hxxps://duohacker[.]net/

Analysis

max time kernel
204s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://duohacker.net/

Score

8^/10

credential_access defense_evasion discovery stealer

Malware Config

Signatures

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5996	DuoHacker.exe
6400	DuoHacker.exe
6920	DuoHacker.exe
7148	DuoHacker.exe
6828	DuoHacker.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DuoHacker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DuoHacker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DuoHacker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DuoHacker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DuoHacker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	DuoHacker.exe

Executes dropped EXE 11 IoCs

pid	Process
3100	DuoHacker.exe
5132	DuoHacker.exe
5448	DuoHacker.exe
5592	DuoHacker.exe
5996	DuoHacker.exe
6400	DuoHacker.exe
6920	DuoHacker.exe
7148	DuoHacker.exe
6828	DuoHacker.exe
6480	DuoHacker.exe
5828	DuoHacker.exe

Loads dropped DLL 21 IoCs

pid	Process
3100	DuoHacker.exe
3100	DuoHacker.exe
3100	DuoHacker.exe
3100	DuoHacker.exe
3100	DuoHacker.exe
3100	DuoHacker.exe
5132	DuoHacker.exe
5448	DuoHacker.exe
5448	DuoHacker.exe
5448	DuoHacker.exe
5448	DuoHacker.exe
5448	DuoHacker.exe
5592	DuoHacker.exe
5996	DuoHacker.exe
6400	DuoHacker.exe
6920	DuoHacker.exe
7148	DuoHacker.exe
6828	DuoHacker.exe
6480	DuoHacker.exe
6480	DuoHacker.exe
5828	DuoHacker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\DuoHacker.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DuoHacker.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	DuoHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DuoHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	DuoHacker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	DuoHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	DuoHacker.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\DuoHacker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\duohacker-updater\installer.exe\:Zone.Identifier:$DATA	DuoHacker.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3100	DuoHacker.exe
3100	DuoHacker.exe
6480	DuoHacker.exe
6480	DuoHacker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	firefox.exe
Token: SeDebugPrivilege	2772	firefox.exe
Token: SeSecurityPrivilege	3100	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe
Token: SeCreatePagefilePrivilege	5132	DuoHacker.exe
Token: SeShutdownPrivilege	5132	DuoHacker.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
5132	DuoHacker.exe
5132	DuoHacker.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
5132	DuoHacker.exe
5132	DuoHacker.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe
2772	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2764 wrote to memory of 2772	2764	firefox.exe	82
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1864	2772	firefox.exe	83
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84
PID 2772 wrote to memory of 1728	2772	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://duohacker.net/"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://duohacker.net/
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48a055dd-6dfe-4b88-bc6b-7865ebb4957d} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" gpu
    3⤵
    PID:1864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8811e854-2270-4a73-a7c9-2eba8dafc720} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" socket
    3⤵
    PID:1728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6fc5630-5b1c-4b5c-809b-56d9c396d8f1} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" tab
    3⤵
    PID:1568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd9b6419-5dfb-4363-a731-a75acfa4e9d3} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" tab
    3⤵
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4140 -prefMapHandle 4244 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b6f7ce9-c00b-4268-bec5-a698d71509e4} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" utility
    3⤵
    - Checks processor information in registry
    PID:100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e968b1fa-e4bb-42c9-b3e7-fa431f235539} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7113012-ecd9-450e-9473-cefad5d5365f} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" tab
    3⤵
    PID:1580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 5 -isForBrowser -prefsHandle 5816 -prefMapHandle 5820 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ebb4c82-53f4-433b-a89a-920e32834013} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" tab
    3⤵
    PID:2044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5988 -childID 6 -isForBrowser -prefsHandle 5996 -prefMapHandle 6000 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0f4a15f-1a73-41cf-b373-437fb41a3410} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" tab
    3⤵
    PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -parentBuildID 20240401114208 -prefsHandle 6252 -prefMapHandle 5680 -prefsLen 29278 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f744ea08-45b8-4bea-b392-7df5b5120971} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" rdd
    3⤵
    PID:1444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6384 -prefMapHandle 6372 -prefsLen 29278 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69398e98-90c8-4e48-9e35-a0541add27de} 2772 "\\.\pipe\gecko-crash-server-pipe.2772" utility
    3⤵
    - Checks processor information in registry
    PID:4728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2392

C:\Users\Admin\Downloads\DuoHacker.exe
"C:\Users\Admin\Downloads\DuoHacker.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
"C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5132
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5448
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --mojo-platform-channel-handle=2188 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5592
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --app-path="C:\Users\Admin\AppData\Local\Programs\DuoHacker\resources\app.asar" --enable-sandbox --first-renderer-process --remote-debugging-port=50349 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2816 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Uses browser remote debugging
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5996
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --app-path="C:\Users\Admin\AppData\Local\Programs\DuoHacker\resources\app.asar" --enable-sandbox --remote-debugging-port=50349 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3176 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Uses browser remote debugging
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6400
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --app-path="C:\Users\Admin\AppData\Local\Programs\DuoHacker\resources\app.asar" --enable-sandbox --remote-debugging-port=50349 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4040 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Uses browser remote debugging
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6920
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --app-path="C:\Users\Admin\AppData\Local\Programs\DuoHacker\resources\app.asar" --enable-sandbox --remote-debugging-port=50349 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Uses browser remote debugging
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7148
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --app-path="C:\Users\Admin\AppData\Local\Programs\DuoHacker\resources\app.asar" --enable-sandbox --remote-debugging-port=50349 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4360 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Uses browser remote debugging
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6828
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3708 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:6480
- C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe
  "C:\Users\Admin\AppData\Local\Programs\DuoHacker\DuoHacker.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\DuoHacker" --mojo-platform-channel-handle=748 --field-trial-handle=1832,i,8742540988832053675,10009440298768560747,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x500
1⤵
PID:5536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\activity-stream.discovery_stream.json

Filesize
32KB

MD5
fad510cbfed76f1f27141fa052e64111

SHA1
c3af6d07c38a00a41eab8361722af8187be8095c

SHA256
09c248de32b8242182fac29767a92a73537f20215c97f99d732088a61aeb7dcc

SHA512
092b9652325dedcbc10468a4df3bc5e301fd8ed3d180966c3757359cdfc06e98d62fc89c3e2150046577f09c6aaf4e79ccdf1ff0b69d65357cebff7a780674e3

Download Submit
C:\Users\Admin\AppData\Local\Programs\DuoHacker\chrome_100_percent.pak

Filesize
126KB

MD5
44a69827d4aa75426f3c577af2f8618e

SHA1
7bdd115425b05414b64dcdb7d980b92ecd3f15b3

SHA256
bca4401b578a6ac0fe793e8519fed82b5444972b7d6c176ec0369ed13beaad7b

SHA512
5c7bdf1f1deb72c79b860bf48f16c19cb19b4d861c0b6beb585512ad58b1bc4b64e24edfcd97233e5b91dcd0f63ed1c7b278d22ec062fd0dfe28fe49cae52049

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\LICENSES.chromium.html

Filesize
6.3MB

MD5
6e638956244aaded2c92b77f9d421a81

SHA1
f5269556b6fe04cfca5a1da21af718641708a666

SHA256
652457f1b5ec60a81c8aff095366bcc068402c21eb380ba8286366bc4e9a029e

SHA512
f0e173761a6acd13b6c1b5eb896c361487a770a54f1842ffaa80c8ff780b37a1e801169786776c4afa7d9c75cd968dbaddabff082de55cf75cc4f9d871d08bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\chrome_200_percent.pak

Filesize
175KB

MD5
9c379fc04a7bf1a853b14834f58c9f4b

SHA1
c105120fd00001c9ebdf2b3b981ecccb02f8eefb

SHA256
b2c25fb30fee5f04ccdb8bf3c937a667502d266e428425feeb5af964f6167d48

SHA512
f28844dba7780e5f5c9d77ac3d29069dfcd6698447d5723886e510eadd51d6285e06adbda06bf4a69f841afc161c764cb2e5b9ad2c92f0a87176709b4acd2c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
2438f9abea41a6fe835c197f22eac825

SHA1
33d0e0091b3fa82d688d11af0f0f29b38d6ec16b

SHA256
7922878b04d21b883d28da17316f3b174f35335a2820d504f7ac91458d2e9cac

SHA512
d8bfb20be316ba19c06d13ea981839c034ddbfccfa23e55be431904f5fc88646f2c169a531085b29b8dd69c2257703dff3f28fa26cd7d2d6d692edf1aa221307

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\icudtl.dat

Filesize
10.0MB

MD5
25d87a2bb3581bc3597dfb9008516710

SHA1
e3f59f1de852cde2204256c7a8b1580483ab907a

SHA256
b75bd14a3d9a174ee44eca8c62b89c65d9836fcf62c28d103bfa300c02cef255

SHA512
59977fa5ec1dbda7cb6525c48655d6e8f3d7b00408e973efed1f2235d1d7fd88eae443fdd5e07d52f31ce83943aba050c31261baf2798c1b10aeae67981685ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\libEGL.dll

Filesize
464KB

MD5
bae33873ea0db05ea5555f53ebb19a9c

SHA1
070af32bcfebe55e66db75e1f7b3ce3cfe67c3e4

SHA256
fc2cc4deec921ffba6e1165d569d0df4209722524aaa21e78e5e1de2ca922ac0

SHA512
a7037350365ca3cd41115d332a9ea4daaa22206cb6b6670092af7e1da2f341d499f1961a31c01b2955bb28c0a178abe8dc942dec144db765dbb9129560e42d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\libGLESv2.dll

Filesize
7.0MB

MD5
cbd65f2853517cba2dbe6628223d9863

SHA1
2b5efd10aa1ef64fee1cd7ac0b21762b6f1b4e87

SHA256
8b6a54b72ec42f94072cad21911950014553e11fedc1573c11b3c233eadb0dbf

SHA512
75d8cccfe8921f9931b8f0e6a2a82f4162fc3d9be66f1556cf4857a48595f9820ae4b46e150d642ee27f327a31eb04445edc07e49e9333221a1ce77575224b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\af.pak

Filesize
327KB

MD5
f78831d4aec1d0e1735ad630f9e8f4ce

SHA1
4afc52c9d2e0fba6aff22596bf876621a7d88a27

SHA256
219d94355d0c460516f9baa83f4b8dcd3353ce13e7648f019810047ee8eecb41

SHA512
ffbf51a4ff656edd65575ae4d1f489281e3ef08e1e5bb05daac9786958d1af832520e6ed77ed197e0160e368fb56bf303f8779bcdcbe77d995364a433024d65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\am.pak

Filesize
531KB

MD5
8e8fbaad0de95893785875e20cfbe5f3

SHA1
f179e4db197a974e1e428f0bcb9cb1bc09df04f4

SHA256
f62791089b07bb9796292e5e3fd81eb1e68f3adba0fcc88fea4df744dbad6775

SHA512
93cfc2f82d3f83dd992ba758d067055cc26bae5c2e9b1ecd6974f4143c22da405bc6845d2d2a811ff043ff1cd55929ed04a6f929ae01ac211c781d4786a90246

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ar.pak

Filesize
573KB

MD5
cbeaafb259a3a0ad76739186e9b2bf75

SHA1
11b348534a84c9648eb86c9790bfb7703cde242f

SHA256
c28e612cae27402f2a75c9699268f1781b286748b0590d396e0a538e3aa67e49

SHA512
2c91f17343d947cd4eb4d8d339e5932a3331445b4e826915d54196c29ce548b7e98a9b5f9857146a9a956ce20d3e624fb04b7c44d3c1a2593e8b6e2cb12662b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\bg.pak

Filesize
608KB

MD5
96372403a9ded96f3a699262029a4580

SHA1
07069b20fe303f6eef1fb6c8c0a19266a0c705c9

SHA256
6c10b64d31e0dc2c4befc6703ac17343ca473b4350cfb3c6e01833f505b69590

SHA512
0df60fe13818f0c3c6838e77686c5de9fa03b97cbf0943f7a2a4ae2f3a0890d3d64b3a7652d8c81c23de876ac92e4c6b71d584fb106c3520c96ef76ba30250fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\bn.pak

Filesize
780KB

MD5
cb203032925be270222dc2c20fe771e2

SHA1
2f2f20bbbd07ee01cc996247bd9c2f40037dff80

SHA256
297d52b252df0912490ddf26fa58706895e70c2a0f3f09d0dc756706720095ef

SHA512
052be75c51051949c84216566b462733b61026ba74e212b000cbed7d93cb852e74ae83d64d2eaadc3093af4265b6783184cf8e0368a75e077d4b75daba40f9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ca.pak

Filesize
371KB

MD5
6d6f760b1fd64e4b83536a1ac4713e4f

SHA1
929a965b0ad9b8062c64ae940064260b13d05c2a

SHA256
9058aa0f327ff79b62e730d72a06351380b21dc9217f565a94acffa73abfe2ce

SHA512
ffb2fa6d6e809e4ff527d682a9eec422f2a123826529793b85ea0fdfb3f358d1e321f49ff707fe3777494e4043019ccf0e0f545670d4d29216a8aba56c7951f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\cs.pak

Filesize
377KB

MD5
3e2c49143f4718ddd9c1c74f8599fac2

SHA1
7cce45de66a3895c3493b998fef7bedf045b29e2

SHA256
08e40f5efc616cdc0588fb4b1a706d997c69d17ddaf97eb91a4aabafaa11cee6

SHA512
a849ca0d09e0d4c025d9de6c8008c13e13581961c321f53a552deeaa210db891914386fd51673615aec8b5d8d68a921a968db5d0fe447963892ceb0948861e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\da.pak

Filesize
342KB

MD5
6c24baadc460e788486e336ae505a224

SHA1
dd1aad964c24f46c69a81ea29a12a69bb0290767

SHA256
e20628baac73a284b2cd6514fb396d4e0a22f4f6fd193d5d7d45190a0944e4fd

SHA512
287bf70065ff99f20cfd150562b022762e2e61858cf0203d7272b5cd8ecee9c0567b8910913effc291162243833d445d13fc45f02b4b0f26d30611ad9c8d0376

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\de.pak

Filesize
367KB

MD5
4c83231e20122f26e0a81a91ba6146ab

SHA1
4597efc299df26a0e6db5db622921eb7b66c6b16

SHA256
2d4130e036290ff3cd938c664fe0bde8755fed9658ff84ba09c926829fec3c2f

SHA512
ca872465b222a145c90a314f44671a7efcd3e18ff072b1855a509a56e34854c4aa80ba1ab5ab5f9a3650e32a98d859bd80e52762ce2da57a40bde83092a80303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\el.pak

Filesize
664KB

MD5
8f5a15560710db2af852512b7298b93e

SHA1
30a13ebef10108effbad8c24b680228660658415

SHA256
bc07e403272a4d65305fe24a827404d7b931d01cda547f8c07a840d19e591430

SHA512
e3cedc0eaa82b10a68a40aca8ec1379a6bb924766e1c5abd97e39c621dcbc195d6c1ff80921c2320f0f1c87d160bc2a6258108399876339e5104f98d90a861de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\en-GB.pak

Filesize
299KB

MD5
05ac84aa6987eb1f55021b6fba56d364

SHA1
58cb66bba3af0c6cc742488ccc342d33fc118660

SHA256
e1e357c853eed83fb6c4133f8f4df377a8eda4fe6f0e55395f21c5ab6e38faa8

SHA512
c615e1eb01412c5e2c0402242d442a6cf08965318d1c0d261ca5bc6df9acba5efa2c87ade20e1e4740d2239ea56d1ce4d3fc7a4c3eabe81b876ecb364b3e91b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\en-US.pak

Filesize
302KB

MD5
3fef69b20e6f9599e9c2369398e571c0

SHA1
92be2b65b62938e6426ab333c82d70d337666784

SHA256
a99bd31907bbdc12bdfbff7b9da6ddd850c273f3a6ece64ee8d1d9b6ef0c501c

SHA512
3057edfb719c07972fd230514ac5e02f88b04c72356fa4a5e5291677dcbab03297942d5ecdc62c8e58d0088aed4d6ea53806c01f0ea622942feb06584241ad2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\es-419.pak

Filesize
366KB

MD5
527210238ad4c2f1b079cfd8857b08e0

SHA1
b779d21fb05cf8e6e9446fac4634d71e48a18113

SHA256
fdf3a44e1fe4fe753c196921f700014c81280464f99e15b8a6137804ec14ca19

SHA512
fef1cc7fab7816fc1e3ac5507f875ad592dde63509b7d738c96a010ff1a2e32ec1c9d1188023c5b92eea63fde72aa6bf990e9b89cd05788baa46e5e3b5198d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\es.pak

Filesize
367KB

MD5
96bdc30c826aca4fc7e5e6adfd889b75

SHA1
aa71721b78ab54a99b97b580c4f6d1610b198df7

SHA256
cc423403f5bab00309993241125577d5e64a1a4130a44979b4c8d3e07428953b

SHA512
30e3df376fe06d60388afc13a421ab335a75bf05651f2ce83c8eb80653f29180bb89154149136e3c5009de62bb62ba451a4aaff65f1de9cddb6fe3dec8e90706

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\et.pak

Filesize
330KB

MD5
054865950b3b9e8312a7f9490268eaca

SHA1
28b0176112eddb7af58386b4f8aed4a49b9a2661

SHA256
3599e7138a24a31839da877cc9718b9c0c9522437ea93a6222a119080f108d14

SHA512
bfc72f19ad1a52c0da82409accb33a27b2844ed29010207268c7d695ad7562a8867a87b70ac50142909b50b81a5c84d6f6a43968353ae7a72bc042aea8cbb59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\fa.pak

Filesize
535KB

MD5
b3adacc0f472d65371b8c8ead3595d4c

SHA1
2d4773fd77b2690598158769a788389ee80dae1c

SHA256
ff72cec00f81f0caa8947c78df2402bd7b643b27281bf0890b8eeee4c4f7de25

SHA512
fa01da4d811c8de89832262a8b1d227ecc5ff42b37e53a817feab2bd0bf91c9dd41097677ef20ecc269ee1ad792b23ecdd52ae3d3f65c8ca1336a22d82cd63f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\fi.pak

Filesize
338KB

MD5
aac0554a39bb1ae91e2ed4246e04c30e

SHA1
031785024765eda1534fd9504eccbe1b471ae618

SHA256
df8cefa4831fc2fdf817dd6d49a6373edee4f51f23cf990c690e72ce348f69bb

SHA512
a6afc9464047c75157dcb8ece086c1c5bf4dccb48d33da24e35c43110f300cfea503c4cca093f3d4bcc7a0fdcb306138da5be288ef646881b625751e40d93689

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\fil.pak

Filesize
379KB

MD5
f989a7215cac1e3fb4759e5fba9aef67

SHA1
5ecf35f160e1f8242b3bca163673e24cf6d77403

SHA256
448bc8eae353c188ffaa4c2466956598ad807f0f0aae7f12e1bc59584e1aac2d

SHA512
b872beb5b1c2702f4eae616f633318b4575f573c06a3f1f0f1e1ab83585a52caf2f3c788c0c3a0d499c381fb7f06a3ea355b8686ded2ed1e392662f2746db01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\fr.pak

Filesize
395KB

MD5
1a7333b3598f8dd05ec29a561053374c

SHA1
01fbc828e0b0ed5d06d4bd9f4195303759ad2feb

SHA256
c3980e2755c0fb13c09210d560fab480a907be5512c896f83033526c83bd0ba8

SHA512
f45c077787bc1795db34d6c0901a86022eef04cb92a556b246a0eb9dabe0dd618ee6ef65549c851da887e56c9d4f889619a5c319d6c816dc29fd15ca92a3e46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\gu.pak

Filesize
755KB

MD5
7b476c423ce29e61b0b21d7b6a2a56b2

SHA1
5558dcec5b2580345b0797f1f2ea41952417335a

SHA256
047da4dfadcfc6bec8f4dc7d250b1757caf31a23bcfa2ea3e1f3b1cdbe9a3995

SHA512
a494ab32e45cf74e2b7e0424b4e3740470c5c6cfac8f6cc980a681eb8c21cab76255391b6884134593dc7b1029ffd861f74b47130533232881c137c41ef92cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\he.pak

Filesize
468KB

MD5
738493fe36742789beb1eeb506a34772

SHA1
de88f04e8f97f8219eeca24901ecc02d12f2d9ef

SHA256
d57a910976a19e424390a5deb2216d9d3023e8d84d4c96d4bc1fa5bc22e494ba

SHA512
4d5dfdd6fa88ddb552a40e3d9982f2796ac36a80438abd69167155dcd3dc61fd7dcec94e77233ce384ee6725486fbd1f554e3f6e342f37d76845ea1dd308e2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\hi.pak

Filesize
787KB

MD5
2d626a4e3b9026f16f5d73e7c5a209ae

SHA1
8f9b3c05606d282a7dd15879603611ae48d9461e

SHA256
19b0b5d9d77aaff3ff83b6cf33b7f141181c143bc9ce3a3acb4aa0b42e7e48e0

SHA512
ea0097c931d8f86895ac70d1f911a8b31b7959fd43aa13a437655d5483ce49a71307a0f8f1ab63a9e17c357c9d50c96fdaa6ef8a3530e0e99bd2642c9824f1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\hr.pak

Filesize
365KB

MD5
04fdc1dac2cae614b0f566310dc83bd0

SHA1
74e460e19a5e9c8b6181fa37cb9085f93bbc6233

SHA256
bada5828fc0d80c842d1409b54e8da516ae737ca30d86658b3fad5c8ace4722e

SHA512
a07bebd16f00b0b46059a7b80454664757687a59903bc36cb837cfb55e69bf7f683157372f74ff8355ad50c3b747c9674ee942aac95a9804c39acb3841721d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\hu.pak

Filesize
395KB

MD5
410d8966721ff8817eb3a57f95a4b885

SHA1
f0fbe70c772bd635b0c4a927420e15b96dae05a5

SHA256
688312f38488c7256370b1517b84963a3ff886b31692cc504fe169db241a43f0

SHA512
d0aa167ee919589ff3b80640e8db4c6d11f9159e4a246082f0a564482789011c260f124b9a7102649d998c6a89cbff58cffab5a40e33769b990e64d6cc703378

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\id.pak

Filesize
324KB

MD5
dfa205151d8fd00101f2748705d6f307

SHA1
87f00af9668460e733bb1f5f8c37bf3ce3784a6d

SHA256
cf29b1d2c889842d2899cd615e5baf059df3bee2d899e5d196ac38e298a47524

SHA512
767df5dfb0023a799acb56360bb4d56ffa99b9d718deb1bd2f1dc1c942fb324e7c9faec99232df5ace31308b519e169bea631306739cb63c925939079bc1339f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\it.pak

Filesize
360KB

MD5
d6a9ffabe491fc403a74b7560c85a3e0

SHA1
52efb6af41e7831d5c7d7daf53c14858b66ce1c4

SHA256
7f3710678d8582be97638fcdcb98c9ecd372fd9982a1ac21a40c8af93dfea76b

SHA512
f8dd0f154fa50691cc731ebb894245bcf30f5991602efef58fd26e2b2f686d47bb6d5a6c799c3393b48dc34741440766ea0e514f020fc0cf40362c1b0b9a8342

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ja.pak

Filesize
440KB

MD5
7fc361c2d7becb728ca7ab6e64d09c7f

SHA1
0053d0ebca0c4c0187bb956cff335af88a9185e5

SHA256
f5849cefc882872ac31e790816e3695260378e4989c4609c66bcdd54a89cae19

SHA512
987934807ac6da563915457fdaeec57aabb04aac102575018b3a8fecd4f3951a13e691b2e9690bd0ad1b7cb7f061164e0fe6bbd5a6c389a2b438f6c8c126047e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\kn.pak

Filesize
872KB

MD5
8a3427385226ab72e8421d84225f7adf

SHA1
701a85bc6bca0ed33dbe1aa3a617ce26576c7421

SHA256
c315e791770cea204c7e49ef5b68fa46fe42864a33e77fa5a1d42f87ba85124f

SHA512
310719fb102c1f892d354f1478bba06e856bd45da08416be970a0a76e44c7d81aaa9ddd878234b2348b625e0d18cfe7c966379115f35d51f4ee78a986c1243b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ko.pak

Filesize
369KB

MD5
3340fd0a5e8f97f122e1d6e9a2052ca6

SHA1
9c8504b78633b6d6e445723b351a08392916c7d0

SHA256
3ee7d79af9ec226bebfdd9d79907f1bc97d528d2009dbd0db23d74ad655e0256

SHA512
07eb8dab24ea8545cdaf38e35bc23a71a33bf87a1c0ac78ac564c103c6ae53357de2d4fd635b22995cefdc9d8e8241c66d78dd44d68a9f2f251be77c0afa7704

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\lt.pak

Filesize
395KB

MD5
c037c0d80be2c913c20e3fe96d9cdaff

SHA1
8dfd2a42fb2e0041d6ac9b90c78b3cad0283c757

SHA256
e7c133a8dc438870f97112587f5f223f5fcae4f1510874b95b72cc281fa150fd

SHA512
0a90dd7d39759e1e63205a827ed6611dc6e54b37c668795123de7f35c446ee41174675a0d813974dba7353c0a1cc4320049d4fd1368cdfccb9cf9afa47fcb4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\lv.pak

Filesize
394KB

MD5
3053d480a88a2796fcd59573b9104bb9

SHA1
664a1f3d1f29b35e3cf7f855ec1592bbef2a43d7

SHA256
aec37ab5c79a66ef713bdbd2547e8e22dbad7ac226dd1470466c7f58a1500a25

SHA512
5fb5283e6d5af3738b2d9a53e85e2245c6e8e03548d9aae19b0b6ffc64630cd689f60d3cd19d943e43c8b1e4692ed60c4f5db21cc21d57cc629780d24dd0689f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ml.pak

Filesize
915KB

MD5
fc33673850c17a865cae7695fd3eb5b5

SHA1
72f3241ea35554c881e1849ba53b8f64b04502c1

SHA256
6295eb0b0d05d26b3fdaa19ad390ba30f267b7af7a60a214db558dcdbdb436c4

SHA512
6845293c0cd4ee1aa94972da1d58fd7085da5dd664d4031005200ae38fc4ab20f2c5cf44fe07ff80e003ef072f7f1cb23a452d6ce47124aa1efb3d26ae86b279

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\mr.pak

Filesize
743KB

MD5
d1f1c482775f60a868ca094108e3ac3c

SHA1
ba4396e5b585735e8505263ed42884876bdb564f

SHA256
f63460da44e2f71c237b2555eda621c8c211c13ae68927c27ad121f03daa0599

SHA512
2686c406b29750ee39b83247e4a4e6a0ce3325c1284ea11fc986696b43c672eeb0c5259c4834e4419c131941b9d1d35e53b05606168c766d27a614f49e223dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ms.pak

Filesize
339KB

MD5
52c793391de0e946616d31f7d5b90761

SHA1
50e014d9715df658221edea402609d7b09c9fb10

SHA256
ad044cb5cc56f8cba19ea3319081c194661f072d6b1193509e3690769bbfc2d3

SHA512
d5db7fb23779bf1b258f949ce6af5115adf3bd93760041ef70f1e2f599ef3be6a7a1ec871b18858a1eaca906b98b0a04348a427d5ecd26bc99d8e6d986843478

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\nb.pak

Filesize
332KB

MD5
be28cf3c50da9f1c3b7a85ba898072af

SHA1
d23db9be2cb40dcb9b6480a15cc21527c593e343

SHA256
4b5e5026d815c7c4ccc1ae6d58f0b5f1c83a2ece91f7ec028c05961171ad30bd

SHA512
5446f8c7ddbd8b2678d1abb921e6635f6d0c51229df20f9b9c5bda7fa84ea7965914efaa6e7fcfd030b574cbdb40cee0114394173ee152edcf4cbe4bdec6a032

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\nl.pak

Filesize
344KB

MD5
e442b2f2406c6e47a4e4d0e7743de448

SHA1
d2445a2c804ba181cafa343944aa8af1ec3da773

SHA256
dd7f66e04f78861d8f7d3986f707f06740bb35b839076ab8d3799944370b4544

SHA512
11b065eb66495a52d2bbd343b655e91b7e98cf51ab50e816c90a272022460cb2b297623c41a6f078c8362fe7e09032920c6f38663309ce920887c5d4058a47fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\pl.pak

Filesize
381KB

MD5
a742d06d1423b4ac4c9c38ac327887b6

SHA1
55d4b1e92a5911b4df37c8cebd0ee24d3a9d3ac1

SHA256
0f555aaa36f2908b842a4698dffd739b5381b12dde686303341d47fc475f9867

SHA512
18f40b161c6741e483f3206bcbf6d0d18969be985cea774055003b31cafc45b7e1580965fd3d2b32de17020eb866df3dcd2290c652ca4d0719b73af6073f3e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\pt-BR.pak

Filesize
360KB

MD5
e4b1fb0229dc7a913012cb5313123c3c

SHA1
6c137b91712593040c6e02bedb82d90d85cc2b84

SHA256
7b171f2a6d46295147a8d10e475048bac4346c6a5162b32a0336334baccad520

SHA512
7224d310713d94f56aafbdb80a4a7ddab5e19dd18a7880f93770b86204e323072aa8e879d2f7e1fea25a6506836e8ca9ed73068e76f4ff9b74c0ecfb807c37cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\pt-PT.pak

Filesize
363KB

MD5
d412b4a6bc7097cecaa56742263ba3e0

SHA1
8978b9820d8f193c933697d01b1882ecd348a60c

SHA256
5ca8d063080a3ee10baad94fe25f5dce33d17a269d02572f5e8c5654c7c0a28c

SHA512
ade2b6405957a8f1fdf03aeef50b568cca61e89c0880582d596586e36c1ed05a1f1c9baf1cdfd691ea6134d9165d83995b6b0a718d50ed9aab735bdd21344d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ro.pak

Filesize
372KB

MD5
efd3112d1eac487bb3dd2839385eed39

SHA1
d7a45ffdc10d24425c8b1590ef1239de34737a2b

SHA256
c50f824e63806e5782b693f7d474c48684b9e5174e93463a9bc2876c94990879

SHA512
f604f37f59c17e7a231ecc55121620138ba3c458f532889cd4b70a6046f0aa3ca0d53e0f342977d5ae0c1edf23706806ed429f72442ff90603b896125243e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ru.pak

Filesize
606KB

MD5
284fb3c4c19e22a9945d4f39709c0664

SHA1
247319c0d6beab4b5543ff650e4a4fa35e85354c

SHA256
6bf94fa22251f8931efc3978a8eddd0e4b3c945a8d30347178aa1402e70b375a

SHA512
0fc12bcae5d4cbfefc40dc761b27bf066a1329927d03c78983eb7fda037a54cafc3541d9273c8878c570c1a990f87bb0a489cc3c47bce530e0b1f11b0ce2ecff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\sk.pak

Filesize
383KB

MD5
989d000fbe286c0fd4bfb35305b52f48

SHA1
5a30a2cc1abe9977b1ffc4c4712452e6d55bc7df

SHA256
dbd82a2a08f8e9ba9581b2672bc49e0fa5c89f073b58f152225f9e2815228ddf

SHA512
ed57c66237d5226d4d5cb63e98248c0df9d381ef86b6d4ef339523f430c54aab14f84121e05e9fedaf273323ec04b8a539c0aeb791245858890126de2ce38283

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\sl.pak

Filesize
369KB

MD5
18414de97f92ebbeaf44f3679ed0fb2d

SHA1
edad45b03ca8a73f068ed586d52af9a583088735

SHA256
b5226b278f174cbf533ce248bfa01b69929f1d6633b92e9e010e0035ac69caf4

SHA512
4ae6e0a86da119d495a084f107f6a7769f14e3bfae2458860bd2bc5c43b1f3b8331e7104ae280b08d28154e23aff02e1ae3d44ce41b2c70b64c5db864ed63df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\sr.pak

Filesize
572KB

MD5
9e3951f7fea4dac374f5a33d8ede32eb

SHA1
ff36601cc3420ef637a809e1c3287479100d1337

SHA256
4a9d3e9c9cd593830a7b1c8649926c819bfbe0f40c158d4582ad45d4236d05a8

SHA512
510a396691091fbfe2e1ac068c54ad7e224b0a613976cf4705be74aca38bf4e7c8e329966eaa092f3d5d781ffa7192082e3f6e488a68286222a7b8c9922bf112

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\sv.pak

Filesize
334KB

MD5
c5437bb175fed93e85c5e7caf76ff352

SHA1
0d74f7df049ea73a47fe93b75c98e356b9bdd4b7

SHA256
3f0acf6f6319636c3e72cdc392b7b80ab0cfd8ae1a5a8e319624e4b46bcd3c42

SHA512
00af14e7d89a12f4f39fb45a3f9c136e20c06752f98fdedbad426ac9a5b820260a329059659cd82fd089ab1d94c1f51ab4202fb6b142b27538d0139e67877239

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\sw.pak

Filesize
351KB

MD5
e37fc1c3dce484bd0ce496f548f14a43

SHA1
02b088a11363b0a4c0527053669af32737f1403b

SHA256
dea6947693fceb6457801d912ea7c716add3c0cfb4c34782a9cfa4c4e06b9402

SHA512
c5c39d54f4eb6b0659903ce9b5c8804a750a254bf88cc7c6e729e7813ecbbcc88df882af9294b5b795ef5b8afe8f1a60fcb46b3929a9b2cdf41c84188e5852b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ta.pak

Filesize
899KB

MD5
909acba1351ea1753fee2aa006b75de9

SHA1
5203920c2ebdd37527c3df2fdf2748f6f9675428

SHA256
77548aa804c4fd61942d2953990680e4d3780a42d3583a65fff899751915f2a0

SHA512
92dea042052d780ec0abda9a88360a8f8c4a63e5b3b8ef9b23ea759d8aed18408d0b65f9968075dd88d09a474c5f124585ef609ecfe81d9ec647f8720203cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\te.pak

Filesize
836KB

MD5
61479f367868263d3797a1a4d1ee556e

SHA1
7886cbd1eab7a04a3a8b594a48ba74362b7f3785

SHA256
c03f968f167476f7a073b6e6723b51332206416354190e3156d12ac6998e8889

SHA512
21a689be75b0a015a0f0e4b6ff8050211273c61377a89964136f43599acb1ab82baaff7a0a44ba95d3eff886163bfbc6bd8cdf10fa10591c32c83203123b416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\th.pak

Filesize
704KB

MD5
85f59bf2f1167e34ab2b666608805420

SHA1
f0d8e8fc644c15c52c5f9d3419f88e6072799736

SHA256
4fe2b7b6886e3ce068be0b7a0a71d45756eb797eda1e7d4fad52ab8a370e8336

SHA512
86d6061895c996ad1caa3f3871c014b656e7ba7bb91f05c72a591cb5877c3db61965bc1a5094dcf7c4127d11f8106622355464704fd0695372627d8400a16ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\tr.pak

Filesize
357KB

MD5
ff425815f6377ecdba0b044b0ee73c41

SHA1
2c4bddec47d19f1bd8c0fb68e80807b9dc012c9e

SHA256
eed468f71e218be2f49e79cc7dcb97e140a5d9176a13586196f03dbeab0d8c77

SHA512
49561f6c02b6a4f38d136d4601eaf3da70140ff3de5fe44a92bdb772a6520545d8cb1c7480aaf0ff098dbdb284ae702da53257cdbd493420e9fc1a1f4ca5d4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\uk.pak

Filesize
605KB

MD5
9d029670cbcc964eca2a70e9a877419b

SHA1
f826f0bdd83e43503cff82bad5dc403404f0aff2

SHA256
ffc9894126035e91c96e9912e4d6c5b0964caa130aa47f280ce0db10cc6e45c5

SHA512
56b5727ddc8a96af953e2285b53501164bceba4da1df140e37c133e49b11ad8886a06ccb738757a9f6d653f029e04caf5467ed91b8858033a0427bf269e2daa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\ur.pak

Filesize
532KB

MD5
6310a289e55b1022f12b4f3cc29fe831

SHA1
150d81ec8db4d9aec6c0e83e5577dcb7f1956b38

SHA256
06a0c18d978b54dd163c7f77b7ee0f2ecf3607c5dc14032326f21b4a1f304d81

SHA512
acb538fce25486e6a01401aa0e9204a6f519cd1dfbca48663d6142e1fb6280bab271dfd2b4c5ddc858de6920805e539b791c48eddcad124d0aae298d479dcf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\vi.pak

Filesize
424KB

MD5
d81a7c3e9ba88077a352b216cb03ff33

SHA1
4caf53fa39a474a5ca1400d0671d5b0aadbd08c2

SHA256
04efa5f9bb7e8fcc7062c10b92b79db29a147f2a27ddd09863d73c078463c581

SHA512
c49d57ba45176db66b0ac43ce9c9539434b8e66a5583e081b713264c257f159900f16ab111f4a51e92dbbd3d1fe9af74dacc3feec2d5fba51d4dec4c429e60e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\zh-CN.pak

Filesize
308KB

MD5
a24b6fdc5c86e265f79f4e26d2d16b24

SHA1
3edf0016afe18622feae03ce7f126e78339355ad

SHA256
ab6b435de352aca2c2353a26da7ca6bdb1fe3b8c9ab9b590311e53d33e5a8cff

SHA512
473570d0390829e46a05e0aae6acfa70d98381ea24f4863570789004a60a4a1f4fcc9c3235b2fc9a0e42fd6f2a2dc1c779e2a52bbbae7f9a3337d878443710c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\locales\zh-TW.pak

Filesize
305KB

MD5
14f3f547a54713f91251b38459a096b5

SHA1
02ac592a2eb4a7c6631dad5aae83726ef9c33ec0

SHA256
280ba35171dfb6a54efb13fc4ddedc13a0283a9a6eebff4c15275767beb4ba77

SHA512
0ad8c6a6eb0dcbcbbf6f9e114c93bc2cf6004dfa9ad7b68dba31c2a9856c0a56acb66507f65b1823434b1ad362c1ac812b72c254e5329a2858e888a761f45ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\resources.pak

Filesize
5.2MB

MD5
9d878b1d256eb3f25d6ac803adf0b4d4

SHA1
17d69922b63e329392dc0b2db1c17abbe58ef113

SHA256
4e10d654ef27624370b879ab551d7423dcc12a0523e18c183d40d97650d7ebf7

SHA512
529e46567b955c9d369df9ac4095c0dbc00be73249caa23aace044808eea900ef670de1b0384a2eace2d63c6711a5bf1905629b9664bccbf85d97179e953f61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\resources\app-update.yml

Filesize
107B

MD5
fde81a28161384c35aba5f62b1f55f62

SHA1
108baf0829ecfc24e581843e5cda4acdf5fa6a77

SHA256
d7b21a2ac7f64d412f2b579dfc8196f25f68350523fed988e03425b659a8d57c

SHA512
f535b10d070935072d458dc63d9af6da913c95b209de64074b1c0b735e149c4f635c52c6a29e83865203c5fd605e9595aef6dd5ef625aa0fe059443e6046fd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\resources\app.asar

Filesize
6.4MB

MD5
c8e7f4137fe09cf8b0fdc21fbb2838f4

SHA1
5b09e6942c05a9eab7b6c9a81886ea23abe22df7

SHA256
de451b65bdc4ce458117bb07d7594c189713da2b34721a3f16b7ab6ca9cb4e6c

SHA512
9746c6ffa4d2b318f1ac5a787fe748a34f5d5bd91c60b8fb86801fd96bef885ad426be6d87d3205a26429f76929676011c75a8e2c336584b0de848218ec93e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\snapshot_blob.bin

Filesize
409KB

MD5
7fca1510183ba736f72d7f2ca0febb55

SHA1
8f05a77029bc372b31162892415cd969299c164e

SHA256
8eee6adbbb335ddb3716d2e509aa8459d2f39cea020e67c22dfb85b8598fa375

SHA512
32f1d6868a491110d4420aa15eb1fd56018207821a2e16ff3bde15ec4078b149fbe75e909d7c1b587a672b65d4e994d7fdf90b175d788857b9e086fe61d75c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\v8_context_snapshot.bin

Filesize
710KB

MD5
09b26aecfebe483e73c5c0566542b7a0

SHA1
7ae13f668381f2ecb70197c226cb5cacb87ea935

SHA256
16973309aff802c143ed31bf8b5f9e66766da082e03e8cc47004f99bb25b6ead

SHA512
32485d9ee70ddab62f6e5545a29f9e465966caac95f211941a4c471ecfd1cc046181a4d0030940f290c1bde3af722be8b60c9da8acd56858a43ccfee1e3c9418

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\vk_swiftshader.dll

Filesize
4.8MB

MD5
7d637d9f1015835d99639fd6950f548e

SHA1
9591104b23f46b0723deed596bcd16e2f31b3ac9

SHA256
44d2d6927607355dddd923bed2025edcf368fe9daabedcee2b6894e0c34f6825

SHA512
c218221c8900d7a45d97736764a0864f060c26b76562ddb65bc2dd0452291cbd89c24191dc80ee71451f26826c0b5f1d0002e016740b127ce31f1ebfef31d3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\7z-out\vulkan-1.dll

Filesize
858KB

MD5
e3b0249d0209585230ed299bb7a154a1

SHA1
1fc4d66ed099314be664eb80fad3834328697638

SHA256
a4df19cda9cba76e6ef085b7bc693c4237178b29be77a40172d534b6f17bd691

SHA512
cbe6fdd299112d0141bc73a334fdc5273f70c906176ab37791c1fee1d177c38cb7b9b5b01f04039b5a96afa75cb5d645fbcee4724a291d0921a9f12fded2c449

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5B1C.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Cache\Cache_Data\f_00000c

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
bd0a17dcb4517d7dabd44dde730d53e0

SHA1
75b87520ef5656b178b8edde29af34f6cdbc6b4d

SHA256
41079b9dd31ffc92b5e23541d6aee3938eb2324b52c8bd89f02bf8514bc30f84

SHA512
c0439861d386652dfdb670fb7a3ba05460ef6b1a32e6047352ff9f9fa3210f11e8dcdb06c88ebbf974bc224e1fd72472f8fcb3b2bdd26e5194b2e629212668c9

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
03ede2339de3f83c4787b9baf338ab25

SHA1
60aeab5ec15c1265a37702fed37988be5385a9a0

SHA256
2128f45edb1f584eff67b93bc85ed4c34b3c4d669ae9bd58c4effd9c25740e88

SHA512
7de49ab03ab29fba4f1ef0e1dc309f7dba14da04c1ee27ff6adf1a50a11c95931bdbc714bb6d1aa7bb12aaee9d387e2bc1f9ee59a76dc24079d8c93c7631f0c5

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
df31af62625b3fa6949b991aedaae5d1

SHA1
ac628fa4074fb083457f82b8baea96287f87c00b

SHA256
1e1cbf3b6152b6931afd74a0f761a76f4523ce536e349e2c62959160dabfa805

SHA512
a379b1af2462f39aa61b23323c2bb320fd5e58a2cd7f79c57fb817f84da37b46afdb98d17c0608df4eac0cd7381e0dae74ded123f532971235641d6906aa10b0

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\IndexedDB\https_www.duolingo.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Network\Network Persistent State

Filesize
3KB

MD5
d213ebeb8480825bb513b6cc23d5c070

SHA1
d1bd12b11d00be5d703261fdd4990a8beb08b446

SHA256
46522272846017f93bdd69e807ccfbb169bc4ef17c04c676147bf88548599ab8

SHA512
d07c776d09ba974ec44e5d892d30407ad458a8f9c93b020ef183cc6346d9f4bde7f1104ac2ece0c9372ce6a7275208b5074d7c6c12b10130f45564c459d6766e

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Network\Network Persistent State~RFe599188.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Network\TransportSecurity

Filesize
1KB

MD5
40bf3e44767bde4b3de0d8ebb1fa0905

SHA1
40d00138bccde2e51f385bcbfe31a150142c6739

SHA256
70d082ad1c23c7f1f1a4ac572f9aba8fc9e183462902df92a9707a43a9bcc433

SHA512
24174bacc53e8134dc360d6862449cc3453dae6f0fb89c1fcfdb4b26c28fdff21b18de7978255ad384a6f7a44d69b62a18505e714cdc32c250bf40d6da54e908

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Network\TransportSecurity

Filesize
1KB

MD5
addd326a5fb5003fb94a1eb20a6e5a4a

SHA1
595e8e13094e4bdcf7c1faa2627e1aef05c345a9

SHA256
45028b9c05f57822ab02a0580fc803f8c3ad66c1eeb8a60a4e5cfae9558182fc

SHA512
2982f9ab039259a09f678063e8aaa49e98f580689f2082b91c18c56857c6c8189154eb7dbfcb0b54eb3176abc01dcd54a69dc637e92c86ef4a3d9ae540012c66

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Network\TransportSecurity~RFe5905c3.TMP

Filesize
539B

MD5
913490f83b0795c21ae7199ba61072fd

SHA1
b2b39c2b86bf85fb759c065a94a9c74e0e27efbf

SHA256
73c69a4390a6627dbeddba264f12b35c88bdc03774731d49b68d2c257d1b19e8

SHA512
cfb7dfbbecafc2fe92aca4c4c6e05bb0181fc371e23420cb40043877ba78cc42617ed386621898a5be3d2e5469af2b71efff8262e35400e43555883583a1dbeb

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt

Filesize
74B

MD5
73a465dadf426a1816e6124332dbbe2a

SHA1
9016ee293d948b12d364e9eeccf7eec06a1aa032

SHA256
60ebfbe19e0b00485e81b7fa15d8988ac37bc2cdfd734311d3ee4b24f562a8bd

SHA512
e55d2a34a093562bf8cf9d051dcb7b1bdf459a86cdfde578ece91f76ec18f7fd1007db5c93dcd9864fb97dd7d5d7581ec6bbfb0d0e867e04290bf434935725f6

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt~RFe5884fa.TMP

Filesize
138B

MD5
b46515605f48855615b7ef7275da882c

SHA1
f425cc06d1f8318015d88434a48dd22a5e8d16e8

SHA256
fce36ff03555f6b07bc101c6f240828dfd7e7821311cb6771fa00afe721cbb24

SHA512
1865afb2c48af4306fdd76e6c9cd2f5d0fda897702b9f8ef45cc62706ee31759fb529a570df18cd853371efa72b36b19723ddb0e6a367ccb15b6d587f1986259

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Service Worker\CacheStorage\96987ac9a26da52eafee5918e416296f955231fe\5f87b63e-196a-4a46-8bd1-83775eb3e762\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
8ac8755a00bcbe37edf65c9ca4a83ca1

SHA1
c28ec59b0b76865eddb03beba2593b4e310c7747

SHA256
49285a2956d651a5ee448b05022406f252def671fc3539fd42ae7ff86db4ab11

SHA512
568f2e43e686c8375bae218804509905b005ca1f36e1dc378af6d1b9b5cfd0674f5912381fc7a84c216cf3475504b31b453ea4b9b8e861d476221ee57eda64e5

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Service Worker\ScriptCache\index-dir\the-real-index~RFe593677.TMP

Filesize
48B

MD5
7bfd81177d2b00afe08554ceda61ea16

SHA1
5a0efcf218783232043888d6d9613441df0191d9

SHA256
bcdc4e922619f1aadb6555108543aab5064c26b006a8b84f798d27fc5a06cddb

SHA512
6072d348409a817ce86cda9daf8ea755a4461b09a5b24c3c5eae87863ec7c854a35bfc9ddbb6fc6a5dcb898707c3534c6b624fef85c48a20f9693b57d35045d6

Download Submit
C:\Users\Admin\AppData\Roaming\DuoHacker\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
6KB

MD5
d46bb414b640deb8caee8daa60a49f7b

SHA1
e4bbd3c858224ae22afc220a2cc2deffb62ccd13

SHA256
54085e4df6b6141d0a1a39c7851be9af3cccc4d37fa904826e1c171211a2e8a0

SHA512
f5919e299d2f8605cec7e83bee5feae3b7be8f7649b02100d3a83c69bab5c50391303ede0cef535e7a3d34d500b1e55b783f720b30cc2e0b5fcfc30a7914db59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
6KB

MD5
c5b7cd8bbdcfe055260d5ef6b5d3e942

SHA1
8ff4d4c0404ea13c324cbbe5d11d1f18673d312e

SHA256
3e2d1b53da5f21af70a1fa6725f1f300c69d5df82237a5e9e3d587bbe05e0cd8

SHA512
0904ce0dd5fb7df7d3e882bad7b992ac12b1939aa8f6827859cfb1cf554ada5eb2e7c1682f76b80bd4c7859859c14da4cf9faafb982f8f4694eea89d781d7a64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\AlternateServices.bin

Filesize
20KB

MD5
16868990facad2d29b83b0e5cb2d2781

SHA1
6f4e51755eccd58ca3879cb7a15702f81a42631b

SHA256
273c869ce439dfaa230226e344bdb04fb76a217f2ba15d5ab5df20b3acff2690

SHA512
527c7d53f9713f8ae36ed2f934cc3a4d0104c2f4ef36687ca08b23b8c77f2592bfd55bb1294d5d1da818b232cc7a69c6a2b5c526becf7862b0c2eb788321b9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
a16780fc348f49ae8276a27646473ebd

SHA1
8c29d6a248b28e9cd11160f5c2b99f0251209f02

SHA256
ab68255ad8e2440abf2eadba217dd228d9cb6684798b41d24fe35683a465e712

SHA512
a809f91bb44ea4e43f7d3c4560d2a8a7d5e3eeb59cc8f8b59bff1b87daaccb2c8b9769af305359b189a35880fbbaaf4a82663d90b35da79d2cfa2d3fe30f1b05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a0d0ef16565bb62644bc84b2fb8e1327

SHA1
b2998837d6aec9efcdb776ebd58090a417a3e41a

SHA256
9d817e6c24c0e099525c99416cbd400afaccdd319ccb9171cc891217dfaa3b29

SHA512
acb726e63212df704cb14832788450239ffc0c27288f4c201d170c86633beaaa9a0677e4e93687201e45e6e07e3e7e0e6ba9be4169f6173ff89ebadc25a11ac2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
46c35a0b1ef1e01d92d556df7bc54cdd

SHA1
16382cb19ced9c76f6b1a1050e6dcd2c1b7bbf2e

SHA256
3c350a9a3965bdeec974b11bc26c64b483d6310cf9592d0a07900f2a30820bdc

SHA512
973ad796ff62cc7ed3423f96128b17537c27a19a70166cf23e774f76c024a2efb4a444236db60c3f3c00cd7ec870df5e240263b8f403ee2ea853ffb4478a16aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\13280897-4466-438e-b3b6-a82f3f311dfa

Filesize
26KB

MD5
876b6e72747b3123c16ce8764cfe0cd6

SHA1
041dca427e2f1fec6cc16b637bdb92033da22739

SHA256
b6164b1429aa49811ecab3c33fbf6d081e5233f1cc7fd5a0c88feed3570350cd

SHA512
ad27656f96d356e115fbe0db792f360617167423189764688365c907acb0d43de0f5c091e48aaf9ce2b53287c89968e53b7170ea96da78bbc64afa98bfaf0555

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\36146339-1e08-4533-b58a-3388d49d66ba

Filesize
671B

MD5
9e3cd9a342640104b53e5eb1567bdad8

SHA1
1e13b928110685c771d3e84d83a530f8f9598606

SHA256
e7830c5db3a3b3f13f255725e8f3aa6f1c6474461041b5b541be812e47821762

SHA512
5003cfd512b7b4f995673c99d0eb29115f93e26748fd4603421773e6a9265c2636c4039da80bf90a183f09b5658dca75d67a7a2f5bed25a5deb02b47232b1bbb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\datareporting\glean\pending_pings\9252c532-48cb-4b3d-a25e-a960e58b06ac

Filesize
982B

MD5
cf17cd9ec2c1040f59abdf89a7030ad8

SHA1
83d08f417da30c2066f4fd3118c5ca9389e35bdb

SHA256
4fc4d070728bf1664a55d263606288d30b25d2f8f8520e72657eec26067a0922

SHA512
3eb2abef5bbc60fee8b276bc8231b1fb3f22ba2a2d7a70d9dfbc24b422898a39afe7bec5308f61bc0810e2cd90a1787141439795fa8a32d03b54688b92d16de8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

Filesize
11KB

MD5
bf0a2fa3e1fb8f7a106fd03d5238b12f

SHA1
355823bd371832efc345fbfe8078fb2b5e6a9dc8

SHA256
3bc21023bf9bad51fc60e6ac6b6af217106d4067be73d36eebd7104eb7e340aa

SHA512
9bf0d2be0c80140a8869ac45340089fc18ccc04aff19ee0f2db51fbc9b681f7dabc704b81ca04046b7fdf6f20336d82a2f88dfa7638324a8cefad8c1518037b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs-1.js

Filesize
11KB

MD5
705c118f18da7bacb838decc26b70d61

SHA1
fcc8d79bd3526c16c7a8f3b71e4d29a716d35762

SHA256
89af80af320a7928d8a4db59a1c45cdf84217d203a2642f4defd3ff279f44f00

SHA512
721eb5bbabe90d30ec2c993fc7412e01661dbd3f22f20b52298e56b49cfadaeac5b614ffaa055c8bc45f1f37cf65394aa57b316bb7085b69c994c8f3ae542528

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
11KB

MD5
c13e343f90bb4c83f637ebeb485ebee8

SHA1
957acd4daf08d5aa4c2496461060b44901cdfe43

SHA256
2760e4dd1712f5339fc21133c4e3d914fff678dc91efd3352cd57dfd95cf3bc8

SHA512
16e8797ab9347b4cd72ce38ed502975012ed5c0278c7230822e632e01ffacfaba87ae12ec84060c67870e22c18d37602801a7f4c61e7809037f9c852ec42a28c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
7583adb58fdbd714b37500b6f2e903d8

SHA1
af5638d7b56a69ad3e3a9f36ae1bd6e24641fe6f

SHA256
4ee182fd35b7326e3df0eef546cfcf0b92973c84e0c22c0d23113a8f147c98c9

SHA512
98550896775336b40999b6ca744c52cfdb4cdc33ace3ca9f1e6b81f4b7f57f804615792b0baa243d88497b86a169a3f12c461d132dd0c68ee8723458e087f7f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
368KB

MD5
0858c817b1070f1e765c8dee383217fe

SHA1
9d1359e988aaa08e5d0b1cc87cc0ad096fd5670e

SHA256
e5157506ce78208b60d78755e8fd5cede3673e4601e54033664dca3965b9f563

SHA512
fe874a9379bc8f922fcaf877c7410f51bdccba2bef6cdfa1b65d06d35bf5d89c21a4527cb9b26dd65d07779021128c63c699f2b2e424add08b22ef25807dc815

Download Submit
memory/5448-1141-0x00007FFD37B50000-0x00007FFD37B51000-memory.dmp

Filesize
4KB

Download
memory/5448-1428-0x000001C39EAF0000-0x000001C39EC50000-memory.dmp

Filesize
1.4MB

Download
memory/5448-1427-0x000001C39C460000-0x000001C39C52D000-memory.dmp

Filesize
820KB

Download
memory/5996-1431-0x00000206C3DA0000-0x00000206C3E6D000-memory.dmp

Filesize
820KB

Download
memory/5996-1432-0x00000206C4480000-0x00000206C452C000-memory.dmp

Filesize
688KB

Download
memory/5996-1363-0x00007FFD36E10000-0x00007FFD36E11000-memory.dmp

Filesize
4KB

Download
memory/5996-1364-0x00007FFD37330000-0x00007FFD37331000-memory.dmp

Filesize
4KB

Download
memory/6400-1438-0x00000223E4800000-0x00000223E48AC000-memory.dmp

Filesize
688KB

Download
memory/6400-1437-0x00000223E41B0000-0x00000223E427D000-memory.dmp

Filesize
820KB

Download
memory/6920-1595-0x000001B8DCCF0000-0x000001B8DCD9C000-memory.dmp

Filesize
688KB

Download
memory/6920-1647-0x000001B8DCCF0000-0x000001B8DCD9C000-memory.dmp

Filesize
688KB

Download
memory/6920-1594-0x000001B8DC6E0000-0x000001B8DC7AD000-memory.dmp

Filesize
820KB

Download
memory/7148-1605-0x0000022CD0D60000-0x0000022CD0E2D000-memory.dmp

Filesize
820KB

Download
memory/7148-1606-0x0000022CD1400000-0x0000022CD14AC000-memory.dmp

Filesize
688KB

Download
memory/7148-1664-0x0000022CD1400000-0x0000022CD14AC000-memory.dmp

Filesize
688KB

Download