8a2662e1e0dd5975f0869d8055905ae8d0a1d160460ca84f58bab0233064c7c9

Analysis

max time kernel
209s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/app-64.7z
Size

97.5MB
MD5

5c9a17ad1ca9d74b154e7a61580d6ebf
SHA1

092382b4d0250ae4ec97a71682d8d8a55e0a8e81
SHA256

cbf34575e246e6f8ecfdfe47f31735e420391c264ca9bd6235634a3a3d4f62ad
SHA512

a2d917160142e7b71ce31ad7ae1ff20c23664f5cbd6c8cae40d76dba122010bf4715fd55d7a26f64edb37e65692bf7ebd6895cf5a21a137159f88721ddba51b1
SSDEEP

1572864:ge4hrV6xfC/Ez3FFLqXsC0E0fZSZNbzPBuykz4eXym/5Ej/cI8eR5WmH63pIldU:ge4doxfTzTLx727bjAR4SvhwOmH63ke

Score

7^/10

execution spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	FTB Electron App.exe

Executes dropped EXE 11 IoCs

pid	Process
1064	FTB Electron App.exe
828	FTB Electron App.exe
1016	FTB Electron App.exe
3764	FTB Electron App.exe
404	FTB Electron App.exe
4060	FTB Electron App.exe
5040	FTB Electron App.exe
3156	FTB Electron App.exe
1636	FTB Electron App.exe
1724	FTB Electron App.exe
372	FTB Electron App.exe

Loads dropped DLL 16 IoCs

pid	Process
828	FTB Electron App.exe
3764	FTB Electron App.exe
1016	FTB Electron App.exe
404	FTB Electron App.exe
1016	FTB Electron App.exe
1016	FTB Electron App.exe
1016	FTB Electron App.exe
1016	FTB Electron App.exe
4060	FTB Electron App.exe
4060	FTB Electron App.exe
5040	FTB Electron App.exe
3156	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1724	FTB Electron App.exe
372	FTB Electron App.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3736	powershell.exe
4544	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FTB Electron App.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FTB Electron App.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FTB Electron App.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FTB Electron App.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	FTB Electron App.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	FTB Electron App.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	FTB Electron App.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\FTB Electron App.exe\" \"%1\""	FTB Electron App.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb	FTB Electron App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb\URL Protocol	FTB Electron App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb\ = "URL:ftb"	FTB Electron App.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb\shell\open\command	FTB Electron App.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb\shell	FTB Electron App.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\ftb\shell\open	FTB Electron App.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1356	7zFM.exe
1356	7zFM.exe
4060	FTB Electron App.exe
4060	FTB Electron App.exe
4060	FTB Electron App.exe
4060	FTB Electron App.exe
3736	powershell.exe
4544	powershell.exe
3736	powershell.exe
4544	powershell.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe
1636	FTB Electron App.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1356	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1356	7zFM.exe
Token: 35	1356	7zFM.exe
Token: SeSecurityPrivilege	1356	7zFM.exe
Token: SeSecurityPrivilege	1356	7zFM.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeIncreaseQuotaPrivilege	4544	powershell.exe
Token: SeSecurityPrivilege	4544	powershell.exe
Token: SeTakeOwnershipPrivilege	4544	powershell.exe
Token: SeLoadDriverPrivilege	4544	powershell.exe
Token: SeSystemProfilePrivilege	4544	powershell.exe
Token: SeSystemtimePrivilege	4544	powershell.exe
Token: SeProfSingleProcessPrivilege	4544	powershell.exe
Token: SeIncBasePriorityPrivilege	4544	powershell.exe
Token: SeCreatePagefilePrivilege	4544	powershell.exe
Token: SeBackupPrivilege	4544	powershell.exe
Token: SeRestorePrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeSystemEnvironmentPrivilege	4544	powershell.exe
Token: SeRemoteShutdownPrivilege	4544	powershell.exe
Token: SeUndockPrivilege	4544	powershell.exe
Token: SeManageVolumePrivilege	4544	powershell.exe
Token: 33	4544	powershell.exe
Token: 34	4544	powershell.exe
Token: 35	4544	powershell.exe
Token: 36	4544	powershell.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe
Token: SeCreatePagefilePrivilege	828	FTB Electron App.exe
Token: SeShutdownPrivilege	828	FTB Electron App.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1356	7zFM.exe
1356	7zFM.exe
1356	7zFM.exe
828	FTB Electron App.exe
828	FTB Electron App.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1064	1356	7zFM.exe	88
PID 1356 wrote to memory of 1064	1356	7zFM.exe	88
PID 828 wrote to memory of 4692	828	FTB Electron App.exe	108
PID 828 wrote to memory of 4692	828	FTB Electron App.exe	108
PID 4692 wrote to memory of 1480	4692	cmd.exe	110
PID 4692 wrote to memory of 1480	4692	cmd.exe	110
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 1016	828	FTB Electron App.exe	111
PID 828 wrote to memory of 3764	828	FTB Electron App.exe	112
PID 828 wrote to memory of 3764	828	FTB Electron App.exe	112
PID 828 wrote to memory of 404	828	FTB Electron App.exe	113
PID 828 wrote to memory of 404	828	FTB Electron App.exe	113
PID 828 wrote to memory of 4060	828	FTB Electron App.exe	114
PID 828 wrote to memory of 4060	828	FTB Electron App.exe	114
PID 828 wrote to memory of 4544	828	FTB Electron App.exe	115
PID 828 wrote to memory of 4544	828	FTB Electron App.exe	115
PID 828 wrote to memory of 3736	828	FTB Electron App.exe	116
PID 828 wrote to memory of 3736	828	FTB Electron App.exe	116
PID 828 wrote to memory of 5040	828	FTB Electron App.exe	120
PID 828 wrote to memory of 5040	828	FTB Electron App.exe	120
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121
PID 828 wrote to memory of 3156	828	FTB Electron App.exe	121

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\app-64.7z"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\7zOC45D09F7\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC45D09F7\FTB Electron App.exe"
  2⤵
  - Executes dropped EXE
  PID:1064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:1480
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1780 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --mojo-platform-channel-handle=2044 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3764
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2320 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:404
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=cs "--cs-app=FTB Electron App"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=Auxclick --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3272 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2328 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3800 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=bmihlhkdakeonecelhlalfihkhbmgfjjamkgggdl --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --muid=84397ff7-8c62-a122-90c2-75a6ac426624 --phase=3 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=Auxclick --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2628 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe
  "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FTB Electron App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FTB Electron App" --standard-schemes=owepm,ftb --secure-schemes=ftb --bypasscsp-schemes=owepm --fetch-schemes=owepm --streaming-schemes=owepm --app-path="C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar" --no-sandbox --no-zygote --disable-blink-features=Auxclick --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2200 --field-trial-handle=1784,i,16265758265071052985,8021839621494511169,262144 --enable-features=kWebSQLAccess --disable-features=OutOfBlinkCors,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\.ftba\logs\ftb-app-electron.log

Filesize
1KB

MD5
ea20bdb702aaf4f2b6b8ee5bb3a8c793

SHA1
ccd063847a38db1f3416fa4d03e343eb935f6caf

SHA256
285557803eeac6c7fc079a204c7e52b51d48fc431bebd08581997fa2b1c33366

SHA512
ea5a0f74ccd7fe879c2f93a1095c6027f0b1b216cd18143450982e4314a01a82f1ab086969c8aa3086f211ba3ab241796c917756cd5ec90ae9c4d371c34cead9

Download Submit
C:\Users\Admin\AppData\Local\.ftba\logs\ftb-app-frontend.log

Filesize
1KB

MD5
8b0064288f9d02a7ef444a61d881c4fa

SHA1
2ab8c1855e100270e4b81040fb683887672a67e5

SHA256
0a9172c0420fa43bdbbd9dc9155521ac238a8e461029a655c408de5c6150f06c

SHA512
846ceee765d72743036e93c77aea767f5b8c2da0a50aed56f8230f2a93ed8f545a33eba76c014deb11909ec8572c51b89f6ed8ed9322603111f91ce0d5323831

Download Submit
C:\Users\Admin\AppData\Local\.ftba\logs\ftb-app-frontend.log

Filesize
2KB

MD5
a87bb2774f312659e70d71e40f2e1ce7

SHA1
107dea0d053b8b9edb7b8635745f7bc6304e833a

SHA256
0a46d75f1e41a95443e605487377b15d6223506c7840aab385919f407a462fe0

SHA512
c87241f0df272872903096112a9e3c714cd594519a1a87db93ae1640ce642b49ea102881b26f53b8e242557f5e32e3b3299d1324a525c08706cb71a65930e286

Download Submit
C:\Users\Admin\AppData\Local\.ftba\logs\ftb-app-frontend.log

Filesize
1KB

MD5
4661571e12a7e379d715e7324d91c180

SHA1
7030260ccf028e9da2afeee614bd3a82774fc20d

SHA256
850827772973cd5cb542ad25e0463ef6a51442844cef2c6cd9e6696a39088264

SHA512
8e103901bd54339ccc72f129eea13dee920851e5b56fb961a875fda6c56df10c698e53190cf0f9ba59ee88aed524aca2027d2224387224cb1ca2fbc5d2145513

Download Submit
C:\Users\Admin\AppData\Local\.ftba\logs\ftb-app-frontend.log

Filesize
2KB

MD5
132f3160a56940b7532165a0fa302385

SHA1
2f70d6949d386c3941b5e8efdf6b927351fc4834

SHA256
6d19e28954536161c11415b39e98dc7ff75fa3b57ce522c54bd1ff7098e688ca

SHA512
e0c930d961f23b8d46e707dbfaa706e511443f3696a382655f42729cbd5fa47f9b9233a3e5928264a563ebb15f9feefbb324bb4573fa9ec8d32914ca13ff6c52

Download Submit
C:\Users\Admin\AppData\Local\.ftba\logs\ftb-app-frontend.log

Filesize
2KB

MD5
43cfe1b567541b6a34a45eb6e1cdc50c

SHA1
49802e6a18ffaa6aa00dfcaa2fd0054fc5c4de53

SHA256
a8d07cb0ace90b13bde1affd70c5a9c686ed136510bc90af3687ff74859d9b8f

SHA512
fdfdb6193b53308fa5926b68ae028a43ad0caa96f8d47617938faa0020df5707a225941d912c9294421baa2673ece1039a1360aef669bb3b682afadcb36a2e4f

Download Submit
C:\Users\Admin\AppData\Local\.ftba\runtime\bin\java.exe

Filesize
45KB

MD5
25afa3f7841e280c72c48d17ed3cba0d

SHA1
f24a83d2a99327913ccdddb7d95f82830b512f61

SHA256
bcd252840b1ee111c2aebd4e995cf440622cd3024b0b37cb4b52b8a571193e98

SHA512
73b1af60bfb9786be9663fba76a80004a89f69295a6c8c6c551a41f181ffb4ff82bd7ab68c45240ee1f15449b4cec7b6fd2f669769755c88db599d6790edc693

Download Submit
C:\Users\Admin\AppData\Local\.ftba\runtime\jre\jdk-21.0.4+7-jre\conf\security\policy\unlimited\default_US_export.policy

Filesize
146B

MD5
1a08ffdf0bc871296c8d698fb22f542a

SHA1
f3f974d3f6245c50804dcc47173aa29d4d7f0e2c

SHA256
758b930a526fc670ab7537f8c26321527050a31f5f42149a2dda623c56a0a1a9

SHA512
4cfca5b10cd7addcff887c8f3621d2fbec1b5632436326377b0ce5af1ae3e8b68ac5a743ca6082fc79991b8eec703a6e1dfd5b896153407ad72327753222fdb3

Download Submit
C:\Users\Admin\AppData\Local\.ftba\runtime\jre\jdk-21.0.4+7-jre\legal\java.datatransfer\ADDITIONAL_LICENSE_INFO

Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Users\Admin\AppData\Local\.ftba\runtime\jre\jdk-21.0.4+7-jre\legal\java.datatransfer\ASSEMBLY_EXCEPTION

Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Users\Admin\AppData\Local\.ftba\runtime\jre\jdk-21.0.4+7-jre\legal\java.datatransfer\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrome_100_percent.pak

Filesize
163KB

MD5
4fc6564b727baa5fecf6bf3f6116cc64

SHA1
6ced7b16dc1abe862820dfe25f4fe7ead1d3f518

SHA256
b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb

SHA512
fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\chrome_200_percent.pak

Filesize
222KB

MD5
47668ac5038e68a565e0a9243df3c9e5

SHA1
38408f73501162d96757a72c63e41e78541c8e8e

SHA256
fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32

SHA512
5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\d3dcompiler_47.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ffmpeg.dll

Filesize
2.7MB

MD5
aff3c9075009063afa2e95bde1caf703

SHA1
1b5f25453620f27d6a747853e163da71346cbad9

SHA256
e7a997fcab16fb20295215b475fc8632d89ad8c3f1b2dc62919b6ba9d70fa4d0

SHA512
978d703d568796640f37f1341618c4ec8ce6757281016a62f3e1255ba79b6d6db71377b9c0c16cabebbc6ad820d6ff3a48ae9c1f5d29ebf1ed5b5e5290204940

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\icudtl.dat

Filesize
10.2MB

MD5
e0f1ad85c0933ecce2e003a2c59ae726

SHA1
a8539fc5a233558edfa264a34f7af6187c3f0d4f

SHA256
f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb

SHA512
714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\libEGL.dll

Filesize
467KB

MD5
d00462db5a0571df8c45d252421ea1de

SHA1
28649082cd362862ece03b282c9135dea72ee606

SHA256
490423b462d65eeeccd3c6d8c7ef5b14bc41efc8e56912d3f43700904268e7a9

SHA512
a67e32b5643010520b9e77f5d55c6028ae0c55b33ebe318ff69390cbee4039555465012a65722685bfb6243f24ecaa8e4dea3300b7805d4d23f07a4979146215

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\libGLESv2.dll

Filesize
7.4MB

MD5
f93e877a91c5ce36fcea8ec8a66175ed

SHA1
c0b90e7c7cfdcd71cb779c6b4adcff2305d6f058

SHA256
a1cab1bf7356535733b398693341fef638c1fb9fb55cef3d5863debc313ccc31

SHA512
1a62ef5d22838aeab852c3a02a831b481d76e8e7682bc8e6195d2e9ac37e572801fcf090106b261b1baa98afa3f0bedfb29741d9ac9365ffd17521219d773f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\locales\en-US.pak

Filesize
428KB

MD5
809b600d2ee9e32b0b9b586a74683e39

SHA1
99d670c66d1f4d17a636f6d4edc54ad82f551e53

SHA256
0db4f65e527553b9e7bee395f774cc9447971bf0b86d1728856b6c15b88207bb

SHA512
9dfbe9fe0cfa3fcb5ce215ad8ab98e042760f4c1ff6247a6a32b18dd12617fc033a3bbf0a4667321a46a372fc26090e4d67581eaab615bf73cc96cb90e194431

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\owutility.dll

Filesize
1.5MB

MD5
b62b4f3e21299973fa9445c8812cc9fa

SHA1
fc49873329005a2766ca62c3e3c6ed4e0e2a778e

SHA256
7a680bdc09b47cede23de05570b9cb0843c092ebfc49276e4b222a29095bc79a

SHA512
9d3e996e35efc9784b652595efc937d3aab697a004348db14b20a7f35f82f6a69e053b2bf507049c516ddfe809f05863db8cd131915f0bfa73c7930f42294e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources.pak

Filesize
5.1MB

MD5
61ef51118427f342a9f77ed97aadc6d5

SHA1
0d1e85c62918d108dbbe4cafc406854016a41744

SHA256
717900c9ba0703282fbc4696712792560c3b2e78e5cc6e467e4139cf10420c06

SHA512
d61efba7fa3a3f0e984c054a7755c01c3987a34dd430bc4f096255eb60ae5e4361519ad18e4a03b4a9f195ffe5d75b7e2ef936e740666e3d2709cc8010b3ed64

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app-update.yml

Filesize
98B

MD5
178fb63b988e8bd49c4b75bffae9055f

SHA1
3122325040bdbbcbbc82089dadc0269c49e44898

SHA256
9c5e09c86cf33193b5fcb7ccbefde4f5972d8deaaa08fa64d12cc26098325dcb

SHA512
7946011387afde4dc8d41641b5b3abd694bbb0a08bc6bc2c72a273146105a20d03e33979e8a62d1f1ad2f0795b2b2770e04d2bf38d7dd1e976c79f205e7025fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\app.asar

Filesize
7.0MB

MD5
de6195ee3b99cdea73bd80536e0c6eeb

SHA1
e3fdceb50febea50a1017fa7d6f898d3b4020ec6

SHA256
6f1e4c71de13868ecbc2586d7df4979afe397b5cd050716acec6fb7376f79c38

SHA512
c39b367e0c8f430036346892772097cd5781d35bf74d65bef075148cdbfc464c3eceb065d99fbfafb8fdab5cfe7a123537e3cbe97b6b42b97f31512b4ee0e391

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\java-licenses.json

Filesize
15KB

MD5
b8bdcda04e578cabbe803bbc1f1cf509

SHA1
5f82c46ec7db9999504e6a13886acf0980897560

SHA256
5de7b018026f2c73bfb9c8f6194775f23192023368210e6aeabc23aafe6ccb03

SHA512
7605baa7e107fb7e43c16bb422f39cec9ef0afd1c8e7fe4722f94dcb3f831866c7f1c309b462a3e90642286a9c9bd8fb9ac22b605e488f886fdaa2ef16131ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\licenses.json

Filesize
5KB

MD5
966c0aefaf5ca53f8574ccd898267d7e

SHA1
3aa26b1b66b95d26279fb707a8f4097400f906ec

SHA256
94ed7fb27a26274715f6b8e0c9652242a071eeacfca43ab00cf6695f115d53c6

SHA512
ea9cb77a3c86d0c325df9d64271af2801293413b9a7a302f43c5af94be9e301a15a3503f1fa71204424fdc5a2c38da003928346980e536eb4965c6b4bf576d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\resources\meta.json

Filesize
1KB

MD5
7b2a4bc6868854600fe57729e32100e6

SHA1
de4f53ea1cf982b9a58767a1a48b76957fe8a935

SHA256
02b21a5135a30d91ba01efabf935455462af4c3fba581cc15a740ce2daa1c729

SHA512
3e2e9dc3f586e596736dd14f543c526cc12db46973338bff2645f607057edd06d8e1631ebb44297be1dd307eade47046db7bc6f0abe90f3afc0336288f523c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\v8_context_snapshot.bin

Filesize
627KB

MD5
1e4da0bc6404552f9a80ccde89fdef2b

SHA1
838481b9e4f1d694c948c0082e9697a5ed443ee2

SHA256
2db4a98abe705ef9bc18e69d17f91bc3f4c0f5703f9f57b41acb877100718918

SHA512
054917652829af01977e278cd0201c715b3a1280d7e43035507e4fa61c1c00c4cd7ed521c762aebd2ea2388d33c3d4d4b16cee5072d41e960021b6f38745a417

Download Submit
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\vk_swiftshader.dll

Filesize
5.0MB

MD5
c4dc2e18ea30ee7b42c7f2dd0870cf1b

SHA1
f2b2ee1d387f71f170db3b03eb4405dd00fab6a9

SHA256
3bb8c47e523eb86237bed2c3f7c45cae970f4f109b166f325bffadbffedab3e9

SHA512
e761b8652d330bbab7873d7b038a3e00d6b5ae7deab47829aee90dcd622edbebec75829635921951c8c97c4f914574df7fa88f410af3179650ec83c9fc7f4d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fzljnm2.ttm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\owutility.dll

Filesize
1.5MB

MD5
bc9427acc4c7158675f91afb125a420d

SHA1
118dd470c8cf201a91a81fa9e3115eb149aff022

SHA256
fdd31f69d318330496d600108f245c45b3bd57c7bdba2f0f0e9ede24be94767c

SHA512
9654cb20a8ec89e258da7aef4d4bfa9a9c4a136d929a1eec41c4bc188ecd2e2c72e6ae12f2cd35bc8f9fa9d1a9ff92f93299767a6a00c1d0022aad212d7a22c9

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Network\Cookies

Filesize
28KB

MD5
ccf182eba517015b532f6f9a17958a0b

SHA1
95b431a3b0831c063651726fa3e11dc94c5e81a9

SHA256
50689921dec5daa501017f897a08d1b39a9ca2a95cb8ef53b60fd1ee0bbbb9ed

SHA512
581f833282544f223374e7e3929ff9aa301329e9fa4318c627f474d6efa7adbc699c3de5f28b4e7f69a8cf40eb535e310178dab36937fb0e0dcb1ddeb414f9c8

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Network\Network Persistent State

Filesize
850B

MD5
136374ee8086136adfa64f2fdfe268ad

SHA1
49c120f76c49f51edd82558c80e79761aabc16ad

SHA256
4d5af628ab5b5fc2c00840c1c8e4e94cb304849a6238c53b247db6a80ab9e4ff

SHA512
615d25f89d1c699a488e82d2996f7bcd0b22d8109c58cbfdd00a1784dcaa99dba3c26b97f1eb6dba4e3031d3c43349b694aadfff02a3a735572faa87ca31d8fe

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Network\Network Persistent State

Filesize
850B

MD5
6fea5b3489075d8971d2e02ccb8a9288

SHA1
099daddd59e18940e5ed4caa5a63fd7abfe9a959

SHA256
a668d15fb929e0343f007c6709c844e21a747a96de9232782d6e0dea22a512cb

SHA512
e5b80718a2c4dad853c8545d7de71ff81785a1c2561d55adb8b2d2584c532919c62128bacf9432dccd430a4ad0c554db2489a8ff6bb586b68472cc5e7c63c829

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Network\TransportSecurity

Filesize
355B

MD5
24e57fc67509578976058d3d3fad242d

SHA1
01f47551daf0ffc7a1e26c32344c8a10207c8375

SHA256
65065a9c3f200eb51b456600a12a9e06e6f664e005cb4d2bf4d81d507cb5a59c

SHA512
20909960febaa32f4e8961d5787521db9f827c5c10ab2b61e823a5fe73eb6284280444a7595be3483b011a5b62b004a9699a0daa6c2a767b064a1faf1a1f3d1d

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Network\TransportSecurity~RFe5aa1a0.TMP

Filesize
355B

MD5
947dcbd6f453cb717dd51f62df2ff0b2

SHA1
5d214274ff519095c9ff153213c1f583aea5001d

SHA256
261374d7e7d40b93de0e9bc1b7113d8c904111bac996de8572ab84a5a6b37243

SHA512
2c067619dc3d464e0e0293934c82f35041807ed59d8cf3a082a2f45a047c030fac66c3a18c134b41defcb52b6e77fda265a113c4d136459897cf7ce61b13b584

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Partitions\__owepm__\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Partitions\__owepm__\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Partitions\__owepm__\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Partitions\__owepm__\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Partitions\__owepm__\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Partitions\__owepm__\Network\Network Persistent State

Filesize
582B

MD5
206345695e1faa3dddb7397a02abcf82

SHA1
f8d53cf8f1af7d6e236ed5a17d68746b792f7ca0

SHA256
919b592825163c14a1dcbc0f49dfe994ef3053b20ab672efe21c8e3e0853d8ab

SHA512
6b64645c85d4a7049f5e8c89301dbb5268871576976e7cc9565a0d802e6d568c11a1a9b1e3faefc12c2cd625ee23a832fdff721c7222417c6ef63467e8481129

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Preferences~RFe5989c8.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\FTB Electron App\b8a144d5-7c60-441c-8015-51810ac67285.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\bmihlhkdakeonecelhlalfihkhbmgfjjamkgggdl\logs\utility\utility.log

Filesize
2KB

MD5
f2de1187261546f2af8774cfbf3a785b

SHA1
6c39b0782c2675c0c77247a43a6f3ff5f0ae1964

SHA256
bb8710fb9de48bd05d4a306998d115c64ee8ef501b08a1d2f203b896df1086f7

SHA512
32367ef973ac0452b8d6e04a0c8ba51ba9f79fd39c0f4c61d0e2d8aa66ba985b389d77fe33a9334f4822c691aba3112fb3a162f2326c5365b4155755dd8ab087

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\bmihlhkdakeonecelhlalfihkhbmgfjjamkgggdl\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk

Filesize
695KB

MD5
6b3881189e3ce3d3f5fa45056580114a

SHA1
4c3b751cde3c7af1f14798956e202c16788c9447

SHA256
3a119d4ddbdfba9328041c73dd3ab894b5669f7e2ff698a8e4be93b6013f6f4d

SHA512
a5844fb4256d0af88fde5f0176cd22293a01250bb107275bad3b87d7431cdeac33784c75fb5475aaaec7fb3d1c37c8ff95e9120b9d51d1d38d49bae2215e267e

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\bmihlhkdakeonecelhlalfihkhbmgfjjamkgggdl\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\2.0.3\ow-electron-utility-plugin.node

Filesize
609KB

MD5
65d13c459f463cb50a50467d6cade186

SHA1
66752ed8509d4ceea88706107307684539cdc30d

SHA256
6dec6e2bf0384953490117d7e1f5b9875769b5acc6a10ff051d4eed02de07142

SHA512
6d8a781ed4bfee34123872762062ebd5f742458b4d7c96dcf4f7db8d509512dbf3321ec3c15805ed9d3288a6d05c481c5be113375598d98cc74d99be6b13884a

Download Submit
memory/3156-414-0x00007FFDFF3C0000-0x00007FFDFF3C1000-memory.dmp

Filesize
4KB

Download
memory/3156-413-0x00007FFDFD920000-0x00007FFDFD921000-memory.dmp

Filesize
4KB

Download
memory/3736-365-0x00000267FBE30000-0x00000267FBEA6000-memory.dmp

Filesize
472KB

Download
memory/3736-359-0x00000267FBD60000-0x00000267FBDA4000-memory.dmp

Filesize
272KB

Download
memory/3736-335-0x00000267FB860000-0x00000267FB882000-memory.dmp

Filesize
136KB

Download
memory/4544-390-0x00000192C1230000-0x00000192C125A000-memory.dmp

Filesize
168KB

Download
memory/4544-391-0x00000192C1230000-0x00000192C1254000-memory.dmp

Filesize
144KB

Download