d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245

Resubmissions

13-08-2024 08:41

240813-klh2nstfje 10

13-08-2024 08:34

13-08-2024 08:31

13-08-2024 08:22

13-08-2024 08:15

13-08-2024 08:11

13-08-2024 08:07

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-08-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free-vpn-3.2-installer_96-miv1.exe
Size

1.7MB
MD5

2798a45b6137fdc262bc01d6c13a2c7d
SHA1

743587eb5afd358591146b8222d2b97d82cb9d1f
SHA256

d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245
SHA512

4c8b70261ec5fe915b2c3dcfb6ff644873adcf0d8abb1ba83be30eb600bf1c7fbd6bbd5d0730a610f129e3492517e7cd77e882e9f7b3bfa214e73bfbd361be1b
SSDEEP

24576:W7FUDowAyrTVE3U5F/XkbjztjfSKh7P/1Ks6vk9XpSwR1HNmJrFxgzUsYz:WBuZrEUcztdqAXpSwRWNQ9Y

Score

7^/10

aspackv2 defense_evasion discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000400000002ac53-584.dat	aspack_v212_v242

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
9	raw.githubusercontent.com

Executes dropped EXE 4 IoCs

pid	Process
4704	free-vpn-3.2-installer_96-miv1.tmp
1688	Curfun.exe
3204	CookieClickerHack.exe
4080	Flasher.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Curfun.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Flasher.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer_96-miv1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	free-vpn-3.2-installer_96-miv1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Curfun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{7EF34AE7-E049-4FFA-A855-F0F196C4BF73}	msedge.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 663824.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 939111.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Flasher.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 83439.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Curfun.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3148	msedge.exe
3148	msedge.exe
4216	msedge.exe
4216	msedge.exe
3372	msedge.exe
3372	msedge.exe
2416	msedge.exe
2416	msedge.exe
3576	msedge.exe
3576	msedge.exe
3852	msedge.exe
3852	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2156	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 4704	2404	free-vpn-3.2-installer_96-miv1.exe	78
PID 2404 wrote to memory of 4704	2404	free-vpn-3.2-installer_96-miv1.exe	78
PID 2404 wrote to memory of 4704	2404	free-vpn-3.2-installer_96-miv1.exe	78
PID 4216 wrote to memory of 4484	4216	msedge.exe	84
PID 4216 wrote to memory of 4484	4216	msedge.exe	84
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 5004	4216	msedge.exe	85
PID 4216 wrote to memory of 3148	4216	msedge.exe	86
PID 4216 wrote to memory of 3148	4216	msedge.exe	86
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87
PID 4216 wrote to memory of 416	4216	msedge.exe	87

C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe
"C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\is-A1QFG.tmp\free-vpn-3.2-installer_96-miv1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A1QFG.tmp\free-vpn-3.2-installer_96-miv1.tmp" /SL5="$50104,837551,832512,C:\Users\Admin\AppData\Local\Temp\free-vpn-3.2-installer_96-miv1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb8f573cb8,0x7ffb8f573cc8,0x7ffb8f573cd8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Users\Admin\Downloads\Curfun.exe
  "C:\Users\Admin\Downloads\Curfun.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Users\Admin\Downloads\CookieClickerHack.exe
  "C:\Users\Admin\Downloads\CookieClickerHack.exe"
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1828 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,7708108108912112654,1419246971421474324,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Users\Admin\Downloads\Flasher.exe
  "C:\Users\Admin\Downloads\Flasher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\77e0a49a-07f8-4123-bb06-9c4b7764229f.tmp

Filesize
6KB

MD5
dff79dfe9275d4b6c9cdb616b6445c1c

SHA1
828109cafbffa1742974d01a6371684f56368882

SHA256
c747009b6f04722ad386e7c0f5bcf12bdf21dc5083ea58a88a1c020b7badda04

SHA512
1e11707bffec81ff394b51015e2dc22730a5c4bf81c7a3ccbb61235b90a5d9706ebd93143cb324631fd2f20cb47dc7af761c52f29edcc36bc8262fbd2c48b650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f3def0d1f91cb009706c3bd7c04421da

SHA1
74420859244e056b951d6ada3665b624c592955d

SHA256
22a7a1d194b1af329864ab3846d685faf8724835ab68c9989e2634b0bd33870d

SHA512
4f3093d8a608b89abef354c933009b505419212e7e5fb605728fb8b15e84e25bf169c33ec14a055ebd6654835487af2ecacc95d002c1c05f6fc91b227f1b6710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
1ff5d1bbb1989ae7776d608c1585b22f

SHA1
170fc16361e5f8ed039476d9677a4efdbf86f08d

SHA256
09596a7fee70921960cb08a870dec0b0d69659a0d8a67b6f8d7c90341aff0aaa

SHA512
a675207641aba6f99fb1da800828f9278555a990b03892fb6cd04945ad3d813f778cf198ebc811f57ac2d5f90c80fcae4f2314c1ea04e47a674f3e0a7a950ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c579adc07fc132c6b35d8bcd7f2c4e0a

SHA1
0db85a193965722a142612bca07f49c2e4c17cae

SHA256
de11f4e1324a97e3c7612880f8471ac5951ee793a60d7f4a608b0a15c6027c87

SHA512
592811d90ae90cbc9556cf66afa0b6f383f991c74c04c3637c17015155fd447755cbe6f7fabd780ca713a66b17eef4bf9cc8f9f643a053a67b3e532c3dfc7baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
746132215611b7e5202898a2de2088b6

SHA1
adc067196974edc2f933e6c5ea10c5cafc0174ad

SHA256
7094bd5358bcb8fce5c26d05449dd4be80441f5cc64b8850b56e46e5a2308a33

SHA512
3b79adfde15a7ff4b4bd584318a602b98e53b862f2eb0da5bdc7ef143fae8c627567f0b9718a9f50506affbea770cf8c8c6979bb8d277d23291fd6f9c17ab97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02ebcc892145b4f479c223cfed6f6c73

SHA1
4eac44054177468a87d92360ada32ab36e704e85

SHA256
9e3dcb5d88f3883e0902f1702a4ce21f36b5c8ecbdb64dcc69d8b204d4d0f717

SHA512
39dc06dc91d5ede25c67457ba4b855521bbd689e2a3224f29f670f38afb9ebe37254da49add8c2166301f4a53be087b65841ee3bc87cd10cab394ec7d8ac6789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc6ff3d2dd4ce0ec8e004fef830d6018

SHA1
2ce20ec31cdab1148e7e0b325ee02fe274890ca0

SHA256
6686e98486994379d0fce000c94256dc690878ca47b50d37e8287bfd7bddb3c2

SHA512
1e60b4859e3e76dcc2469000d16aad82ce3d9f60679ee2ffb192f4807c0baa365fab6d9266de2df5c91ea9cbdfcea4dbcc825a4bf8b60bd0b0a30082dfbff9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a45cb8cc7ac48305a6321898f9abf7c3

SHA1
c71f6ec49604c9e040f89a9f64209fa6e22ea200

SHA256
9cbdbc8e1584a3b8daa8f135d7026c7fb67efb64107e1df49dc3156ff8ed4c3a

SHA512
66b751398751ab30f76236fcc8bd02074660edd6bd2e867996a6d7da6c750d2436dbfd4b0d940b181864678660e0018d9faa1debcff7852b96b38123c86b46d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
096358f267cdc660aa5c4abd9c922214

SHA1
f0b08f61e40789cfc8f97ddadbc90b8f33bb61fa

SHA256
4e735ea31b5e0881d40f70491f716fe25aeb1e343477013c3d85ebcfa5d8793b

SHA512
fc752bb76f51e152327e5fbe97f53de95163951facb9c35b83b8324d9af97395a9e029e38b3aabc836a3cf7b2c4cc85921de06996616e61c646dfefe298df759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be8f89ef4f33af78d6897f49398fbefa

SHA1
b00e029278b12dc1feec3ff879a134dea16be5f8

SHA256
e239b613c5aea2861cf460b275f14951e3bc216459417aa079dca7b0ad42a3ba

SHA512
9048f40e5e249345962572122faca611acad3ff8e1c7f4055c75681da68f75756e0bcd740b94c2b73ce8bcde2da8ac78673a23d29d13d2fe35ef4bbb4143f529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
779d54b3183a9a4cf994fd4c04c7c1c1

SHA1
144bacf5e14f4738b250b1d959561b43f3d8883b

SHA256
83238b3a5f0ce2244b3f45e26a26a7d151fd0c30934f23ec67a68e1c017e8e2f

SHA512
8e311e85a28ad8276462d478e742bc4c6d16d17b4cedf79d43d50a314b3f83adc9db3de0734808e3a2f8d0a63819b221b71d8398e5dbfc4dfb60c3a41032d55d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da46fbf2241ef2c8522642763b1502e5

SHA1
64639ae1f77dea25404edb10b9cbe67b0daae92f

SHA256
bd16e31bab2a835a6b3f65a675534a51946875b1237133dfbf639334e72b597d

SHA512
b668d1725e2eb9dd57209bb44b3d7d212408752dfde592939d695dd0c3ff1798f4f89fbe87cd027d25858bb219722d59bf5da9d60c77e367bad5f8d1c297000d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce1d6de3d91f8560fe0258addcbffa6d

SHA1
637d5f9d204bca0aca0c7786305010747ec3d84c

SHA256
ecc3a46b324ffb88bbbcd22be10b91a0b498b2084ce3e11cfd338d6f9eeef947

SHA512
d08ff6a513b5f421fcf482e581fc3e3d2eb09ea734d066c330338bf7d7d5da663517fcb8aa2834b35ef5962feba2ebc70a1db5322456c584b847026f43f80eb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58463b.TMP

Filesize
1KB

MD5
df7bfd80682b75e2f3f921d0e3335e53

SHA1
92dabb29d9991d5379d798d20dea35ad6299c760

SHA256
1a0cf7e1b6d2775631afd0ced70da6a51d9d75407dda4cec8ce58a49d605dfb7

SHA512
e6819d9a1572dd01ae11f223422c13d34a2654168fc5b6edfb1940d337f188f77fc517e63d69fd07975347df7c086b57be01f72f13bed251d4f7c4f990cd9794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9e1c35c6ec7c978e44785a4345035bf

SHA1
20b9bb8e037229c2fb98f2e02f4439ac880c337e

SHA256
3a6b0d90770ec121af60d206d63545be3145557ec54ab01f9a84acaa14935a87

SHA512
ced26f9bb3f9ff3b01d8f91909397e0fd1db2771a71c068efb31e623b1405951775e36542919f35dae11a1ff9fd5b1e3ee0480abb034ab3c479a15181ddcee8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1295d8b5f473e7928425da2ca465ec17

SHA1
334039e68ed0a13376a1a816145b5cd7a943606c

SHA256
49df33514423444dba9635c11178e98ccdc906b672f1ae0ff36afb3ffca0ff36

SHA512
1843900304bc4b067379528fb8ebd5e61104d85b2312ee5b97453beddc60fc1b8215d9461cdb2eb24307631a1d9bfd2c69fdfa9b3cbabab314bed3035936e826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
847f254fed71f94b7ed25af118d0c6a3

SHA1
eba4041ed7e0af551b430f0a6a86e5dc21d65481

SHA256
a3117791314219d235fe3029fe3bb840a94e0d4dc782617e7d50d886f036327f

SHA512
6429c8555ad80515475e783ce27f220b45b0c36e7055f89a42876f341b7f75aee1547f3bfebcbf8f92297e8534e17e47dc89ce86710ed4752f370b275ec01066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d9c20e13181e0476be72500b4f58a8f6

SHA1
ac180bcabf1359b7f95c24620517ad8f08c7045b

SHA256
7f7bca61de5d76bfb52baf98d6d45adb7c3949ace344c5d029849a79cdf6b505

SHA512
c24f35b7a19d13fd714899646c9ee0ced6cc4aa142a5509a39ec06de23bd631fcad4d1d5c92477cddf850e4f4cf68e369c23c8dbd116251d7d8812d8e7f3fa62

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A1QFG.tmp\free-vpn-3.2-installer_96-miv1.tmp

Filesize
3.1MB

MD5
db28fcc0fffc6630fe26b980989bcef7

SHA1
5df0b8072c9d6e5eb5f60300ff021774c03fed4b

SHA256
03f35384c001acb1a19371cfc66afd98507b1ad93b4b20cb530679c64b2a8a86

SHA512
e323d28d5e7b8b37a545f52cf7310edfdf6a3c5a3ce0d7e2a2e37ecfc5b72de9c39fb9db177d5420dd16503e4d39a04b59d55f0d84132aa6764349444859ffc4

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 663824.crdownload

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 83439.crdownload

Filesize
138KB

MD5
0b3b2dff5503cb032acd11d232a3af55

SHA1
6efc31c1d67f70cf77c319199ac39f70d5a7fa95

SHA256
ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b

SHA512
484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 939111.crdownload

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
memory/1688-552-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-591-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-515-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-633-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-532-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-551-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-628-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-501-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1688-458-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2404-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2404-18-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2404-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3204-510-0x000000001B770000-0x000000001B816000-memory.dmp

Filesize
664KB

Download
memory/3204-512-0x000000001C310000-0x000000001C3AC000-memory.dmp

Filesize
624KB

Download
memory/3204-511-0x000000001BE40000-0x000000001C30E000-memory.dmp

Filesize
4.8MB

Download
memory/3204-514-0x000000001C520000-0x000000001C56C000-memory.dmp

Filesize
304KB

Download
memory/3204-513-0x0000000001010000-0x0000000001018000-memory.dmp

Filesize
32KB

Download
memory/4080-645-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4704-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/4704-16-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download