hxxp://google[.]com

Analysis

max time kernel
529s
max time network
501s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

9^/10

collection credential_access defense_evasion discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Contacts a large (982) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Clipboard Data 1 TTPs 64 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
676	cmd.exe
976	cmd.exe
6000	powershell.exe
4824	powershell.exe
5524	powershell.exe
2100	powershell.exe
5732	powershell.exe
5788	powershell.exe
2004	powershell.exe
5564	cmd.exe
3960	powershell.exe
4016	cmd.exe
424	cmd.exe
1820	powershell.exe
2944	powershell.exe
5924	powershell.exe
4892	powershell.exe
5832	powershell.exe
4748	cmd.exe
3944	powershell.exe
4060	cmd.exe
5700	powershell.exe
1860	powershell.exe
3580	powershell.exe
5612	cmd.exe
1524	powershell.exe
4100	cmd.exe
976	cmd.exe
5408	cmd.exe
2352	powershell.exe
1252	cmd.exe
5172	powershell.exe
3636	powershell.exe
5136	powershell.exe
1524	cmd.exe
912	powershell.exe
5784	powershell.exe
4032	powershell.exe
1012	powershell.exe
4332	powershell.exe
2932	powershell.exe
1524	powershell.exe
4456	powershell.exe
1556	cmd.exe
1052	powershell.exe
5168	powershell.exe
4824	cmd.exe
2704	cmd.exe
956	cmd.exe
3960	powershell.exe
5556	cmd.exe
1540	powershell.exe
3860	powershell.exe
3992	powershell.exe
5608	cmd.exe
4200	powershell.exe
4860	cmd.exe
2268	powershell.exe
2352	cmd.exe
3844	powershell.exe
3328	powershell.exe
2100	powershell.exe
4888	powershell.exe
4980	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
6712	winrar-x64-701.exe

Loads dropped DLL 2 IoCs

pid	Process
6048	re-yang-win.exe
6048	re-yang-win.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

flow	ioc
77	camo.githubusercontent.com
99	camo.githubusercontent.com
189	raw.githubusercontent.com
196	raw.githubusercontent.com
197	raw.githubusercontent.com
1509	discord.com
100	camo.githubusercontent.com
102	camo.githubusercontent.com
177	raw.githubusercontent.com
181	raw.githubusercontent.com
184	raw.githubusercontent.com
190	raw.githubusercontent.com
101	camo.githubusercontent.com
108	camo.githubusercontent.com
182	raw.githubusercontent.com
188	raw.githubusercontent.com
195	raw.githubusercontent.com
106	camo.githubusercontent.com
175	raw.githubusercontent.com
183	raw.githubusercontent.com
185	raw.githubusercontent.com
194	raw.githubusercontent.com
1528	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 8c0031000000000014599994110050524f4752417e310000740009000400efbec5525961145999942e0000003f0000000000010000000000000000004a0000000000473e7f00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7z.exe	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "3"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Applications	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000000259507c1000372d5a6970003c0009000400efbe0259507c0259507c2e000000279e0200000006000000000000000000000000000000ad98e00037002d005a0069007000000014000000	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\NitroGenerator.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ReYANG-Windows.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
4828	powershell.exe
4828	powershell.exe
4828	powershell.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
5172	powershell.exe
5172	powershell.exe
5172	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
5724	powershell.exe
5724	powershell.exe
5724	powershell.exe
5732	powershell.exe
5732	powershell.exe
5732	powershell.exe
4824	powershell.exe
4824	powershell.exe
4824	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
3440	powershell.exe
3440	powershell.exe
3440	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
1860	powershell.exe
1860	powershell.exe
1860	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
5452	powershell.exe
5452	powershell.exe
5452	powershell.exe
5788	powershell.exe
5788	powershell.exe
5788	powershell.exe
5700	powershell.exe
5700	powershell.exe
5700	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
5844	powershell.exe
5844	powershell.exe
5844	powershell.exe
2312	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4828	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeDebugPrivilege	5028	firefox.exe
Token: SeRestorePrivilege	3960	7z.exe
Token: 35	3960	7z.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	5172	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	5724	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeDebugPrivilege	5700	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	5844	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	5432	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	5240	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	6068	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4200	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeRestorePrivilege	5432	7z.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
4036	OpenWith.exe
4036	OpenWith.exe
4036	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
4828	OpenWith.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe
6712	winrar-x64-701.exe
6712	winrar-x64-701.exe
6712	winrar-x64-701.exe
5028	firefox.exe
5028	firefox.exe
5028	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 3756 wrote to memory of 5028	3756	firefox.exe	81
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 3524	5028	firefox.exe	82
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83
PID 5028 wrote to memory of 1716	5028	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://google.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://google.com
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5319a45-e07e-4aa7-a462-7342b4b98552} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" gpu
    3⤵
    PID:3524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b611cd14-9a66-49e8-bff3-a53d635371ad} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" socket
    3⤵
    PID:1716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2856 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3252 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dc621aa-8c6b-4722-bd72-f4685ff1dbac} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:3360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3688 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {750410e6-cebf-417e-a4fe-5c69cc4af764} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4632 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4624 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e8aa31-3fd6-4430-88a7-9f626be3373a} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" utility
    3⤵
    - Checks processor information in registry
    PID:1152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 5288 -prefMapHandle 5244 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc9ba9e4-8d32-4212-ac5b-eeb6cfc6e572} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c70c6399-124e-48e0-81ab-e9d64881cdda} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5408 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0985719c-e122-4e68-8e08-057c09d6d1f4} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:1620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6044 -childID 6 -isForBrowser -prefsHandle 6036 -prefMapHandle 6020 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5bc0f05-43b9-4e3e-a4de-e2e47146118d} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:5044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 7 -isForBrowser -prefsHandle 3984 -prefMapHandle 3724 -prefsLen 29276 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ee6b956-e36b-4712-8cdf-6013e8e1a2e0} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6316 -childID 8 -isForBrowser -prefsHandle 6408 -prefMapHandle 6404 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f131cd9-7d4e-4ed0-822b-d72fb905a4ce} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:2076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4468 -childID 9 -isForBrowser -prefsHandle 6568 -prefMapHandle 6688 -prefsLen 27566 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8622ad06-fa95-4762-9a1f-afea4f1d9e9f} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 10 -isForBrowser -prefsHandle 6200 -prefMapHandle 6664 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b88e7f6-c806-4b49-98a2-964dbf254fb9} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:5936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3340 -parentBuildID 20240401114208 -prefsHandle 3624 -prefMapHandle 6068 -prefsLen 30530 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09844ea7-2e49-4694-b823-ec38ce8d5786} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" rdd
    3⤵
    PID:2884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6916 -prefMapHandle 6868 -prefsLen 30530 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cebc4345-9efa-4b5f-a5fd-4970f5fdda3c} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" utility
    3⤵
    - Checks processor information in registry
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7204 -childID 11 -isForBrowser -prefsHandle 7184 -prefMapHandle 7196 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28dcd96b-796e-4dc0-b4fb-62f2fb986193} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:5440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7460 -childID 12 -isForBrowser -prefsHandle 7220 -prefMapHandle 7388 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55818e99-4847-4405-b32f-a2f1cedad694} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7508 -childID 13 -isForBrowser -prefsHandle 7568 -prefMapHandle 7520 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e60314ad-26fd-4419-85ba-f4315cd1d73c} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7768 -childID 14 -isForBrowser -prefsHandle 6708 -prefMapHandle 6652 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe1ec00d-c601-40ea-8dbd-65f2fb8e6e0c} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8184 -childID 15 -isForBrowser -prefsHandle 8176 -prefMapHandle 8172 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e695deb1-9705-46b8-8ea8-78a01bbcd6b1} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:6120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8336 -childID 16 -isForBrowser -prefsHandle 8348 -prefMapHandle 8344 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c79a5a0-46ff-47a8-a8ca-9d3476f5ccde} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:3856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8320 -childID 17 -isForBrowser -prefsHandle 4176 -prefMapHandle 8940 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7109a277-9c39-422f-ba86-471eb3dbc35d} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2732 -childID 18 -isForBrowser -prefsHandle 7900 -prefMapHandle 7840 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf9946d0-372f-41df-9a8b-5c4da75de156} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7840 -childID 19 -isForBrowser -prefsHandle 7864 -prefMapHandle 7948 -prefsLen 28338 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79ddc21-5736-4cbe-a605-b54d1587a846} 5028 "\\.\pipe\gecko-crash-server-pipe.5028" tab
    3⤵
    PID:6228
- - C:\Users\Admin\Downloads\winrar-x64-701.exe
    "C:\Users\Admin\Downloads\winrar-x64-701.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4828
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NitroGenerator.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3960

C:\Users\Admin\Downloads\ReYANG-Windows\re-yang-win.exe
"C:\Users\Admin\Downloads\ReYANG-Windows\re-yang-win.exe"
1⤵
- Loads dropped DLL
PID:6048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:5564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:5408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:5608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    - Suspicious use of AdjustPrivilegeToken
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:6000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:5556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:3960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:5612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:2588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Clipboard Data
  PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:5784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Clipboard Data
    PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4248

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NitroGenerator.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NitroGenerator.rar"
1⤵
PID:5160

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NitroGenerator.rar"
1⤵
PID:5732

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NitroGenerator.rar"
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\01ABD05F24B7C929E9BBF7B620E2289C4EE00CD6

Filesize
70KB

MD5
15a00f6f03c8248fb84b804459fb258d

SHA1
8e7a2eb609e3cbabca273aa05bf86b894c46b13d

SHA256
d24468474c3fd53b78de0598958de6b73bee44ee7ae722c8bf0e27be5dffddc2

SHA512
17d2d6209a63082dfe3db0a0a653ac0f63e7cf3aef4f63eb4ac189b0385cb358320b9fdf831f275e361070ee8d2104413f4acde1a244de75569386e5dfd07494

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\01F54350C8B73F18E7F6B5242B37A11BD26EA91C

Filesize
268KB

MD5
44401eab317c7d342d20dd827af629a2

SHA1
ae13e0cda2e6b0f2540cb52387af7a80dba77b01

SHA256
11bbf04c9e8b8b5f76527c7d641c981329c5399d161777aa9f42c38c65f7b94a

SHA512
0527796c652ecf8037d3f6cf41bfe99f4d22e823409d21600ef82be85ee2567df0965dc0a13182cdc4304dad1e0d1ba3e422fe9ce85332a6230f9475404e1e0b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\03AED98177B4AAC3835AD369769EDF6B01485615

Filesize
605KB

MD5
e1f33fdd4e26548a05b46da7a876de4f

SHA1
626410b3291841b6853729ba80b74cda8aeaed4f

SHA256
497660e5ac7cbf0d3cb739191a17988049b862b3ff9b994fb562df355b4fd537

SHA512
202564c4fdba2c53b4d9b1615570a26de7c07158884cee566db02e390f437e38147290fc6b179daa1ee38dd774a63802947fea0ada367476111baaf4de0f9cc9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\04829417B698B01200BA3D1BCB51E49891C7BE09

Filesize
112KB

MD5
dc8534487ef64d799e496b9c144ead79

SHA1
911442310f1d8aee2c551be7df28dd51f17dfcac

SHA256
4fb3f4ee88ed07a1d9e26b7f4720d7a451d15da5f9e9092aa7190a18a0a4b5ca

SHA512
f38a517ecced2442d9e6d2b66a212f525becc869c5cd49309d94d27f237912daf56fa0df151b7e5bb219def4f2d454b6f0dbea809a3d9a1fd55b47755f374e98

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\087F96B189611952C6B30E20692EACCCD08B35EE

Filesize
22KB

MD5
5c458615463aa5e9a8a313652a12e9a3

SHA1
6f3d5a6e1cce0db42b8b9e801c17580b2a330ace

SHA256
bc458d77ebad3d9e0dc559b5d719dd0ef9aeebbc7ef168774bce5dc1acda7491

SHA512
c57323dc3319f8e5b217b2ec878a332117e36f6479783429926985f6c6ce0757d87dfc5313ddadf298e2f53e260abb1e9172b0a2ecbe0ae247017acecd06265b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\09AD4CEB9F7F9E5BAF7C81843BE4603E1CECB16F

Filesize
265KB

MD5
1fe7439d305477a4285af59b4cdd83c4

SHA1
53f5d53bcc02db0ce8a8fa7212120d28761ff239

SHA256
25668d6ed7bcf66f5436c9f7f67646a4f44f3c69d576d52d8d6cb3b28ad9ed7e

SHA512
a9538479c4a2598ce0c5dee53f696c615ed5d31a1491ccc08bf4a29e04fe0b21f8e44780a27e0a6280fda26d93a6fc980a18af6b20c42d2f0256e41f8547ced9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\0A14640657965B8513D3F26C8B0E6802EF353192

Filesize
13KB

MD5
fb8ea763f9b6652e98ab55b1721c47d4

SHA1
867cdd2d1658e689013c008ef9f59ca532f497b8

SHA256
9cd0e489d563226e5d8d2b31b1744911ce2d1949c478562095521d9ccbd07f35

SHA512
32c01c3950e30afd67802fe1ed35c47c861265d9942377efb876f7ccbb48c7d0f4daaf9e9e57ba6034946969846cc1eaa1a2805aa66a423e60440b2e04d9c835

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\0B6CD5CA4E54040DDC05DAE0A839F91585DF5F7F

Filesize
14KB

MD5
ae4869f6b90ef77338c911c8802f7b0e

SHA1
c7c3613fcebf4431e486885bfa93752e5195d5ab

SHA256
e35c9c782f7d621b7c619817c059bf885dd1ff4a20edbcbb87575e727bc9cc1c

SHA512
aced1e1e496456b4261ac300ca5241d961ae3af7c97b104422433ba62440d1327f848a0f7d7c49d69d8c809a5f24b6b46c15a1c9e4d00ef3d423e33903b1ba81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\0D2FCEF5530165A1D25C0E404458F2BAC00BAA9A

Filesize
18KB

MD5
0a10e6b258dd34eb4d85ca8f07a75fd0

SHA1
86bb0979f6f95fad9f8e27614baf0d1b2e324fc9

SHA256
6e8841367916dc43102e6cf4dd3176b843489c75ce5c6ba560267fbfda919f6c

SHA512
f634724e681b1e5b917f3843f0c0222524960f03b5d9b822a386a8134ad67e7a35a4253410e74b8a100c0a3c342193cc01d351d7b97ba1dc6fc54f0ae0815ad1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\0FC0D2E39B11CB3765F534386C8F9B92E09CA1E1

Filesize
14KB

MD5
2f08a198b144390f0e1f87b90b0868fd

SHA1
d8e2bbff31e79a905270bda267bfd55e61290fe3

SHA256
363d85da0cf17f6fb2da7c86a3cf2071249c081fdc852e50b47ebd88cf2cb75d

SHA512
f424640a163fc9e3113c1bf9d19781c317936136db30c0329995581672d51eac84e62bd2a54669bc6a458e6eceb340b08127a9357967830aa2fd27c3e739c2b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\10D3592934913BA27D380ED0943335F42838EA52

Filesize
373KB

MD5
6033cc9506dcc1b69a830f7801327e2b

SHA1
ebadaf523f4c42b5d84c266f27a146efe6ebb60f

SHA256
422c0709cd0c5c3a392ec8610293ece9de055dbcf9156d6c236d078d372682a7

SHA512
42966b442d2d60aeb17b9d3d117d5fc02f0dedb04cd2b013d9a6178e3d7821b83e8d2fb931a46a8071f53a3a5433b57832264e754183268c228cfffcca870f81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\166C7CD42D77DCA59102CACBFA6286C8B1656A3C

Filesize
19KB

MD5
01d4f3180e5677a7ff9701109ebb9c18

SHA1
b8dcca5ae58c6ca1a9bb037ed9d2135e61d885e8

SHA256
72afd14ff6bc1b5dc467f9c5fe92f8f41581c321b826f27464334722099e3a7b

SHA512
8d085b58eb50ec7d9e3980c1f7005040f9522923052ae6fd79ac1565ff18e222cf6062640f4dffcaa00a3dcf0ee3a7a6e3eae8385723850f77ba65810f35c244

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\16D3E6A057A124E8E3BC96689FCEB5904949EBB5

Filesize
14KB

MD5
d2e3a4fdbc7a4269c09198dc3da9359f

SHA1
1513d563b9f2290fc4898a8248329d9c7930ba95

SHA256
725613b0a729fd88e9afa5a2b0431fda60464d5849fe2aeabdc9fc82c0837491

SHA512
720b7732e1ff0b3cae4e13d03c20a334dae24397880664fe2e15f2f509fa10387022801441ded4e187004edbb50ef074b97da723c681f45f099a767759b75d60

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\1A46D3B03B4914D068209FF81CDD6A6313AE1758

Filesize
143KB

MD5
1dc7a053afa6d6aa5a391c8ba3b07c30

SHA1
3bd5e6e28991c4ac773abbf298b532149377c003

SHA256
7e11305fbf02db6bcb88eaa05c64a9f7e26514ee97d1488ca915a81a724ed29f

SHA512
8616594fc5108fd9aed3bebe1ea10c3e6f73ab16acef6c774e3f71675c80f1f13c962e624ab2921768168b3b0b685f407abc535414288b1496c32acd470426a2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
63KB

MD5
913e50f2d519da01b616de561c667b58

SHA1
50b7f6af61b72ea01939ee0ef53ecc17df9cb69d

SHA256
208d480a298e2a31b8f0db8b7f85ad64e8f010df8acd1757dc7987d233fe461c

SHA512
a863cc9224f95d816c001d3a2f665293536dd52b049e1980c0fd9790c060515945228ed4ac480c5559b2adeebca2728ce4b7f5f3705975c667b44d199b698402

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\2842554DB98F3F407860E172D9087A5CCA96CB21

Filesize
14KB

MD5
f7f9c095daf76f9f883885617a86635e

SHA1
b4631e7f49c8db953529154f9685a492255d5180

SHA256
f18aa97ffb1d3bb2a75d84a23ce4df450dc72cfbec3adab9b1724712ba5a2abb

SHA512
0ab4b3d4f7627fce1c0c4cda468566d748cb5f5ac420e68f5e284e6651e973af92c17b49e5f4a57cfba653f4ab5464d3f019e51a5dfc6f07d33b2a764cf15a37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\2E86BE7BAE68B6BD4FDF3CFEBBFDD29AF4885C5C

Filesize
415KB

MD5
e2746304e632c73ee88df16dc689e21a

SHA1
555735e8ce23a1b771fb57461a888e9b8babdd24

SHA256
fa762f5c2f72579022e38ee6c5ff55755843ecb56343270abea1f8b3be5f5c99

SHA512
5d51e787be19235aed335d4e28f5486e29227a60690ced74185df91aa9f62bc967c8cc515e056fe18434928bbfdd1fdaf29628d0902a0fd69625e7f407e8ed64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\2FB4870AB5CBFF30AABA53EEEED7EB0006167D52

Filesize
19KB

MD5
c3cb4f37e167d80f95589a32757e38ee

SHA1
e495971fe017116a08b11b3edef1f1b1c734bea4

SHA256
4d031a3974cb8ea814f55d83f6c62833c2c624b5439a2ea0e7f71fbdc192e413

SHA512
d22c2886fe896f2109d75939574bc84a49faab0f51ee85680d5f912b78022a1211922c0e2b4824699a4efa64eaf58291eb062d3536362b43455ccdbf5de18501

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\30AC9E9C28EC1FE2B05598F46EBAED7EC52CEEF8

Filesize
18KB

MD5
470f7b851acc1583a07790f671d9fefb

SHA1
521f0a6073bbeb892f067776b7fe8fc5503916a6

SHA256
b1316633f5681b4f854449217ced9c40da786aa0766986be2f47536c131ac890

SHA512
91f92d71ecf833bb1b0cae239fa9f9571e689719df8bd7c1b713ac4bc57fd8dda1447933f4fc8fa5d4f703a260b1df9ddc9e0b476bbfe94792f3f768b58c43f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\33366673A001DAE58C4FA732FD14D01603D29259

Filesize
16KB

MD5
2f01bf1f3e8e7f408b91e7afffe4b4de

SHA1
5ef5f844cf455a625bdb391c891d16579558af1b

SHA256
0175a30b20f82153fd1de0193b48b4b33192e4fac784e734cf3d048900eb2fed

SHA512
d3a9c35817a03bae3a1427ee7d1c62ab830804768a03d439d2439e7fefc1982cc7370ba81aca11404d0f95c0ebd5dd54bea61a81a82c65cb087e7326b342b1e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\333F6657EB02E4E81EF932E9611E5C1AFEA06660

Filesize
254KB

MD5
662cbaf788357fcdb1d1f1b786a49722

SHA1
d4895b07819871167a93ed7b54b6caa11cf77106

SHA256
91970c08771635c2c38d4df4ee9e620ae535bd151622e5a9a6c2a2268a62298e

SHA512
f658e73aa57be0d02edd7e1645d997ecae392db79d81bce8814630c05f6308965f20eb48271d5a926211a1aac0337c84cc3c8c50c4756f2e15e6d9af738083ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\3499E0CDB4968FF402067428EA75B46BFF8FE5DE

Filesize
14KB

MD5
0b426e942fea3c917278e84d527d855b

SHA1
05973cf1ffa8130b61b1d656b06305bc1fe920e5

SHA256
c96f2b16bd5b0362f78653894e1d064c86d49a3da238dfab6c4d18f9e0389f5c

SHA512
e5b5f88ce6980a25a78c18d701b59916b5a1bcc5c281ee499c33706a9a0c40156e847d31ac1aafad57dcd216ee3bd07da3036ad6167e3318c5ba36b467cd0493

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\357E389E7B2A8CE4A979BC48F1900D7D28DE4634

Filesize
15KB

MD5
d9c260303def664bc999ee471bf354f7

SHA1
3a80bfd0d228d42374d519592f355a4e80c83c16

SHA256
ab1b520d37b7f928bc40ea57baba99b08385f9d2a8335b67245dd85f4c38774c

SHA512
505bc05f212f648f1f8b06f8333494fca754e4fcd1ca6fff231ab38042646655ae829defd58a5ddb908d530031aea33cdb53d2e54d33510d6f8287d0f3f4c6d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\3C2A744CFAE6CA56F7BFF7905B0136F689288CEF

Filesize
70KB

MD5
4fbe4d6f0c305a21b9ce6357bebb1f83

SHA1
717c400ef2f91f1263ce1963911dc258790f918a

SHA256
2ff853814ec627cdcbd0aba5169d384f108d6e448249be12b47572fab1b505be

SHA512
a86ec73a0f4ecd8ba84c7c3fb045f459fb4b12f2df748557a5a5b0671ba4d2b0eb4987e2331a81a9f13b7314feb5a4ef6b8829c95b71fdc70fd118ec6c633733

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\3DDA16BC6DDABAD758EAAD1BB9028434BF62D323

Filesize
14KB

MD5
55d210bb1d9d0bb7a9ee99226329dec1

SHA1
552b41990e908580de167cad8615009f17a91086

SHA256
4eeb4b25e034b61c5737e12cd5cb71e50966241162c8dce887fb168c7b158183

SHA512
175a25dc05e7db74923350cb0ef668169e972bc210bf25a48c3d495e7eb539fb8b89545304df32e14b67710349fa7474ada86d2a995cc576dcbff1b424b76d3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\4263B1A2D70C7C417487FECC88693B6E7E40E2B7

Filesize
93KB

MD5
7f376118c08aa344c8933a7686d0e4a4

SHA1
a49d4d372391e8dc7fd29909ce9dbe902b67cfc4

SHA256
83d5ba0d89a200331d4713a37577d9bc378c4439cb9e3309d08468f6e54be1c8

SHA512
203453fae26dddef125d3747af990a0bdad61c076d1da754985e94187c6c59727a996adf8ad0cb30bb566129d23694bf165ed014cdd5c23d7a605b75c285d60c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\4581E80964B1526EA2613707C014EA4C804C59E7

Filesize
14KB

MD5
2bb5f383509cb98a00f7483c26a11241

SHA1
f46ae042379061ef71567c5c9a17dd762becead9

SHA256
607cbbe6a2eb3704efdf1914ad7999479e178be3155779b4c9297768c6d5effc

SHA512
c73e4e53bde070e2202d36fe8f30300ee91673e67a8c56086d636bf44e113743b669745e0be682a2d84631f39800407dd00169003b9d7c2e4805c75ce988a572

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\49AF65C60E9467DC868F8EFFBC6F0E1FE2D6093D

Filesize
124KB

MD5
a00b54a7d939fd41d898356d0e6783fa

SHA1
6cbbec5731042dfa95fcdc184892b03c3d7c0aca

SHA256
7cd07d14d967fbdf569b9a1c5c1bf04dd3d735dfae346b6050777015cad1d202

SHA512
141a489134e739f2e52d4192d7cb2b74c4f5b329fa1941e6aec866ad2d3a20110df6fde607a24aa25e084ab198518a58597c083f3f47a61d9a7c6a63a313ede6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

Filesize
14KB

MD5
2d104b56fa8a54c2454c625bf8ce77e4

SHA1
b2ac7cc0da2d21ec15a8ffe66a2c9bdb50934379

SHA256
091e9cc7e7ff0118a21952f898dcc28a9c79301821a9c6829ad25faf50fd2220

SHA512
2668a1f726c7d191afad81d4a98fa28b17e3f0682c2f74cdd62cffdd48f7be91a432533a3e0cc7ce0ea7d3d52e852e036a835bf248fd931565ca2ef369387581

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\4CA2E679CEC293F142684E37B6B4D5F01FB00E81

Filesize
89KB

MD5
62b668fe2bce463b7490b84f495876e6

SHA1
882bc9c71ff34e322b1d7adf1017984634c27eae

SHA256
8616519ab2850adfd36a7f86c9a4e4ca28519dc527aa4510d1ae4b39266d1304

SHA512
706e63c7ba80872c290e05eaa3f10b40e17ef350918bd5c640947d576296e5826f72d72fb4f278e961a2f43b5820af66a1a63141b4600765930afb10ed406367

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\564D2D83F94FB79749365F693ED0CA848E388C20

Filesize
66KB

MD5
2628a194a7d2c77416386c2731cf1ed3

SHA1
65507bf022df7c36f49ccc820276ab44cc69410a

SHA256
b3700e90b968d00cbea905f4dd8d736838a9733b17934d2761aa6d2fddf244b3

SHA512
63a2249118f7f12276dbdff1cc980f9f049e946e408e2665c1ad70dced650600e3a9bf4dbaf59fb56b4961be751e798e058c9ff31dd57db3e4b8f6a5af3c1180

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\569310489AA355180F229B54E68092E3E2C0B048

Filesize
17KB

MD5
c758410a0657d0be2ce2d7d7b818039c

SHA1
96db460fea06e818c29989e579bca84b5b055d24

SHA256
bbae6cb347801a1f8d016a00b382b2003df81bd61a918946e1c6b0308081cd62

SHA512
fbb742da2b3284b754834add72ed876d8c059c6ae17f6b56f4a8dde7a456a660ba4255f2ab292d4521fd52f26f4a87026b822139c3cdead4d3e29f001e246ab8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\594A37D74B576C00BDD5DE5CEE5353E7EAD1DCC1

Filesize
15KB

MD5
821f687a6e06358b2d1c0a1220f9742d

SHA1
1410d8c990df19cbba49ca4d942102ef563401a9

SHA256
9b06f6f2713d357d650d30ac173773463a7b0998b2bade60ce10689aa61b0d0a

SHA512
2bd6944ea8f0b5e33c37f956b80305e205a0a56e71ef1b658df8e306bb3cff13c4ad9c8dd3b259374e2ee3337d3e6dd18911862e7dddae5db7e99447e1faedef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\618D9AB1809CC9B5842D1F113F88DFAE9C6C3098

Filesize
15KB

MD5
7a9455a84ba963fe15f924af68149322

SHA1
546ada87bc69b7e055860cae2b7ee84a919b46b6

SHA256
15f84dacf276c9733380782ee829f861fdfa6b2830a2438200cb52f126608cfa

SHA512
12b4d44f309ef8d1f7ca74952aa38ba792872b3100800fd4e1475d0cdea13e7722f589c6b1f30cae1c1841a46469a6499e342bf802f9b93ec0aa89b98b419bf9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6973955F832C3780D91B32513BB9D0AB49A2165F

Filesize
19KB

MD5
905a3699f8d7e18b84ce32de2e7c2c2b

SHA1
501a0eb4e1791caf141b15072f6e176f4693d30c

SHA256
a78d08de3287aa1c9c8b6f62d398a29a0b1d061329c276788f31e9dde09b4d64

SHA512
39132c1a33a8130605f67b7a9e563d6c730becbbbc017a7dcbcc57499745a4d82d53c08ceb109be85a890b4471704959fc51beaf86aecac3b8e5b2f267508200

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6B4DB52338644A6A772A175E61E5FE1628EBC513

Filesize
13KB

MD5
45fcf7b923637c033883c4298383336e

SHA1
946e4fc7862a5bd646c71beeb5c37aaa3e554400

SHA256
e5c558c3363b64861a339305e44591043bc5a9b6b5bd862d6f8a1a6ef87db18f

SHA512
ba81a82689f2fc50671e4c973d3266f9fe4e1e259f7e6a20b01b03cb35ec6c00b9d7dadf0eed660840f151be2e00e84f69b04f0d3333361e79be40cc4c7f1170

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6CA49CF400300157554A25EB3C1AC6A292A66B3C

Filesize
157KB

MD5
32fdff7393c3aebf11566e922952d33c

SHA1
3a87202f2c015f3cd670714157158e00567cd5e5

SHA256
0ebef7607940ee550b7ac6ad83ee40dc4c51426ebd4033c6d437807418b81773

SHA512
3c6a0cc754c0e5af82942c807a5948dc4bf09b3dd4e47367274c3835018225dc81cbaefbaece760aef650e910f5a0c5731e7d8e4f75dbdd4cab5435d3d28ee80

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6DC564E164FD75A340F0A4D4FBC10EC8C9D97EF2

Filesize
296KB

MD5
5de2ad05e5a7ea148dd64976dceb87e2

SHA1
031863bde4f709d88e9c4a9c47ef6c1d8699eba2

SHA256
0765d13539abff79b9ab03f3edda717052879da941257d31679aae87cef70411

SHA512
91da25ab1aed82415dce869ebffb37f43cbed7679375e6281a9378bb305de827d2944710fd2f1cc58f52dd315a761d442a07b8444b3a57d15653158beb11c894

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6DCC7219BDD68F40B49C898294B3611102D7A89D

Filesize
14KB

MD5
2e96c18137c6c90df4fae8a9e52aa00c

SHA1
a4b4af601448b8219da7a1db5f95ffc0ea3a8851

SHA256
7a9cca845e6352b39b83a286583a55e0214c12abb4cd95608e443a6ad2d8fd3b

SHA512
5c6a494d2ac8dd1b9f1f6ebb399a6918313eb53cb19a277048616965ad6461284c2dee02d1805e4e3e51c711c0a82241b3714832fee0ed371260816b0e1e279a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\6EAB61949AA154B4D4B519A2E8B104821698EC45

Filesize
47KB

MD5
5ecc3b4f40a5f95a02b0f7e6a54015e6

SHA1
9789a1b39c6c04eb8530869facf8458366b40eac

SHA256
495fe3e2d05dd701ad4d7cccb0d56f44f8df8415d0ce378989f9c0653e374588

SHA512
8427727ff79ef6394e9e8690e8820b08e7db0819322dba658ff1d8ae5087c9ea7c9a5cb4de2eec83315b86eefc696596bf1b6fcd254907c4044b972ef7090d5e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\78F46BFEACF3898E8940DFE6C8421DE8908450EE

Filesize
14KB

MD5
4232bcd4a927ea6bcd9eb5127af434ed

SHA1
0ab686709fd7d72fd87d789d43528b4cb11d1c2c

SHA256
5ce786ac7d74b2298790d19e2a350a9f7b3472966aea6d14dd5ff95e05dda31f

SHA512
dc4b10454454d0a37278b8059ccdb548348c4ca498fbee1bee6d856defb8277a00d8347d35976f982adb06a810175a736457b1558fa1acd78e7a245f96d6625e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\79AA3703A952AF8FF4E8A6BB1DA7C486DDD36E48

Filesize
19KB

MD5
42887c0d29cc8cad3803a2ab31d3b9ab

SHA1
0b7cab610fd95b374400cbbc5b7ef9f00dd387cc

SHA256
8ea1b25122107d1d34bc531ef905272db72be43ae617a583c70c51137bb148a7

SHA512
a9f821e539ebd651cbb5f9c927012fb7e8776f9cfe1d343f8a3302920e379072427302c07e0d8a4d0a3c3ff542c2560d3a5c5e968fb97fa79acc7c40864a6763

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\7DF7C2185C0075D029DBEB95BEC8DE27CB89582E

Filesize
75KB

MD5
1c1ecc8f5adeb557e94f34f8bc43bae0

SHA1
fe572a16f24eebd47c397b117b653ce3536d227c

SHA256
70f3da19c63d30ddaf23b0a39b313d9346627d06ba21daee6509ed5b414a2a6f

SHA512
79e27f5abed991b29333aef197386e3f05bd255f89027f5ec79e129dd9490fecd213263590776e8013f53e4f6ad94f2d5856c4f5b15cbc7aff0ba743a1c371fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\80285EC16EDB2FCB53FE4D6500B0396AC776DCD0

Filesize
1.1MB

MD5
bbbacf2556aac128f0f289336ab0b24e

SHA1
a3134bc0a284635b841e77fa47192c97ad1f55ae

SHA256
40b0898c6ef55a68d1081a2e9d74e037b4514201d86957acea2bfccfe397ba29

SHA512
496f25d0f0a93e729c8f81d9b67c1d70e7857c2b9a6ae7bb62d2ee4597b9c26381168cfb159855a4e78b86909dedb5e512fdd7ef33e30c0a68f93f59b1ecfb36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\8AB484CC5020606718ABD199346615B70630C694

Filesize
71KB

MD5
450c9324335e1de833ded61ef57b5929

SHA1
b8029a462c3c8f6f29a84687bca0fd6dc227a60d

SHA256
7dd25a0c040fa12a60ecdb6bf9133e1aca1d4ff6478bf7c6653446f9abc8a8df

SHA512
c52d3a3ccb303ecdfa430926f73451e0fd5b84e5d48bae7e62e7f9fd89e70296e0e6fc3af608c4d2bd706ebe514cee02a2ae8135a2a6e3f53f9d0286fe3f1d5d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\8F082A631652764B0D68631196BA68D03670A4D5

Filesize
70KB

MD5
a4354d968917f54231d013df1cacb6c7

SHA1
028980da80e7f59ba58fcffcc2b32a76e851b9b7

SHA256
46eda207823eeb592ee2fb43b41c3f055565229141022f061162af7f48500b19

SHA512
440901e54c0bdf3ab026e6e755abcfeabbdf74ac610f79f546b7e078a1f8b0237d15e130485974fabac8871013373f2c5cbbed57cc0b9d805a4c48d208bd4b45

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\9357B92D7A82DC731CBB46EBC4F197AB314C7C11

Filesize
218KB

MD5
e491c2b37b38fb39b9ccbe2379d5eacf

SHA1
65ad56cf3a1fc00c49a4cded58b24bd2941b2457

SHA256
d12a44fe50a0b0910056626f0a4b5e3d6a64c006dbf22866532ef719f1b52b46

SHA512
4f5d3db710d069ebdc45e8fcc244b96160f7bc1e11ebe2e24d2dbd1a3053ef36aa31cb99cd892f139fa72be9af449d5f4fe6bf7422cb0834d7668c1f6dac9d1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\9695EF6C5E0CE18BF6742C5C0EE08F02BAE83E2C

Filesize
20KB

MD5
3c2f5fe221bd335d228344aabb18bd1f

SHA1
92f744d699754db446051e54cb3d295dc594b31e

SHA256
787b106663332ca26cea53dfbddffa210a745428674a50dccdbe461f8c727fca

SHA512
f5ad0dbb918e13a7a42bc668e0ad80817e0515a0ca4a09c80b7b286daad073ca285d2afed66390704734036b6df89b70ff8757f36245d0c75e639d0de59427d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\98D70A04175F12872A9CDC60C5E95AF55040F134

Filesize
14KB

MD5
97fac7b76b9e1f0e1ece577ab6371461

SHA1
4868c5edc808e138126a41f9fe56f912db413388

SHA256
de36679fc30794c90ad14b750fa2b616c2af0610202da3236a34558b82bde2ec

SHA512
3397cf62dc664587951c89aa8edf37b25ba1f18c47219d37250168cf88fdd1f5d8b7d5bed9d32124069ca80a5b6b01c8b2befcf573926bf765a38aa4eedaedf2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\9A4AA513BF56A7AB641F6E9EB6E3B4567F7DEF5D

Filesize
16KB

MD5
3dae639b63a0c05359d3e24678a62e70

SHA1
a85e4c620f1eb8ba77ae62984d3af485c1dda544

SHA256
65c47eab8479a4cc4dc33c41127f53ece90dd485590c5ee2b562950fda260c63

SHA512
aed4339073ca3278120636f1ced3a1382c95fe44aa6b56ed7827d5404b1d9adcdd36a1f631b42e0357de6e10b54261c40f6225016498c63f537bf5b16255f50c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\9D8812F6A558D1927D5A858D18A6FEBD8A1B6869

Filesize
14KB

MD5
cb6d9062a6675227918688fd04d4c716

SHA1
6049bb5030b81620bbd2c11840af481b99bd5ea1

SHA256
4c5fcfb7ea804b9374ca51a38aad5158124794540e733c006128ee46c779d0d2

SHA512
7749204450a1bba868ae2f999dd5727d2e0b9f751342736a1f816cc9fea478762e8e07aafbc9b3da29db457123ff676f7af515089fc6e724603ba9b685abb277

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

Filesize
39KB

MD5
053914ab65ade230acf1f31f576af360

SHA1
127628a3ebb8bbadfa15abec137d8cd4a6daa780

SHA256
645caaa2ee3c388a586b63178d1bba96c39c3d70e41452be6014b8b59aa54402

SHA512
fb9128e417193a57dd41b327edd741dc52be0732cd4d1a3814604934d822edc5582403c451b74aa9527c42cfb68f61193b69dd9bfedc5264de840e3e4bf28272

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\AED34AA9DC5AFFEAC1A32BB7DB28B9004477D15C

Filesize
30KB

MD5
6e3d215912c4f403339da5ac91725a5a

SHA1
373e4e07185c3542437647ae93b4160b50834b96

SHA256
bca19e721657427986c08cfc5d1cdecf47c79731c8751f087494878f4af50e23

SHA512
4b5c8a111bbefc2fd097939d5b38977918331c137c86b5baa2aae38e630e3fe4c1bf819b36ded57752635d2ddfc01c3036da56cfe57037f046d0629d9fa721c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\AF03FC63EE2DCF906028B9769C39326FC68D2579

Filesize
14KB

MD5
c96c9cff2116ff6d533e69cfc9246277

SHA1
75497fbe34478592afad4ec1b90b559469d18849

SHA256
a67b572f0a8200620f54da1d39190c66474b059bd4d6ace5e3aa23186acaa015

SHA512
fdd51d2ada0d5b14416cf6f164bf1eaf029ca9769b45327813cdf957a46f0fb19ee7f02f729d37ba7350f9110d73311e73201556d558731f5be1264dbb7ab46a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
14KB

MD5
4dfd0991e1da8c0a49288454f33e9af8

SHA1
b3a876f29aa3831c1453d2bcf2bae65ccfa771d4

SHA256
588c38b3eb2114c8bf5eb3d05e53b3665df5de73def603175ed0c698473595fc

SHA512
21c3e305fd43fed2ba151dfab00100e7763ffbc5dc0db39a30536e173761255e30212f54bd518a7b0ccba7dbb075d5457be88068253b6de5ce8c156f2ef70419

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\B4F692A321DFB9D3604DE8BE72864C7F0AF5BC36

Filesize
20KB

MD5
3d87047db1796221a62dfb40621311ff

SHA1
7610dd18209d8331538f7b1d2ddf961a4bfd2098

SHA256
29559f0288452a9502a0f7ea4384302732def2b7959f70c7b7ecc8ba01d44763

SHA512
897946e3f431d3fd3173f53806286576149b0ccea85a7e016295ee17ad0f2848c4c2ae9b154d956f22f923627159999051a8dcd14b227a6abe1e22dd32960c6c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\B5F57F18B38F075423434044438291B3FD84AA31

Filesize
16KB

MD5
172d5152578c30601a79bbbab0f855f6

SHA1
0afced6e4105804bdf2f58bace7f828fd841508a

SHA256
3a0dd18c54d79760c30d3f08d813494ba9a8c32ede8fd1c49e94292afe8522f6

SHA512
07c938c1990ace5a2bef08685459fc642d0f85c0241d8b5f79fccc982245d70a509d11a3fd1140d50db8d58c301657accaf3aa26d6f841d5fbec1049cc02d7a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\BB5FB70C74C290CCB9F25BF1EAEDFF4CAF215688

Filesize
97KB

MD5
95a5d693d36d26df632815988833b433

SHA1
11569246bb616388576b7e2d85ed54a673d17f08

SHA256
4414436010b95c13c234292e8c5c0bc1fc34872057fc98c2541e8a0ea456d9da

SHA512
3d480ed46e37f3e02971d0e5176752026828549d8771b5b10ce83072781b3f848502b9f6414ae9be31b58e57bf29fc70b3977aea0f538d0ad1c0adee962782d6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\BBD71EB7C6FFDB728EA9C264F063F7938A56C418

Filesize
15KB

MD5
7f970d6204875dce18adaba89601d0a0

SHA1
70c5961c172098a8e0022aa5713bbab6e7b0ffa6

SHA256
c5c2ca4578dc1a854822570c88b39974264596849fa7ec9cc84466f6a2ddb7b5

SHA512
6fc05905b74957fba62ddc0a7e3a01b1619292afb20df2447bd11a9c0186b34bd3c85794f618a39d2288ac781bdccf706fb7a1a1ed7187316e87221c8e511192

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\BD518506D48E5D9A2A1A812001B343D87149620C

Filesize
320KB

MD5
95cf299067d543f98ce032f61fc3436c

SHA1
54947d1e72677d0df9359258e3f1ec836bfc2eca

SHA256
521de1a1344b6abddb49d26b0797a8b6b147ae69c65e28fc57482371e818a299

SHA512
6beb736ee686d257a75bdbb125e2be8140f65575ffd8673078f11e026b36b52d50cc90ed28ea0a8481993553a87a898d132c708638ee4e883437b09921a64dd4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\BF0923D6C9AC3F4148AB74C98E937ACD57DCEAD3

Filesize
97KB

MD5
6d50c96415ba5522c4406964d6d509f1

SHA1
abbeaa28465799da23d24fedef2c7ec571c92eb5

SHA256
f78bdf8f8fd9d82392a4a86fd5d6d0160c56b94d65024d43238ad385007cf19f

SHA512
3a232137417794e86faa74ad678b7dce4380e63be29ab1ee936865201221c574066d4e1e4506deec117eeff199ed795cccabfc3e0c7ddc6ed14699ec0d73fa0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\C7F3BDB645B2CB752401A31681C973E76B91554F

Filesize
17KB

MD5
7ec9439c5955d17bdc125dd04a3651b6

SHA1
b858f8f08d90ae3e359722331645cc67d9e7e341

SHA256
dd2c3d8f6e87aaa6ab13e2557f62b6829390a0a5f823c9b4379b64249f6d8107

SHA512
19b461d4ccd778013d7be32f5023c16f61d6ffc988e54a5de47628f9b1bcd38ff5b6d3d9f222b50ac564102bb2d702c8072f0aa1a27422fe7c72764461231ff1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\C88FE6FE8ED0018995E76FB6B4CAEB37655B5835

Filesize
147KB

MD5
0c64f9bc2ec5127d34a89dc02ba01178

SHA1
012010dd1e03bbe25f132b556557890381da0e51

SHA256
0efac272b241301c3b5634d0ae0da0cd8411c357a1e7bccea05be6cd8a5bb214

SHA512
f82914c07ea9738d2cd9184a064c679f0b3707536855be9e7a5b0206bd76730e41cbd4d9705428f6af2a66a5df12d784a80a9852dc2d9caeba69e5b70c6374ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\CB0EAF1259AD2DADE8C50654E69498C8760A785E

Filesize
194KB

MD5
1df45696f4416cd50b683145423051ad

SHA1
3851bb8591523385daa3fd97354a1f6e6bf03db6

SHA256
7bbd5a1e711e119f4c340e457288a8fbd6fef88871c6e22968baaad880731559

SHA512
e0acbea8a2ae6919c63f890fa786de29eab115d26194f5c75675c0ae4bcfed6d959dd9e173b7fb98dcfea9aca46c72c2235e5054be6db0a3bdd4a07f5dd82703

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\CBE152E732457D11A2FF91CB928C19D99250FEF9

Filesize
69KB

MD5
9b8dc89176764d7a531ebd41c7ee0672

SHA1
f2d4803d253331a877eda59416e3e72d71ca9ab9

SHA256
9c693b15e39dc3952a6e3bc629cd508f4c1afb2388f64c360a6e4299eb9e5afe

SHA512
9f4ba1f2f841cbc3a6a0aab3cbec80c52e90291f77d74fae0cc90df8635b013e9afc8a19d6b0d7034a3629378f67b34601ced5e0225ea12b725fea172ef701a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\D105AB5F954C0907C9073BF810F90A3C36C6D3E5

Filesize
1.3MB

MD5
746e317b8a5eabdc37b3bf7aff4cd89a

SHA1
63ea9a285e7c00eac8f0b6f82296478de1c287af

SHA256
a298c868bf4ac83ae1efe6f5099a6721343d227594bbec031c5d5abdb5fdabb5

SHA512
fb4a972663d2640cb567026eeb6745b805e659397c39b2990ea197e1b244837187cf4a30e53a210f8a9b13812c8e792f9d4380fb1d96d19f61d7b1376c1abc17

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\D207CA89781848E7ECA4C658F22D4AEF1B168DD3

Filesize
27KB

MD5
390818ee19f2c68ab2519424179c0e5a

SHA1
6c70f3b91c99c688dc5955be93ace910485eb12f

SHA256
99bf00ddc7184e14f3cde9c21db60e9689c37af761bea6d663ee4cff901d7a2a

SHA512
e5ee4a856900ad69edb5308bbc19b131ab19e11a45ff6f948f7d370187a32896830996e333087659cd461e439a7ee0bea261cd206542de2b8f6a880435f5352c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\E46AC26CE1CFDEAC46577B910A1E38F95ABD3ADF

Filesize
14KB

MD5
b6b12ef2ee39944131c0b98572c70695

SHA1
d490025ee410192524ccbe63e91ec03f70262b0b

SHA256
5158221f3e58a7bb241ca32c830ef5a90df493a238f3da78ce3768c8ebb033d9

SHA512
142e7fedf217a991efc7f38695ffa65b57e3f83c69bde072549098cb1a845f3531f2385f23f93e433c2ada7f18117faae561fd866b1eb7568c7ac1c1fa9f38a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
14KB

MD5
27dff12685ed8f96dc1aed9e13e7d581

SHA1
5531f6f27bf243cc7e9a396154d22f5044aa09e5

SHA256
22bcbbfcbe5f53a3e4c0267ed555452ef41cd702520d9134bbcfd1ad920ee5c9

SHA512
57a675b9ca87c7544e6d6b30d1abbff4f168d47430003a1c2b5e4e1c3366a7d606f5b1b8969276dafda76bb44e216804f9dafa01aa361bfbca1e63b6771d77d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\E834B371DBDD4B77E3ADB83079A4419242742F89

Filesize
17KB

MD5
6167921df8da4d597a01e7371c73c537

SHA1
1031a9894679120e9517a65aebffd6917f5ecc15

SHA256
93f71786370fa26fca0c1d993b7dd3fa628364e0e9a97954bb65e996f44cb939

SHA512
645dd70d5d6540ab1dcef6be41e8801d0d77b4b5c2fde6e914751163a2885784c27712967cad432c5c752a4417a1f3f825fbf4a6d41954d678973530e125951a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\EB7DD385477F8D3CCDE2B439033C907AA695EA66

Filesize
32KB

MD5
87bc2458862222d91fc9177021b218c9

SHA1
5d2400a478f09dfefad18c8a2d5294a10aa34678

SHA256
dc5db1cfd8cae05ccc580b0f661b1c3613903337a49b8dd45a7f8d3200ce5918

SHA512
3aa2a0f769cb64ede5c91db4ce7401b163ac73ff0d4c7c39a36ca8ede7ac0d291f15cb71c83a986a56877542159cb855cc1e7e289414ddbbd014d384bef8063c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\ECE281212C7D34C2D33214DAB8505B450499A76C

Filesize
86KB

MD5
c030718dcb3f9ce04950d400b9b54629

SHA1
154e353b65683614b25c3648a7d076f8a4eab0c3

SHA256
88b08c06a9ca0d612f23f6617839f904ca6d397d00ae97e52d81b3f7a6b6277b

SHA512
aa459dc0262580ec1d732b04b8d2a6328aeb4c84be76aa68541ea41f0387f03c242b41c3b872acaa1719b026db813a1c913231b11f13020045b19610000f4bb4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F042D0F0CB1D03F626670DE9F0BE80F1C09C7CB5

Filesize
16KB

MD5
32cf1a6bd69ab5f8e39c2011a53deeb3

SHA1
75dd91239d51cedfa1283abeb5aa2eb657985a9d

SHA256
881d543c02c65db4b69f7cf925a188ee3c97308d68257f27a72321f3bdd1e752

SHA512
90098403c0a7184b0b61afa10e1d1ef0830e7838f2127e59a7511b762f940db131d8ae42704cc6121ba7245079f0095d63173e9d47cb533a370c8ba306637968

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F0C20D9E2478309B3114D8A208965000B4B1F984

Filesize
70KB

MD5
ead75e53527374c003d5f8fdc4c0b7b1

SHA1
2e8e9775df2a5003f8c55eb5d36cf906291b54c8

SHA256
1e6bc8e9864d1d78a511f59238e7b7ea9d99b88cb0b0a6d389b34986a2c8909f

SHA512
5c095023ecf51edc1faa1131aa32824071f3ca642e39b65daabee92bf82d0e1f936109bfb4a847659bb2b9a29360ad96d011c042f57fb44d4e2ef6577c4e62a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F2B38213DE7DBF61B5A68D6BBC630ADE3C9936C1

Filesize
23KB

MD5
45f82c608ec35f1206cc6800bebd9cd9

SHA1
178e28b628dc947950099ee5a6b341cb27be45d1

SHA256
b50e440de1d7c4660295c161cda528cbc3b71c600efed69f696b8391e3f61947

SHA512
75adfad7c999d706e2f5d4d9c645be3364fdea351fd378f2cded87ef4b30db5d87d0f5dbd61615d8b8640144a9e5190556f30c817a41d79ec3ecc213d35a1401

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F2E5EB143D82DFAC8777E8A98874B61B072FCA68

Filesize
14KB

MD5
a03d978e139135934405f90104287513

SHA1
cd2d6cc497cd9b66126d1efa9d55c2f04737cf2a

SHA256
b2dfb2dd7c1b03aea5a5d406edcae8dba3173485f7f43eda13b45e2768a79e9f

SHA512
fb21442f8eef1a75218ebac474beadb4f0858f14353e6f6eb9480d45c7903dfaf0a30e6a913287ed04581609470d90a4f24279372b4e288b9d0b24684de7ac6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

Filesize
14KB

MD5
f39348e73f8298bea3daf9e85cb74e1d

SHA1
d919fe49371f58ee8311f1ada7c376eac129e151

SHA256
385e58873ae8e459c5f1ffbeca3c8829f53c84b3faf2b551086cbd11aef3bac3

SHA512
2c8621a80c70b2e15bf66d80e381a1b5feadbde6744e24ce077add764803b9e89278db7b5b389a9e8bfd65146d5b0245d54c3eed7dcc54fce41a79ffb1f3b9b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F8E551FE6EF3E6467F170041C4FF2EFDFD32BFF4

Filesize
16KB

MD5
0b06b249de4f0107c0f1c285590fe158

SHA1
87b0cc41b5c00fd65e4bd9ab79658f859b2dfd6c

SHA256
523d101156b08cdff489b35f10e61afdc4d508d6c02046e08fe3a506e8c23e9a

SHA512
883296345085534d03a37c1515882e9daec52768a2545f1c667970549700d4695fe4a7ed308ed07dbffc26f073e655cdd3cdac19cb56b803f5cde54637ca7ee7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\F8FD20B3FEDC40556B36AD9EF0C3340C3B574766

Filesize
127KB

MD5
763b3a0410ccc9ec91af54d97b49c7ea

SHA1
354111111efb04598f5598e3142cb385f70ee322

SHA256
acb5702be2b31ba5f9064bb40a4300d4dc5be94d86a21edb6d571abc39467ee0

SHA512
e63527aa3f6dceaa15a5c7c11267f90ead5096959b9e3dd7755b2ba5a6d7f221867bf1d2b95d913c53feb38b0b6bbf90d820d22c936aafaf8e681f27676b43a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\cache2\entries\FBE15710F23A8E7EF7FD3D6A4385AFF0D22B7450

Filesize
15KB

MD5
870aef00ac1cd2a822f777bb930f87e2

SHA1
9f580b9437cd05cf936c9b8487e7b65dc6712bde

SHA256
f7d9f3174514297d5eb8005946d444d48251ff32d214db8221a1d7ea30099564

SHA512
ed9175533efb25b0e89acfa0eb0bbbec45b819def23c7e71fa5f1db6f7591ef35fe85876deb828be01f84111dbc90fec55999619f3dcebe04b8f4336a1d48a5f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9lt6socl.default-release\jumpListCache\ZnaqiQyMDx+YYz8u4Nk+616dWgQBGaGwZ8v_ILDvkxQ=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i3evnp0p.tju.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-ePVM1R\5c9a74674baa49a8cc3965a2d84a4f89cd4ea1a459a9b493fc02a581c95bf3a8

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg-ePVM1R\b9a7b76665d92af2d90cc6a15ffdc1a79635559cbc1c40bd1f83c4c4449cd442

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
b2391230ae8c0f684936c6cbc64c6d56

SHA1
3986f42462ccf72807ab01ff8c9e5433dad5d7c8

SHA256
002cbecb4bc7b7337756052959084a372651f3cf856b738025487730d4d5c214

SHA512
a1b0393f993340989adcafdad342678fb2c42f7e271fb42eb0e0fdca594ad08b9f1508ddedef093cdd6d2f0ce5a531bb4ddf963fffaf126b6c0c5481199dfdd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
5633bb00c346ef4268509c8c367256ea

SHA1
e7fe23ded957e74ca7aaab482d09ef28ecb49287

SHA256
f76b65a707674d25e3598419d5edba9b1ea9211025010916ecc2561db267f19a

SHA512
b4c10adcc620d5f572adad27b8c00401ac7ec1cdfdb928d3d4d6c82449d51d5bc502b05c463f6d47a2261a75c71720e5009a24245329e747c2974faf7883eae9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
37e015b73f2d94bcd59d0a0aa0e9b7ea

SHA1
e8a1557840ad3b3c564ecad7f6d628fe067c5a9b

SHA256
959e6c9fabf3461c7471014b570b598d61e82e53f9aeaf5fa5d55e22489a4349

SHA512
e091205ef9287f59f53c2dcf38bc6935f5de14337a5cfa7479face615dc7d9c5194b375a75a86d6bb36fa9f21f8b99ab2931a70b389a5e83ab8ff332378b6657

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
a780116b89b373b41b8bcb8553a0c41d

SHA1
ca725a6447f1e96a917bab562dc5751f12908314

SHA256
e6efc01d864ceef9c6ca98262d77d479eefc57fa20823f08e50a8d68a5cfd149

SHA512
7eb85b12dc2fec5d070608f834d76cbbb20da831b3f974246b28a2670e82d0d04da6042118d09d5473353f8deb9973c244676be6ef201e253e6db4e55997ff2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

Filesize
8KB

MD5
e664f8277aa8f4417a65060d1c517752

SHA1
15ba002ba73d02bc489ef611fa17b0cf975e2cd5

SHA256
fbc4a45b6e498847a74c81c82e127e18d565bd96bb9b44fc6774d21361f187e2

SHA512
1fbbbbffa8c5f12c420a680a7fbb3cd78e9b04ae816ab2b4ae0efeddd0edfac8d05c29321ecc3a4b003ee0590525b77f765c51d2ce4bf7dc2832bf2bbb3e5e0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

Filesize
21KB

MD5
e11c9dc7eda16e87b1f8c2fdfbb2e024

SHA1
6f309fd07811dba7d3fdf9b2ee0ecba5b7d6195d

SHA256
0813b33d8c8fdb45b67084f46083f422c4725e652f09006304830f943cf16d22

SHA512
afa3c8449494bb159e66cb57cf6cb22856da9dbfcd45d8e2451b1d28d5cdc370e356b40c90b2843adf4d0729e14eeda233f0ae30a0b7c7fd0261bbe1c216d7dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin

Filesize
17KB

MD5
09de3560c5e5d2f112892482ecad6df0

SHA1
c777ed45a1dd9ca80226d8b4dc62ab8901509f13

SHA256
7e741268ffe8b5963a9f2e6cdf09640bf33685fd0ce9e19f722cd3ee9f7cd712

SHA512
5f9798c712d4e0aaaf094cb19b6c7ec1f66cbc53aecafccd013d3293e0faa880eaa2faecaf71e2b0b82f6b0c07110f941dad941fabe769fb4e8aaa56c1160cf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4b468b7e222bcdad1ae4effd9ed3b2af

SHA1
68c34c023a269d7c7a3a29f4f0793c97b73d989f

SHA256
cf47980e17cfed26f7212d13ba5a8ba7502c670b398b9196eca5e5e57f5728c1

SHA512
6718f40f4d65af5052e3f84302fa217582a26a3b171abd000cc6d00e76573f997511dcf71baa4278d1ee4b0ea9e46ef84b6885ffca2528dc7336d16c03c49ece

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
52KB

MD5
5bed4caa83975d14d204e3f6ec40ddc6

SHA1
7d862c1de028bf193a3c106a5a550d6607458824

SHA256
59a83c7fc58474134edf7b213ee25bcebc42cd61e97fe97724028bd41d8cf2bf

SHA512
429f8d118081d2e4e4a28eb5d57add8101ae7224c693f8420bed9437c32785aad46f1aa3b4f0c6961c5422919a9a66cc450f5080e371b00bc12141145421dcc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
52KB

MD5
1aacd4a65b72f38785f0adba6e7ea281

SHA1
d7429db24f1205981bf0687766bdfaaa7319a248

SHA256
fbbb00596c10f5b6dae974ae945e6e7d337245a6fc744c4da29bdd92f5a7a925

SHA512
7dac8fd814522cf44a8d9b820bb1d35b2eac2a2870e87e08dec8ccdb319daa228525265b08621f572c0e9475a5b5b1dc6d039ca8b6ca2b20ee5ccd05f0b6a902

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\4e054184-1c96-4ced-b8b6-d7337caabb1c

Filesize
3KB

MD5
9b90a487061e436b0e378d9b5c910316

SHA1
88b53e05e3920e904b81c081f4e1d5450c5a6dad

SHA256
56e35dab74a55f0354b12410a4bfb014fd9d805f771cd23775014458cc2e56e3

SHA512
8c3fe6129335750ded7c134ca51476f6175ac91138dc051007773cbf0fbd76ca6a0779187389a3a8ad685475d1a9bdd99b46b664287137a9ca3757405241a93e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\8d611508-66ae-4bfd-b96b-1ab5d26b2785

Filesize
26KB

MD5
5ecfc268f0496267445ddd750cd36f09

SHA1
fc3f2d6c176b23fb9162b720e12c9bd3cfa198af

SHA256
87114df99e922c22dd618becb6f6653ecf0a039ef633c7af4d590212557ccdc2

SHA512
518fb91973a3b2c3c95094a15d04800de4e622e0229685c16fe604a95d8aa3e7011672cabbc52166b70833e4ecb67770c0955f5f669679759c49e75533ba756d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\8f7bba5a-1db3-4d06-be70-0eb2f47458ca

Filesize
671B

MD5
158762018ab52a63479db05611d47e32

SHA1
08c1f848e6bab9f3c975e5e8f24b9fdafeb0cd7b

SHA256
c2a1182058474724226d9a55d4272c0ce480910cc7bab0d7f785ec6c2164c5a2

SHA512
9b71c9e034835bb302377398a26452050f86b4d514c5db84620c952f2d755c34b0758f66a8f1f4b5ef63b4828d3baff1229143346333e3d66d5b8da35127959e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\a3368ed5-11eb-498b-b5b6-44612b43d606

Filesize
982B

MD5
0fa443d27871406a2a75a025aa0a80a7

SHA1
1d6ce89ea953d38ab5a279b1121779180d47ca9f

SHA256
40cdce621f956d72cd296397f298a564b26e1d20b240e4b26ffffbcc24cb8a66

SHA512
6a3d679b2c27d8f6f4e1c33935006bfe8a018e5d5169af02a9695803614b067659e3577dd9030b787a836091fe70dc96a7e3c4ef4de7d6899627e2a143b5f997

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\b68b9222-9da0-49c4-9de5-ffeaee978a83

Filesize
847B

MD5
89212c9d8746dc338ddb42f44a59bb9e

SHA1
cf03c36653510114cbc99b5c95bb857413734acf

SHA256
d357e94606a17b11d89513e3910bc9785c5966495d0abf7ca899b81c93a01538

SHA512
982a06b39fc45170032473fac5811cd288f51514e02b25e001a861f99b88f7169bf83b56c96b7435d168c76e69504e4149b110c701ed644197bd658d12916b03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\downloads.json

Filesize
1KB

MD5
a4a73c400ddb66349b3a37d1de78981b

SHA1
31f1c19508e670a55cdd2af34a361502fa7ad8f7

SHA256
0a81dfb12a59fdfb49c899d37bddf3a1ce9e087b2fa74035c747c0375f4d491e

SHA512
058491e43724858ee6169d3bd187372f96ff397c6574b13186e4d4911c3bd97e8a5b94af4955f18b752c8469bf4decefed869ee3cae3f21ebba494c1cc848e68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

Filesize
11KB

MD5
e7e39bff962138bc873abc3c0ddf0d5b

SHA1
95578da75337bdce23efdea443f86018b06785c7

SHA256
35ed47d541b531687d6e225c68c55241ce44fb0aa75b0cb9d19a36da0192927c

SHA512
4a5ea4877f38ab4e3bee702ff49e5b6f4a3b91385b72a72c7bd93cee8c8f8cf0bb5395b01a803a3dedc62017d8abf1bfb7aae7d5ea8e6ed6e54cea2f3e27aff3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\prefs-1.js

Filesize
11KB

MD5
5acebfdff21085027a5f4fa3e4642963

SHA1
cda25be2953d141270d1999c4c9a3aed1e62d9f1

SHA256
46a82313291c3131d1616541e5a2ae784415a5f1aec28c8db42e99332b9c38f9

SHA512
302c43e5f5475fad82b6e2996e3bf307b6f8e0b2b62d11a5d75ddb21bf9de9ab59d19a388d32c292f45392a9f56f1879e630cf56edac39177fe19a2ca04668f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
afa9a11e246f10b9b85e966fc3218ba6

SHA1
d576b45223f4ee2987ced9a57cc146b6aed8bb09

SHA256
076f7811997196c774955505c4db6d984793a36b4e52c4bef3b12a8ff640be95

SHA512
74c99afe37f45caae02a5d31d61ba4f15e086d2ef78f222c30799a0e9f4c9b92fb05392b3682d1e8d05bb0a268f0753f84b7a8eccdc33ad961cebd9ab8ae5fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
ac02a64267184400a1c586fd9a99b418

SHA1
1c88a179b6261bfb40f5633d93da606859a5db53

SHA256
ae0b677f92137698079e17199313dba3b66993cc67b4c97bf4a519456cfadc57

SHA512
832f34b23b6213f0b9e7db45c8597211e0c387c7fe516a3992a73404bd2a0cfa7111fcef590101cfb8dd88e907cb9cecb98c7fa9af5a5bf8499246ce3779551b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
2470c4c3d79a6c16b10df12f5cf3793d

SHA1
df65fe13802dfd8a45190f02f27cfd9c26b65c8d

SHA256
9b098618fd32b120cd33425c7e2727a34640ffa9deea22500cca2b93bb14cf29

SHA512
2c3c8a44ce14c925d7dfb7c9ed2798b02ab02d93788d82483b03ec0ed17a752deb1fa44f8dd93346be26f6e8b308fdb5f4f4b0130fdd59d7551c5f1153dbad95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
fde845688b2c658a024acd33f5e6498b

SHA1
97aa03d52aca4c9d3dcd454d8cd1e513bf29bbba

SHA256
457aaf590df53c0debb2fe7699783a814f58b1fb9711c9270dcf0591d0b1666e

SHA512
c2a9ddab449a8c14d3f2264989bdbbd8b73c058f5dba88e5327bd17ee0d2656ba5c6fd9e7a2939d7e19eddc71f69dd463a0ff3d3141d21096daa9615498689c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
0097fd652920324cbfd4517cad11f8c8

SHA1
25e1a562633b99661c15b46ab21c77d41b729ffc

SHA256
3eb207b45ad1d7a0e4893eee14c588632ec8d849f195a551e7bf1f473039de3b

SHA512
b1df24caedbb15b60cc17ac2b02b92a73ad2b98e8f1cbadb392c932718f8a4eb494cbc6d2948c3871b2d09843901e0f27c58898310390488cad05e4e373b133c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
509ae3112956fe7af1b2b4347f056b5c

SHA1
58dac7a78d25aa61033cad7d266039d15521a300

SHA256
596d256404fdede52e14e9b5978182458e6df8711ce993609c429e5774203bb4

SHA512
c420879e188f2c3dbb5d262fdf245ac1d252795b99437a1ede68aafb208556a88119fb0c6b137665f72318f80e5b03ef52d4c03d0f2f27038d6ad946399d523d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
74c6d106148f86e2d75443ea27d1f5cc

SHA1
d606376d7bbd56f85911a5ea82fb31c0e030b0c2

SHA256
43dc5a5ba4869d0bc53a97018969985baf57e5c4e4583957a9e6a8ac349d3f42

SHA512
78dd3a28e3ad0415ae952461055a2d8696b1a5d93bdadd7fb8df7860573421418a6378cdc9a8b01bd385432f4e5375b2e3dbbc93c6c8575862cf3f9ac3a996d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
5fe016ac39a74d0221db4e2fac0ff43b

SHA1
bab5b2c7a46109889e42abdc82d14eaa1eef08f2

SHA256
e9bf09f564a9eab4b2a7673367b5b5bc3c0f971db2288190b59aeffdbec69a93

SHA512
1b886da8aa1c493f33328114fdc55cf26227bc9fb99fe66fadc58c3782547d154985b48100b4187f170402a273831b8497f2886d3234ce906a95d2ec0aab65d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
0bab39bed528fa533fa51eb071abb55e

SHA1
2a1fa14f5f0d87acc7b592b7084f074f9241f830

SHA256
8ed136d9a567c753811b2f5f7f3d06f09250c54ceab8d5b364cc36f3c0d8b171

SHA512
9397acb4522dd68e0c1165ac3ea7e99b2f8e8d8105f063d22a97892354d926161d69dc8dcafac3b0204daa831ed6ee04fbf90380cd66eada4c04eb3e9947be10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
562dc16462b7fab06f43698031ed4825

SHA1
84cb000d4b4c5a0ecbbc3613052111893752a046

SHA256
b50fcf919749e0d87c364279e17551e63fdc1989d0fccc4c1d415207f6db656e

SHA512
3cb3c2b1768019dbc833851114d6f23c907f4a195b53c1b1d854633f89704363cb2822458b8f7412bfc92d8f3ba3bb7c2a4670857c7b6461e73dd7ddbce309ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
7174463653b2f18bae6df6adab67fd81

SHA1
91f0233680727c8499ca0bb105eb3459e3a34f7b

SHA256
bedfbb41fc3979f32e33258ae6399a4241cea92b998b2699c5b6268cf0280cfe

SHA512
231ab446ff1e00ae17b931aaaa10baaa572a93a4584c0abface1f84bac498842e2f5ce5170eb8ae13d810b2b7e047259faaad20a4b2ab03d06cd75a0dd0658bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
d48f30ee3fb48d430c6f1ed751482d08

SHA1
eb0ced984d8d46fd28c1ac82ac32859f396ac9b5

SHA256
8c1bcb454064e82a2e890b625f3233fe40c5fe540c6abdef7abee2d85a55fb04

SHA512
f3a3f1b046d6ab53b4d39a20ac743e1081a8303f4389d55883224e16ecbd195307113980599f453b09a91b254f73081225637161ac5a01998de82959b0d3607b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
a7641ea11478bdfed68d0371ef6ce495

SHA1
d3b2d7241e6b75e4327dfac1e8c4e415a739b6cb

SHA256
74633bd88642aaffcc6d0616c2c9c8a98f74f5c9a39b7f976fcc6567014c655e

SHA512
34684ca41ac924293a6432ef5d9529928211e4764bbfc1ddc94b5478ebf884382349fa6b7f2f0f04eb05376c4514d61e1d8fd8aa0f3cbc5d64340e0611480c90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
15KB

MD5
ce7e0db5b132a5e2ecca965b24a2a2df

SHA1
27a973f917c6e2922bb16eedc080abaea85a82fb

SHA256
a649717bdc7606fd9fe340be120324d50f8b9da30913a84f47d368cbe9669744

SHA512
40af3990d8348fdfa6eebeb5c977991aeb288b913e10e5d6fd91e415c9c2470bcf15f7e6b4c997a192a558bbccda442b9e7b7640707b922ef92cdb887ef1f099

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
afdf78e79350efc2ce20dc8bdb852970

SHA1
fb24a492c746950420edc87375369e47f957314b

SHA256
5a420d5c4e394db8878b9eb7562dddc6d3aae30094a599c3799fe22691bb961f

SHA512
efae1ee10a5a362eba75a15428e77c1e213d28e398362cfba9bac9c2107e38f71b74cac71b036697eb78842ea5d8ca35f8d825a021a87b6cbc7eb08b7bb30623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
3b083757a1b9824408db9bb82b51dd0a

SHA1
e963d9ab932b096d5b5147eb441809c67a1cddf5

SHA256
e5752b32f3878ae9bcd86cdf78cde7279d48d7af8f9ae455f204597a275bc73b

SHA512
9dbed0c3a56859177d8b4f896bccaeaac2aee2f50a7d15f72ca1616505ab3a6ab99e045324792f30b0ff6f65ea3ca66bd5bcc8a7316f7f32a61cca94f442647e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
9faf5579fb11527c043385845ba2726f

SHA1
e758bf434b2cc754732ee9762fd2af4fb66d71fd

SHA256
69ec4d6a01cbb309e837bf8d2af8dd9e07b9fee1ded626727d534077a162e624

SHA512
0e4d8632602f1f3bf5fbf2660c43036c3a6a083b06ab291b6011a009162dd385b525faf05acda985363f7666adc80f240ccb08262e0214a36684d11ce8a327ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
41e748136d7214f3fb3466bd05ca9cde

SHA1
d8003bde97ed89a5cdc8e28dfbe3c05d7a42ad0a

SHA256
902354c3b3669bb7beb41d020cabf939410a4d7b59d290859d7aca0100c96f1d

SHA512
8dfd0b905eece2bbc972205714ff70d8d6fa30e7ccef12744ef21f27659db724f51e68c241889ed0c11bb6b6f03e3a036a48428378e28302cb32827ccb3e5d51

Download Submit
C:\Users\Admin\Downloads\NitroGenerator.G0RQBMVo.rar.part

Filesize
786KB

MD5
8ace7a6b0cb3fd6ce87ff3ee4288afb9

SHA1
cd9a7d3ef5da4c9d66f15a5951f618ffefbd43df

SHA256
f782800865358fb1ea5f54e0c3a9f94bbad86d613896335a6fccac058e1bcb9a

SHA512
66293630a65e53bcb37622946b470913aa84f5202d85fdabfbd288d950bd08bcdfb796d9f8b41c628894f25e7e929e37ff5ddc5e2f4181329a37f291df70a625

Download Submit
C:\Users\Admin\Downloads\ReYANG-Windows.sLRm7m4h.zip.part

Filesize
10.0MB

MD5
30405460107ad1e05628d374883c6965

SHA1
2fb8a669616dea7bfc20c2f2197f205e4f781e2b

SHA256
c261edd592cdf1ede5724f33a43d021dee6e3c710a30ca423aacf94836757cfc

SHA512
41b598a7c2fc7dd847855d18a6cc38ba5d024811915bac36a0bc12e25bec8106fad853993837168d762b527782ca8364af37a7ee5c0af0066e66ef660e606adf

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.0C3urrIB.exe.part

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
130B

MD5
2920729da1ffdf0a8af2d7170153f6d2

SHA1
2b5269271b4494e24abf9217204b13be59be4660

SHA256
cd2b4f422661fa94aa10a6cc8ec747573f554ce7c5f94a0767ab9985288d1fe6

SHA512
158c3aeb7f35b338eb61864c74d91d0acee3598f5c579606155a33ac320e784f7b54346e4ae5b594477b4eced967410a969af5d07fb32fbb0e5abbc393381d9c

Download Submit
memory/1524-2531-0x000001AD98B50000-0x000001AD98B72000-memory.dmp

Filesize
136KB

Download