e9c9962fabf09f88c1b1c8

SHA1
b99a62fe53b22f355cace116a2a902cca6428127

SHA256
6542fcf52643df78bcb7890e2da3eb85c8a64b95f370de3affb7efef9753ced9

SHA512
324583b73245cbdedba1b52ca6556b574f2ef8c6f82b80167c0dd4110e38d253950a976764137e5fd8ef386dce7b27a1910bfdbdb5a9519b40a5090b37bd1d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\permissions.sqlite

Filesize
96KB

MD5
b46d4c9e041b5104a54580492ac35697

SHA1
b425b46ff06027c2d18a3fc0cd7208390fc89eb3

SHA256
77916d79bcd944d719dcaa62e8933eb0ebb79b246d1a090a1fd7e09830354734

SHA512
a78f662f26a160bed782f92525fa458f9fcb1dac2c16fe9d0818c5b7c5f1772d4e5bd1c8dbbbd8cbe1d9fd656d17e7b47aa4d2fe2ab1246188e11ff5055a8530

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\places.sqlite

Filesize
5.0MB

MD5
1f5bb4bd7552471939c9dd33e2a8195d

SHA1
36dce9cbd5c102801728db15521b057fbe6c175d

SHA256
9e048d7e80b11e6e192e6f2d05e87a9020fb0620fd91a6369a32519d5a2c1ae1

SHA512
8e8c7758dba5182361b8b59ace3d3126bba4366666c13d51b695632eeede16162c245094a96037aa3124f1578f12059c95e61c7351e45618a6c667afa6769e63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
1fc3591af59e08628f28781e39e73b68

SHA1
474d16614fda97bf4e8be66b7fcc9489994c9ffc

SHA256
c807cbc22e8cfffcb9b43a484d27a77001237893829485a8ff55736a3bcfe781

SHA512
e48452387b6c67ac8a59f965a4a359d249326bb92428c15e0930761f1ba7c83256737df107a05010e83473811d4412905d1ad3cc7b5c4831056965f38a4d3fab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
e8b84fc9b07ebee6b01192021d40eb66

SHA1
06a86d127fdae2bbc8ac8e339b481740f9df879c

SHA256
72dbfef4e6e674163efac7a8043c70c59a32a6fc5bfb937a14b034963963c370

SHA512
272904e9e90a3378ea9d4b2d996f55f85748b984c2d37d747eefa7eb661d1d6daf333fd879fa456c95f99931006f3d4410bc51464716fb8f45d792d6d6b11d25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
84d853181c4e7635948b65df3fe4fa30

SHA1
dcbd69303e73560e2be5a7bfcf826ee5e8b82fc6

SHA256
6f500bd6aed938244dcf0229241aa45db8d5d0cec873734b34307accac124ca1

SHA512
ca1613d2d7edb2fb38cd6b05bac20dab44a77068999237ffaa656487feab7725b3941ef97b1d4e7e80bc29eb90f4b18ed3866243a729fc1a317d7bc258cfee5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
424a7ea066a0f44527eafd19dfbccd1b

SHA1
2ed4e345b288aa1a521dcfdb11c7b67309dd85d3

SHA256
42368ed7e5ca6aac742daa5685d422ebc8e78901153f727102cfe6048365046a

SHA512
14ecccdc39ce1917874cba59af8c24f7ad5ddecb3b3417c3da1fdb783f5b0d19eb5adf4c6a3e26118a40e1afef220d1ce5d487d2da1a8dea35e9ddc651f2ab9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\protections.sqlite

Filesize
64KB

MD5
49397db0486dc59d607907a086f40c9b

SHA1
08742ce9db9569062def08e99eea8470702feb7d

SHA256
890033ea279f13478e655150a823a5f84176d2f8f2ec3724dc61dfec775707c4

SHA512
fc8dad1ae2215cd96c41bb3e683670bb9138467677da46c19d1e58972775842a995b70123c22ea1efb659d043f5116d0c9dca422035a6646b35f81033c9f5f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\serviceworker.txt

Filesize
153B

MD5
2f864d3ee4103726037c150354c0d6aa

SHA1
e5f2bfecf39fefdea74f711f4a4a1900b5241cfe

SHA256
bfcbb659fa8c24bc0636c440217fc0c5d905d23e50570e312afec5736eb342cb

SHA512
b4610983401f6bbd10484d362dcdf64f20eaeec334d909d60e82df92b3b3dc372893643428541774b44ec4b201b8f920ec488701b1d032a9b43d62ba01f0baeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
75035e5bd3f93c27a86b81b3f24fdfcf

SHA1
788b8c9ff1c3c787320da1973b16546b594fa930

SHA256
fe46f3fbd4abd67bec9bea1b501d2a3cd71be0b2f163fbc04b96b0c8b60c22df

SHA512
e2c353cdb1320bfaa7bd39dd9bf1394cc6f6a1aef57a2f0440a16adb3135f74d4a030b2f767949809973dac9d11f4b51335a7ca08f18f981bb28e8970ef4ad21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
be5677f2c0e17e8f71a7b2dfe0d56cf2

SHA1
f54f10d6c4cd41c0c4c7aed1ef8bfd49d4848d1e

SHA256
0495c187d78e9ced83e441248a3d07858e0d934230e6109c2e1cf20da143a1a8

SHA512
e8adc0d496e6467488d56c5a7e450d1e9c3c6816a0546a99b4cf20b9d9f375aaf6dfa81fee75860d5323e7de2aac21e67efd6baed04944575a115a03806a5361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
df5c4ac2841cfae6f3bb18e9ba691120

SHA1
beb16a5c4820c07ac6c307c733e4ae9c096bd3bd

SHA256
9a318e6e4ded4bbbf1d7dba8c9253dcc520f4275dddd1b97abaafed61b318d9f

SHA512
15b918972221b8f5e71ac464ab5dd0013f392564827fccf341d0613d735357c94fffdf4f2430d0ffecc0ec9fe59cb086292443c092a904a6c3922fde6e3106a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
764cbe6f6828216fe0e7c1980ee66a42

SHA1
46bcbc8eb87786ceb867faca1db5391ac6cbf42f

SHA256
3663cc919660862a1e479f68d8fa47d037802eefac5f2a46d3cb86d1bf15255f

SHA512
abf5403e92954b8e8d9a509e81e49224dd33a4ea7644d7661dbc7e5bf957c14835ffd1d3ef32639a7cb33e7efbb6f9d15e23602cbe922dcee9cd3f24e4ad4b99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
cc1cd6cf2561219f0dca7034a505bb33

SHA1
4e1fd794173f682bfd58afbb4b8b32ae493c2ddf

SHA256
1f5c799be2cd956bf91762ed45ff0eb908b0830891c08857b99e50325fe399fb

SHA512
0459c62ab26f059c12534bd2d4b9ac317d1c5e4ceac0fb837df1a34302a441d59daebb5d65ed0255f02c943e82fb44bdc4c1a5e4f52c89093a46cfd62ce55031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7fbe4c17fd4a3310c043d52794ad20db

SHA1
0fbb7ab5ad23116d8739d7463073e9366e91b076

SHA256
607f21348ad36a98b21f8c089b5e07dda0153a989e21f769fcb8302c4ac3a1ed

SHA512
224be80c73dec3fe4cdc71ba5f09e5cdc5ddbb6e86d2a4a90a8c9f419d786db45270c25e5f5d88250f75a0a60d0eab959bed0dbdbda6537628a773c72b028145

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
cffa5475661e7b82f01baf599e567178

SHA1
6cc21058b69fff756a8acde86298b9024fcb9406

SHA256
2e1c326e04511c0c64e7a1cf56c3a29d2b6da6468d12e1bf328da69cf555b34a

SHA512
cdfb3305e11df9f5dafed3847b5f1d789abce81a4f7d48094c3336f367b9ec6ff41eb188c57cb95aca0e032c323b84952af2276b627fa068c34f1810a696169f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
fca55dae713e3f6fc9ada35eb78a8034

SHA1
1ae1262d70e8a1a39f5cc5cce99be332b91213b4

SHA256
6971f105ec56562455a608a2aa9ca7bd90f2e3ec05f48af9ccfff978f39c6941

SHA512
bbeb651baf160ab100997d3114728b0eb82dabbe03d15d9f8319f7cd6502dc45968508c167af0d1d8ae2488ffad1f2f0c75c6f192de904c824fa63138825b372

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
a18dbfa9fb1390784831f4e26ebb4c83

SHA1
295ad373d0ad8af86daeba2c3688883bb003ae85

SHA256
6c5a8588b45073cdd5603f22a5a0bad25d3e31dcd5d8c76fc146c7fb35b471a8

SHA512
c0f5a4426e9c37e8c22f067dd8277e2c9e0d91fe8590e1014a3743d5970e9ac398eff1945b6693d445961d040424abac0aeb390c8efe71ce627780fdbb85a3dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
11KB

MD5
d82a30332844fce9859ae16263a387ea

SHA1
b7fe2922691f7f11d381473b601adcf39d451347

SHA256
30f92e876e69bfcd403518383e9e488d7a2125676316d0f4193e6680d445a91c

SHA512
7d7cdf6b9f5ba19d0d6f18babe73d4a78e4cbe4dce3d9ed64b1aef4a220cd17fc4329cbdf4c98d80287bfd5dc75aafc967e70539bf512595d8d9b884c17a48d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore.jsonlz4

Filesize
880B

MD5
80e43f218bffcef03c80d93da5fa3a0a

SHA1
b9d3abcf7b07059271b2be1c0af462793d8e3117

SHA256
550533059328192d2967c1e4d4346a6b454f904a9ed23fae6fa1a51161302f2b

SHA512
d3c8d644414fe1b711e9cf4634832a6d6eb7aa1f0f9941f6fa297ba63dab33df8e6dc5cccdc323e21be66c40bfb9f9e0c59ae72a94d1d049b050103498b383b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage.sqlite

Filesize
4KB

MD5
887d137aa7ecb0623b2b6742971ce568

SHA1
25ad73ec66e2ca36e0e4b2f53e7057f8223ef228

SHA256
ff3d6d11f5433cdc5b70b4b3fd06c13b8e41735bd13b9803f724486de4708d43

SHA512
67d5262a97defcf16dbede9ead0797db399bc1440e8798f3a338ed80234dedf7dc4f8bd56efcf3efca32180da2bc8b3c11768368c2821d03230392ceceb639d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++mega.nz\cache\morgue\138\{a925eb38-8cc9-42c4-9373-7c62426ec38a}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
5bba085296f941f43b4065638fffdd87

SHA1
83caaa24c85fc80730b0c23012477d45a7761e76

SHA256
397291ca00f8e8db13f420efac2cc83a81b849b1927dd1a7799154ad57b68fcc

SHA512
6db948cbe22555e654f5a2db0e1d8bb7a24d52948a575d52d381e12f9640ea758da261e86703b2510fd691cb8f58f5afbdd7d0ceb5fa718eefd4947f77eeb91d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
17d01b6a95dd943d26db90c8f8b9ec2b

SHA1
4a13cd800219430260a9b8f56f05e5d5a5760ee7

SHA256
37d95e793fe042021acac25f79ea658d0f9b504f355ff3679c90d639c390fcf1

SHA512
43ef01fb21b574ee89c5ee22abb0be2b4b06a7e5f5f2fcd17c191cb5f8bd3a06acc4ebebc1aa0ad6878c8032d6734ad563508d55e1ea4fb6262d40b96a0b9345

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
208KB

MD5
37265e025e25c6b4638fef9a1194d7b3

SHA1
c7a259ed9e26c1b0a912ba0a87ec060228ebacf8

SHA256
6d465f0845c1ee8db17c9312c57d9fb16bb5457215833da1e475c38bd3096358

SHA512
e7978f0fc9cecbe00a5b3f8839c947204df1f88a328980785f7f1f2d0ba036a5f5ad396b99f1564c9173ffb8d6cf052a247997e9a89ee329bcd80d05297539a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\xulstore.json

Filesize
217B

MD5
58e240288763218d12bf235d34e5aee2

SHA1
89135494b57f590011c09668dec3b90d2c5ee9ae

SHA256
615f80e71dfde24711e7fefc1b7959f7592c5e5cf9ad0f3aecb4235b93187176

SHA512
caed2638902987aead199e73cffb90881bf245bbb616cb38c46b281d4aaaa54dc20a54e9bfe17a8d6e68847394c113fb7606e94b64f44ab0b52bf7846f26e936

Download Submit
C:\Users\Admin\Downloads\7z2407-x64.6e-s836Z.exe.part

Filesize
15KB

MD5
1863a933f19192af21b62bc67d741121

SHA1
07c998e9d972b41ad5af8d4457f65677d2d84a70

SHA256
f45dcb9cd8e4f02c0cf3a406075ce8d743dce293d7d85fa1d73e8b683c75bfdc

SHA512
fbfef4c62f8cfb7d3d2fd76c2ba920e625365e5d05666ae553f5eaec6c623b89f3de963e1227559473b3a89b960292740754b403aca29245768f892e9c7c9086

Download Submit
C:\Users\Admin\Downloads\7z2407-x64.exe

Filesize
1.5MB

MD5
f1320bd826092e99fcec85cc96a29791

SHA1
c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed

SHA256
ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba

SHA512
c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a

Download Submit
C:\Users\Admin\Downloads\SyncExec.FW7Ya5AJ.rar.part

Filesize
77.2MB

MD5
e3de6bea6e4b21ef47f2ea90a8605ee5

SHA1
c938e1c14fc63d64451676b0ba4d10cf8824a3a0

SHA256
3093d9c29f7096b7919c9bf1141df040637bfcb7f803f29b935644b698dcdb2d

SHA512
cc03efc9322688742363a4333f53330d8223e70cb84f7620e836a6d3efdf41f54dfe31f0960e0a96eb0098a58d0555cb1608b8654b34a44cf874aa460b3deec5

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.bcyfXoJV.exe.part

Filesize
63KB

MD5
d3ec96557834050f9edd29c3ed88cabe

SHA1
af26f02653f4a0d2a3c673517b6c517ed529051f

SHA256
bc7747c8272ce56edc0d941e81df1b9e93f8c03be786be59d2c240b985a6793a

SHA512
77e5121874fbb294bb072dbb4b823f0ec343952b49adc96c357090bee6758944f52d09b817307b5e84921ec679449d3049009e6ffe572e9104172f7518f2cb87

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
8af282b10fd825dc83d827c1d8d23b53

SHA1
17c08d9ad0fb1537c7e6cb125ec0acbc72f2b355

SHA256
1c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca

SHA512
cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8

Download Submit
memory/4404-5477-0x00007FFF185B0000-0x00007FFF185BF000-memory.dmp

Filesize
60KB

Download
memory/4404-5486-0x00007FFF16370000-0x00007FFF1637D000-memory.dmp

Filesize
52KB

Download
memory/4404-5475-0x00007FFF03570000-0x00007FFF03B58000-memory.dmp

Filesize
5.9MB

Download
memory/4404-5481-0x00007FFF025B0000-0x00007FFF02925000-memory.dmp

Filesize
3.5MB

Download
memory/4404-5485-0x00007FFF024F0000-0x00007FFF025A8000-memory.dmp

Filesize
736KB

Download
memory/4404-5487-0x00007FFF15FE0000-0x00007FFF15FEB000-memory.dmp

Filesize
44KB

Download
memory/4404-5488-0x00007FFF11450000-0x00007FFF11476000-memory.dmp

Filesize
152KB

Download
memory/4404-5489-0x00007FFF02070000-0x00007FFF0218C000-memory.dmp

Filesize
1.1MB

Download
memory/4404-5491-0x00007FFF15F30000-0x00007FFF15F3B000-memory.dmp

Filesize
44KB

Download
memory/4404-5492-0x00007FFF133D0000-0x00007FFF133DB000-memory.dmp

Filesize
44KB

Download
memory/4404-5493-0x00007FFF12720000-0x00007FFF1272C000-memory.dmp

Filesize
48KB

Download
memory/4404-5494-0x00007FFF12620000-0x00007FFF1262B000-memory.dmp

Filesize
44KB

Download
memory/4404-5495-0x00007FFF124A0000-0x00007FFF124AC000-memory.dmp

Filesize
48KB

Download
memory/4404-5496-0x00007FFF12290000-0x00007FFF1229B000-memory.dmp

Filesize
44KB

Download
memory/4404-5497-0x00007FFF120C0000-0x00007FFF120CC000-memory.dmp

Filesize
48KB

Download
memory/4404-5498-0x00007FFF11E60000-0x00007FFF11E6C000-memory.dmp

Filesize
48KB

Download
memory/4404-5499-0x00007FFF11B40000-0x00007FFF11B4E000-memory.dmp

Filesize
56KB

Download
memory/4404-5500-0x00007FFF11A80000-0x00007FFF11A8C000-memory.dmp

Filesize
48KB

Download
memory/4404-5501-0x00007FFF10BA0000-0x00007FFF10BAB000-memory.dmp

Filesize
44KB

Download
memory/4404-5502-0x00007FFF10B90000-0x00007FFF10B9B000-memory.dmp

Filesize
44KB

Download
memory/4404-5503-0x00007FFF10710000-0x00007FFF1071C000-memory.dmp

Filesize
48KB

Download
memory/4404-5504-0x00007FFF10700000-0x00007FFF1070C000-memory.dmp

Filesize
48KB

Download
memory/4404-5505-0x00007FFF106F0000-0x00007FFF106FD000-memory.dmp

Filesize
52KB

Download
memory/4404-5506-0x00007FFF03550000-0x00007FFF03562000-memory.dmp

Filesize
72KB

Download
memory/4404-5507-0x00007FFF0C140000-0x00007FFF0C14C000-memory.dmp

Filesize
48KB

Download
memory/4404-5508-0x00007FFF03530000-0x00007FFF03545000-memory.dmp

Filesize
84KB

Download
memory/4404-5509-0x00007FFF03180000-0x00007FFF03192000-memory.dmp

Filesize
72KB

Download
memory/4404-5510-0x00007FFF03160000-0x00007FFF03174000-memory.dmp

Filesize
80KB

Download
memory/4404-5511-0x00007FFF02F00000-0x00007FFF02F22000-memory.dmp

Filesize
136KB

Download
memory/4404-5512-0x00007FFF02EE0000-0x00007FFF02EF7000-memory.dmp

Filesize
92KB

Download
memory/4404-5513-0x00007FFF02EC0000-0x00007FFF02ED9000-memory.dmp

Filesize
100KB

Download
memory/4404-5484-0x00007FFF11FF0000-0x00007FFF1201E000-memory.dmp

Filesize
184KB

Download
memory/4404-5514-0x00007FFF024A0000-0x00007FFF024ED000-memory.dmp

Filesize
308KB

Download
memory/4404-5490-0x00007FFF0B0B0000-0x00007FFF0B0E8000-memory.dmp

Filesize
224KB

Download
memory/4404-5483-0x00007FFF184B0000-0x00007FFF184BD000-memory.dmp

Filesize
52KB

Download
memory/4404-5482-0x00007FFF12020000-0x00007FFF12039000-memory.dmp

Filesize
100KB

Download
memory/4404-5480-0x00007FFF12040000-0x00007FFF12054000-memory.dmp

Filesize
80KB

Download
memory/4404-5479-0x00007FFF122A0000-0x00007FFF122CD000-memory.dmp

Filesize
180KB

Download
memory/4404-5478-0x00007FFF12AF0000-0x00007FFF12B09000-memory.dmp

Filesize
100KB

Download
memory/4404-5476-0x00007FFF184C0000-0x00007FFF184E4000-memory.dmp

Filesize
144KB

Download
memory/5432-2709-0x00007FFF12620000-0x00007FFF1262C000-memory.dmp

Filesize
48KB

Download
memory/5432-2728-0x00007FFF12290000-0x00007FFF1229A000-memory.dmp

Filesize
40KB

Download
memory/5432-2727-0x00007FFF114F0000-0x00007FFF11501000-memory.dmp

Filesize
68KB

Download
memory/5432-2726-0x00007FFF11510000-0x00007FFF1155D000-memory.dmp

Filesize
308KB

Download
memory/5432-2725-0x00007FFF11B40000-0x00007FFF11B59000-memory.dmp

Filesize
100KB

Download
memory/5432-2724-0x00007FFF12660000-0x00007FFF1266B000-memory.dmp

Filesize
44KB

Download
memory/5432-2729-0x00007FFF114D0000-0x00007FFF114EE000-memory.dmp

Filesize
120KB

Download
memory/5432-2731-0x00007FFF024A0000-0x00007FFF024FD000-memory.dmp

Filesize
372KB

Download
memory/5432-2730-0x00007FFF12630000-0x00007FFF1263E000-memory.dmp

Filesize
56KB

Download
memory/5432-2733-0x00007FFF114A0000-0x00007FFF114C9000-memory.dmp

Filesize
164KB

Download
memory/5432-2736-0x00007FFF03170000-0x00007FFF03193000-memory.dmp

Filesize
140KB

Download
memory/5432-2735-0x00007FFF120E0000-0x00007FFF120F5000-memory.dmp

Filesize
84KB

Download
memory/5432-2734-0x00007FFF03540000-0x00007FFF0356E000-memory.dmp

Filesize
184KB

Download
memory/5432-2732-0x00007FFF122B0000-0x00007FFF122C2000-memory.dmp

Filesize
72KB

Download
memory/5432-2737-0x00007FFEFF550000-0x00007FFEFF6C3000-memory.dmp

Filesize
1.4MB

Download
memory/5432-2738-0x00007FFF11480000-0x00007FFF11498000-memory.dmp

Filesize
96KB

Download
memory/5432-2747-0x00007FFF03530000-0x00007FFF0353C000-memory.dmp

Filesize
48KB

Download
memory/5432-2746-0x00007FFF12290000-0x00007FFF1229A000-memory.dmp

Filesize
40KB

Download
memory/5432-2745-0x00007FFF077F0000-0x00007FFF077FB000-memory.dmp

Filesize
44KB

Download
memory/5432-2744-0x00007FFF11510000-0x00007FFF1155D000-memory.dmp

Filesize
308KB

Download
memory/5432-2743-0x00007FFF0C140000-0x00007FFF0C14C000-memory.dmp

Filesize
48KB

Download
memory/5432-2742-0x00007FFF11FF0000-0x00007FFF12007000-memory.dmp

Filesize
92KB

Download
memory/5432-2741-0x00007FFF10B90000-0x00007FFF10B9B000-memory.dmp

Filesize
44KB

Download
memory/5432-2740-0x00007FFF10BA0000-0x00007FFF10BAB000-memory.dmp

Filesize
44KB

Download
memory/5432-2739-0x00007FFF12010000-0x00007FFF12032000-memory.dmp

Filesize
136KB

Download
memory/5432-2750-0x00007FFF03160000-0x00007FFF0316C000-memory.dmp

Filesize
48KB

Download
memory/5432-2759-0x00007FFF03170000-0x00007FFF03193000-memory.dmp

Filesize
140KB

Download
memory/5432-2758-0x00007FFEFF520000-0x00007FFEFF52C000-memory.dmp

Filesize
48KB

Download
memory/5432-2757-0x00007FFEFF530000-0x00007FFEFF53C000-memory.dmp

Filesize
48KB

Download
memory/5432-2751-0x00007FFF03150000-0x00007FFF0315C000-memory.dmp

Filesize
48KB

Download
memory/5432-2756-0x00007FFEFF540000-0x00007FFEFF54B000-memory.dmp

Filesize
44KB

Download
memory/5432-2755-0x00007FFF024A0000-0x00007FFF024FD000-memory.dmp

Filesize
372KB

Download
memory/5432-2762-0x00007FFEFF4E0000-0x00007FFEFF4EC000-memory.dmp

Filesize
48KB

Download
memory/5432-2761-0x00007FFEFF4F0000-0x00007FFEFF502000-memory.dmp

Filesize
72KB

Download
memory/5432-2760-0x00007FFEFF510000-0x00007FFEFF51D000-memory.dmp

Filesize
52KB

Download
memory/5432-2754-0x00007FFF01D00000-0x00007FFF01D0B000-memory.dmp

Filesize
44KB

Download
memory/5432-2753-0x00007FFF02340000-0x00007FFF0234C000-memory.dmp

Filesize
48KB

Download
memory/5432-2752-0x00007FFF02350000-0x00007FFF0235E000-memory.dmp

Filesize
56KB

Download
memory/5432-2749-0x00007FFF03520000-0x00007FFF0352B000-memory.dmp

Filesize
44KB

Download
memory/5432-2748-0x00007FFF114D0000-0x00007FFF114EE000-memory.dmp

Filesize
120KB

Download
memory/5432-2764-0x00007FFEFF4A0000-0x00007FFEFF4D5000-memory.dmp

Filesize
212KB

Download
memory/5432-2763-0x00007FFEFF550000-0x00007FFEFF6C3000-memory.dmp

Filesize
1.4MB

Download
memory/5432-2765-0x00007FFEFF3E0000-0x00007FFEFF49C000-memory.dmp

Filesize
752KB

Download
memory/5432-2766-0x00007FFEFF3B0000-0x00007FFEFF3DB000-memory.dmp

Filesize
172KB

Download
memory/5432-2767-0x00007FFEFF0D0000-0x00007FFEFF3AF000-memory.dmp

Filesize
2.9MB

Download
memory/5432-2768-0x00007FFEFCFD0000-0x00007FFEFF0C3000-memory.dmp

Filesize
32.9MB

Download
memory/5432-2771-0x00007FFEFCFB0000-0x00007FFEFCFC7000-memory.dmp

Filesize
92KB

Download
memory/5432-2770-0x00007FFF03530000-0x00007FFF0353C000-memory.dmp

Filesize
48KB

Download
memory/5432-2772-0x00007FFEFCF80000-0x00007FFEFCFA1000-memory.dmp

Filesize
132KB

Download
memory/5432-2723-0x00007FFF11FF0000-0x00007FFF12007000-memory.dmp

Filesize
92KB

Download
memory/5432-2870-0x00007FFF02500000-0x00007FFF02875000-memory.dmp

Filesize
3.5MB

Download
memory/5432-2887-0x00007FFF114F0000-0x00007FFF11501000-memory.dmp

Filesize
68KB

Download
memory/5432-2886-0x00007FFF11510000-0x00007FFF1155D000-memory.dmp

Filesize
308KB

Download
memory/5432-2885-0x00007FFF11B40000-0x00007FFF11B59000-memory.dmp

Filesize
100KB

Download
memory/5432-2884-0x00007FFF11FF0000-0x00007FFF12007000-memory.dmp

Filesize
92KB

Download
memory/5432-2883-0x00007FFF12010000-0x00007FFF12032000-memory.dmp

Filesize
136KB

Download
memory/5432-2882-0x00007FFF12040000-0x00007FFF12054000-memory.dmp

Filesize
80KB

Download
memory/5432-2880-0x00007FFF120E0000-0x00007FFF120F5000-memory.dmp

Filesize
84KB

Download
memory/5432-2879-0x00007FFF12CA0000-0x00007FFF12CD8000-memory.dmp

Filesize
224KB

Download
memory/5432-2878-0x00007FFEFF6D0000-0x00007FFEFF7EC000-memory.dmp

Filesize
1.1MB

Download
memory/5432-2877-0x00007FFF12CE0000-0x00007FFF12D06000-memory.dmp

Filesize
152KB

Download
memory/5432-2875-0x00007FFF15FE0000-0x00007FFF15FED000-memory.dmp

Filesize
52KB

Download
memory/5432-2874-0x00007FFF12100000-0x00007FFF121B8000-memory.dmp

Filesize
736KB

Download
memory/5432-2873-0x00007FFF12D10000-0x00007FFF12D3E000-memory.dmp

Filesize
184KB

Download
memory/5432-2864-0x00007FFF03570000-0x00007FFF03B58000-memory.dmp

Filesize
5.9MB

Download
memory/5432-2722-0x00007FFF12010000-0x00007FFF12032000-memory.dmp

Filesize
136KB

Download
memory/5432-2721-0x00007FFF12040000-0x00007FFF12054000-memory.dmp

Filesize
80KB

Download
memory/5432-2720-0x00007FFF12CA0000-0x00007FFF12CD8000-memory.dmp

Filesize
224KB

Download
memory/5432-2716-0x00007FFF122A0000-0x00007FFF122AC000-memory.dmp

Filesize
48KB

Download
memory/5432-2717-0x00007FFF120E0000-0x00007FFF120F5000-memory.dmp

Filesize
84KB

Download
memory/5432-2718-0x00007FFEFF6D0000-0x00007FFEFF7EC000-memory.dmp

Filesize
1.1MB

Download
memory/5432-2719-0x00007FFF120C0000-0x00007FFF120D2000-memory.dmp

Filesize
72KB

Download
memory/5432-2708-0x00007FFF12CE0000-0x00007FFF12D06000-memory.dmp

Filesize
152KB

Download
memory/5432-2711-0x00007FFF123C0000-0x00007FFF123CB000-memory.dmp

Filesize
44KB

Download
memory/5432-2712-0x00007FFF123B0000-0x00007FFF123BC000-memory.dmp

Filesize
48KB

Download
memory/5432-2713-0x00007FFF123A0000-0x00007FFF123AC000-memory.dmp

Filesize
48KB

Download
memory/5432-2714-0x00007FFF12390000-0x00007FFF1239D000-memory.dmp

Filesize
52KB

Download
memory/5432-2715-0x00007FFF122B0000-0x00007FFF122C2000-memory.dmp

Filesize
72KB

Download
memory/5432-2710-0x00007FFF124A0000-0x00007FFF124AB000-memory.dmp

Filesize
44KB

Download
memory/5432-2705-0x00007FFF12100000-0x00007FFF121B8000-memory.dmp

Filesize
736KB

Download
memory/5432-2706-0x00007FFF12640000-0x00007FFF1264C000-memory.dmp

Filesize
48KB

Download
memory/5432-2707-0x00007FFF12630000-0x00007FFF1263E000-memory.dmp

Filesize
56KB

Download
memory/5432-2695-0x00007FFF02500000-0x00007FFF02875000-memory.dmp

Filesize
3.5MB

Download
memory/5432-2696-0x00007FFF133D0000-0x00007FFF133DB000-memory.dmp

Filesize
44KB

Download
memory/5432-2703-0x00007FFF12D10000-0x00007FFF12D3E000-memory.dmp

Filesize
184KB

Download
memory/5432-2704-0x00007FFF12650000-0x00007FFF1265C000-memory.dmp

Filesize
48KB

Download
memory/5432-2697-0x00007FFF12B00000-0x00007FFF12B0C000-memory.dmp

Filesize
48KB

Download
memory/5432-2698-0x00007FFF12720000-0x00007FFF1272B000-memory.dmp

Filesize
44KB

Download
memory/5432-2699-0x00007FFF12670000-0x00007FFF1267C000-memory.dmp

Filesize
48KB

Download
memory/5432-2700-0x00007FFF12C90000-0x00007FFF12C9B000-memory.dmp

Filesize
44KB

Download
memory/5432-2701-0x00007FFF12D40000-0x00007FFF12D59000-memory.dmp

Filesize
100KB

Download
memory/5432-2702-0x00007FFF12660000-0x00007FFF1266B000-memory.dmp

Filesize
44KB

Download
memory/5432-2694-0x00007FFF12D60000-0x00007FFF12D74000-memory.dmp

Filesize
80KB

Download
memory/5432-2693-0x00007FFF12CA0000-0x00007FFF12CD8000-memory.dmp

Filesize
224KB

Download
memory/5432-2688-0x00007FFF15FE0000-0x00007FFF15FED000-memory.dmp

Filesize
52KB

Download
memory/5432-2689-0x00007FFF12CE0000-0x00007FFF12D06000-memory.dmp

Filesize
152KB

Download
memory/5432-2690-0x00007FFF15F30000-0x00007FFF15F3B000-memory.dmp

Filesize
44KB

Download
memory/5432-2691-0x00007FFF16010000-0x00007FFF16034000-memory.dmp

Filesize
144KB

Download
memory/5432-2692-0x00007FFEFF6D0000-0x00007FFEFF7EC000-memory.dmp

Filesize
1.1MB

Download
memory/5432-2685-0x00007FFF12D10000-0x00007FFF12D3E000-memory.dmp

Filesize
184KB

Download
memory/5432-2686-0x00007FFF12100000-0x00007FFF121B8000-memory.dmp

Filesize
736KB

Download
memory/5432-2687-0x00007FFF03570000-0x00007FFF03B58000-memory.dmp

Filesize
5.9MB

Download
memory/5432-2683-0x00007FFF12D40000-0x00007FFF12D59000-memory.dmp

Filesize
100KB

Download
memory/5432-2684-0x00007FFF16070000-0x00007FFF1607D000-memory.dmp

Filesize
52KB

Download
memory/5432-2682-0x00007FFF02500000-0x00007FFF02875000-memory.dmp

Filesize
3.5MB

Download
memory/5432-2681-0x00007FFF12D60000-0x00007FFF12D74000-memory.dmp

Filesize
80KB

Download
memory/5432-2679-0x00007FFF15FF0000-0x00007FFF16009000-memory.dmp

Filesize
100KB

Download
memory/5432-2680-0x00007FFF12D80000-0x00007FFF12DAD000-memory.dmp

Filesize
180KB

Download
memory/5432-2677-0x00007FFF16010000-0x00007FFF16034000-memory.dmp

Filesize
144KB

Download
memory/5432-2678-0x00007FFF16370000-0x00007FFF1637F000-memory.dmp

Filesize
60KB

Download
memory/5432-2668-0x00007FFF03570000-0x00007FFF03B58000-memory.dmp

Filesize
5.9MB

Download