1dc4ecb493c5e6319426306929fe0e667c7c5de0326ef29893c7cbb54ee3a370

Analysis

max time kernel
150s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Method/Method/MailDumper v1.2.3.exe
Size

14.0MB
MD5

203069c34e0ca0aa5f9989f017183c7d
SHA1

56c8d23005e226fade5bb89e65fcb6cb54f61d55
SHA256

0bc9a0422c1cd4b679b5d827340d902e10916c8612c202ba899faa8becd94fc8
SHA512

f6752eea901b1d45a3595fafc1fd246ae976ee3cf2b4a290c290afd60a5ae02f6092374dcf292710139987beec68d70fb9bf531be262657bc5088da8d19ed5b8
SSDEEP

393216:bSatY8L2Vmd6melh2pOc/e+7G99YPzAr5jEGuKsV:bSai8yVmdKQpOunzseG6

Score

8^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
7032	powershell.exe
536	powershell.exe
4244	powershell.exe
3464	powershell.exe
1340	powershell.exe
1884	powershell.exe
2184	powershell.exe
3604	powershell.exe
4044	powershell.exe
3664	powershell.exe
2196	powershell.exe
5116	powershell.exe
5196	powershell.exe
4208	powershell.exe
2380	powershell.exe
1460	powershell.exe
3520	powershell.exe
540	powershell.exe
1604	powershell.exe
1700	powershell.exe
5208	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
7864	netsh.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
7948	chrome.exe
3216	msedge.exe
6580	msedge.exe
7608	msedge.exe
4780	chrome.exe
4072	firefox.exe
7464	chrome.exe
7456	chrome.exe
5048	msedge.exe
3924	firefox.exe

Loads dropped DLL 42 IoCs

pid	Process
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe
32	MailDumper v1.2.3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\picNhxFeuZIkQfd.ps1\""	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
25	raw.githubusercontent.com
19	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
24	raw.githubusercontent.com
26	raw.githubusercontent.com
16	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
136	api.ipify.org
138	api.ipify.org
145	api.ipify.org

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5896	tasklist.exe
2184	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
32	MailDumper v1.2.3.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6032	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5520	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5828	ipconfig.exe
848	ipconfig.exe
7100	ipconfig.exe
1552	ipconfig.exe
5672	ipconfig.exe
7580	ipconfig.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6348	systeminfo.exe
5468	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133775501919358367"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	powershell.exe
536	powershell.exe
2184	powershell.exe
2184	powershell.exe
2380	powershell.exe
2380	powershell.exe
4244	powershell.exe
4244	powershell.exe
1884	powershell.exe
1884	powershell.exe
5152	msedge.exe
5152	msedge.exe
4208	powershell.exe
4208	powershell.exe
1604	powershell.exe
1604	powershell.exe
3664	powershell.exe
3664	powershell.exe
3464	powershell.exe
3464	powershell.exe
540	powershell.exe
540	powershell.exe
1460	powershell.exe
1460	powershell.exe
4044	powershell.exe
4044	powershell.exe
4244	powershell.exe
4244	powershell.exe
2196	powershell.exe
2196	powershell.exe
3604	powershell.exe
3604	powershell.exe
5196	powershell.exe
5196	powershell.exe
1700	powershell.exe
1700	powershell.exe
5208	powershell.exe
3520	powershell.exe
5208	powershell.exe
3520	powershell.exe
5116	powershell.exe
5116	powershell.exe
3604	powershell.exe
2380	powershell.exe
2380	powershell.exe
536	powershell.exe
536	powershell.exe
2184	powershell.exe
2184	powershell.exe
4780	chrome.exe
4780	chrome.exe
4208	powershell.exe
4208	powershell.exe
1884	powershell.exe
1884	powershell.exe
3664	powershell.exe
3664	powershell.exe
540	powershell.exe
540	powershell.exe
3464	powershell.exe
3464	powershell.exe
4044	powershell.exe
4044	powershell.exe
1604	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5520	WMIC.exe
Token: SeSecurityPrivilege	5520	WMIC.exe
Token: SeTakeOwnershipPrivilege	5520	WMIC.exe
Token: SeLoadDriverPrivilege	5520	WMIC.exe
Token: SeSystemProfilePrivilege	5520	WMIC.exe
Token: SeSystemtimePrivilege	5520	WMIC.exe
Token: SeProfSingleProcessPrivilege	5520	WMIC.exe
Token: SeIncBasePriorityPrivilege	5520	WMIC.exe
Token: SeCreatePagefilePrivilege	5520	WMIC.exe
Token: SeBackupPrivilege	5520	WMIC.exe
Token: SeRestorePrivilege	5520	WMIC.exe
Token: SeShutdownPrivilege	5520	WMIC.exe
Token: SeDebugPrivilege	5520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5520	WMIC.exe
Token: SeRemoteShutdownPrivilege	5520	WMIC.exe
Token: SeUndockPrivilege	5520	WMIC.exe
Token: SeManageVolumePrivilege	5520	WMIC.exe
Token: 33	5520	WMIC.exe
Token: 34	5520	WMIC.exe
Token: 35	5520	WMIC.exe
Token: 36	5520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5520	WMIC.exe
Token: SeSecurityPrivilege	5520	WMIC.exe
Token: SeTakeOwnershipPrivilege	5520	WMIC.exe
Token: SeLoadDriverPrivilege	5520	WMIC.exe
Token: SeSystemProfilePrivilege	5520	WMIC.exe
Token: SeSystemtimePrivilege	5520	WMIC.exe
Token: SeProfSingleProcessPrivilege	5520	WMIC.exe
Token: SeIncBasePriorityPrivilege	5520	WMIC.exe
Token: SeCreatePagefilePrivilege	5520	WMIC.exe
Token: SeBackupPrivilege	5520	WMIC.exe
Token: SeRestorePrivilege	5520	WMIC.exe
Token: SeShutdownPrivilege	5520	WMIC.exe
Token: SeDebugPrivilege	5520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5520	WMIC.exe
Token: SeRemoteShutdownPrivilege	5520	WMIC.exe
Token: SeUndockPrivilege	5520	WMIC.exe
Token: SeManageVolumePrivilege	5520	WMIC.exe
Token: 33	5520	WMIC.exe
Token: 34	5520	WMIC.exe
Token: 35	5520	WMIC.exe
Token: 36	5520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5604	WMIC.exe
Token: SeSecurityPrivilege	5604	WMIC.exe
Token: SeTakeOwnershipPrivilege	5604	WMIC.exe
Token: SeLoadDriverPrivilege	5604	WMIC.exe
Token: SeSystemProfilePrivilege	5604	WMIC.exe
Token: SeSystemtimePrivilege	5604	WMIC.exe
Token: SeProfSingleProcessPrivilege	5604	WMIC.exe
Token: SeIncBasePriorityPrivilege	5604	WMIC.exe
Token: SeCreatePagefilePrivilege	5604	WMIC.exe
Token: SeBackupPrivilege	5604	WMIC.exe
Token: SeRestorePrivilege	5604	WMIC.exe
Token: SeShutdownPrivilege	5604	WMIC.exe
Token: SeDebugPrivilege	5604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5604	WMIC.exe
Token: SeRemoteShutdownPrivilege	5604	WMIC.exe
Token: SeUndockPrivilege	5604	WMIC.exe
Token: SeManageVolumePrivilege	5604	WMIC.exe
Token: 33	5604	WMIC.exe
Token: 34	5604	WMIC.exe
Token: 35	5604	WMIC.exe
Token: 36	5604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5604	WMIC.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4780	chrome.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4072	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 32	924	MailDumper v1.2.3.exe	81
PID 924 wrote to memory of 32	924	MailDumper v1.2.3.exe	81
PID 32 wrote to memory of 676	32	MailDumper v1.2.3.exe	82
PID 32 wrote to memory of 676	32	MailDumper v1.2.3.exe	82
PID 32 wrote to memory of 5468	32	MailDumper v1.2.3.exe	85
PID 32 wrote to memory of 5468	32	MailDumper v1.2.3.exe	85
PID 5468 wrote to memory of 5520	5468	cmd.exe	87
PID 5468 wrote to memory of 5520	5468	cmd.exe	87
PID 32 wrote to memory of 5552	32	MailDumper v1.2.3.exe	88
PID 32 wrote to memory of 5552	32	MailDumper v1.2.3.exe	88
PID 5552 wrote to memory of 5604	5552	cmd.exe	90
PID 5552 wrote to memory of 5604	5552	cmd.exe	90
PID 32 wrote to memory of 5636	32	MailDumper v1.2.3.exe	91
PID 32 wrote to memory of 5636	32	MailDumper v1.2.3.exe	91
PID 5636 wrote to memory of 5688	5636	cmd.exe	93
PID 5636 wrote to memory of 5688	5636	cmd.exe	93
PID 32 wrote to memory of 5776	32	MailDumper v1.2.3.exe	95
PID 32 wrote to memory of 5776	32	MailDumper v1.2.3.exe	95
PID 5776 wrote to memory of 5828	5776	cmd.exe	97
PID 5776 wrote to memory of 5828	5776	cmd.exe	97
PID 32 wrote to memory of 5844	32	MailDumper v1.2.3.exe	98
PID 32 wrote to memory of 5844	32	MailDumper v1.2.3.exe	98
PID 5844 wrote to memory of 5896	5844	cmd.exe	100
PID 5844 wrote to memory of 5896	5844	cmd.exe	100
PID 32 wrote to memory of 5928	32	MailDumper v1.2.3.exe	101
PID 32 wrote to memory of 5928	32	MailDumper v1.2.3.exe	101
PID 32 wrote to memory of 5980	32	MailDumper v1.2.3.exe	103
PID 32 wrote to memory of 5980	32	MailDumper v1.2.3.exe	103
PID 5980 wrote to memory of 6032	5980	cmd.exe	105
PID 5980 wrote to memory of 6032	5980	cmd.exe	105
PID 32 wrote to memory of 6060	32	MailDumper v1.2.3.exe	106
PID 32 wrote to memory of 6060	32	MailDumper v1.2.3.exe	106
PID 32 wrote to memory of 6072	32	MailDumper v1.2.3.exe	107
PID 32 wrote to memory of 6072	32	MailDumper v1.2.3.exe	107
PID 32 wrote to memory of 6084	32	MailDumper v1.2.3.exe	108
PID 32 wrote to memory of 6084	32	MailDumper v1.2.3.exe	108
PID 32 wrote to memory of 6096	32	MailDumper v1.2.3.exe	109
PID 32 wrote to memory of 6096	32	MailDumper v1.2.3.exe	109
PID 32 wrote to memory of 764	32	MailDumper v1.2.3.exe	115
PID 32 wrote to memory of 764	32	MailDumper v1.2.3.exe	115
PID 32 wrote to memory of 6124	32	MailDumper v1.2.3.exe	112
PID 32 wrote to memory of 6124	32	MailDumper v1.2.3.exe	112
PID 32 wrote to memory of 2876	32	MailDumper v1.2.3.exe	116
PID 32 wrote to memory of 2876	32	MailDumper v1.2.3.exe	116
PID 32 wrote to memory of 1688	32	MailDumper v1.2.3.exe	119
PID 32 wrote to memory of 1688	32	MailDumper v1.2.3.exe	119
PID 32 wrote to memory of 1228	32	MailDumper v1.2.3.exe	121
PID 32 wrote to memory of 1228	32	MailDumper v1.2.3.exe	121
PID 32 wrote to memory of 212	32	MailDumper v1.2.3.exe	122
PID 32 wrote to memory of 212	32	MailDumper v1.2.3.exe	122
PID 32 wrote to memory of 636	32	MailDumper v1.2.3.exe	125
PID 32 wrote to memory of 636	32	MailDumper v1.2.3.exe	125
PID 32 wrote to memory of 4696	32	MailDumper v1.2.3.exe	126
PID 32 wrote to memory of 4696	32	MailDumper v1.2.3.exe	126
PID 32 wrote to memory of 4440	32	MailDumper v1.2.3.exe	128
PID 32 wrote to memory of 4440	32	MailDumper v1.2.3.exe	128
PID 32 wrote to memory of 4648	32	MailDumper v1.2.3.exe	131
PID 32 wrote to memory of 4648	32	MailDumper v1.2.3.exe	131
PID 32 wrote to memory of 932	32	MailDumper v1.2.3.exe	133
PID 32 wrote to memory of 932	32	MailDumper v1.2.3.exe	133
PID 32 wrote to memory of 3712	32	MailDumper v1.2.3.exe	135
PID 32 wrote to memory of 3712	32	MailDumper v1.2.3.exe	135
PID 6084 wrote to memory of 540	6084	cmd.exe	136
PID 6084 wrote to memory of 540	6084	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\Method\Method\MailDumper v1.2.3.exe
"C:\Users\Admin\AppData\Local\Temp\Method\Method\MailDumper v1.2.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Users\Admin\AppData\Local\Temp\Method\Method\MailDumper v1.2.3.exe
  "C:\Users\Admin\AppData\Local\Temp\Method\Method\MailDumper v1.2.3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_videocontroller get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_videocontroller get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5636
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ipconfig"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5776
  - - C:\Windows\system32\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:5828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5844
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "sc query"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5980
  - - C:\Windows\system32\sc.exe
      sc query
      4⤵
      Launches sc.exe
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension .exe"
    3⤵
    PID:6060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionExtension .exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension .tmp"
    3⤵
    PID:6072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionExtension .tmp
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -EnableControlledFolderAccess Disabled"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -EnableControlledFolderAccess Disabled
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -PUAProtection disable"
    3⤵
    PID:6096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -PUAProtection disable
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension .py"
    3⤵
    PID:6124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionExtension .py
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableBlockAtFirstSeen $true"
    3⤵
    PID:764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableIOAVProtection $true"
    3⤵
    PID:2876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisablePrivacyMode $true"
    3⤵
    PID:1688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
    3⤵
    PID:1228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableArchiveScanning $true"
    3⤵
    PID:212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableIntrusionPreventionSystem $true"
    3⤵
    PID:636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -DisableIntrusionPreventionSystem $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -DisableScriptScanning $true"
    3⤵
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    PID:4440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -MAPSReporting 0"
    3⤵
    PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -MAPSReporting 0
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -HighThreatDefaultAction 6 -Force"
    3⤵
    PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -LowThreatDefaultAction 6"
    3⤵
    PID:3712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -SevereThreatDefaultAction 6"
    3⤵
    PID:4888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -ScanScheduleDay 8"
    3⤵
    PID:2168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Set-MpPreference -ScanScheduleDay 8
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -command netsh advfirewall set allprofiles state off"
    3⤵
    PID:844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command netsh advfirewall set allprofiles state off
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3520
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8072 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4780
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8cf46cc40,0x7ff8cf46cc4c,0x7ff8cf46cc58
      4⤵
      PID:2616
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:2828
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2160,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      PID:4660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2244,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:8
      4⤵
      PID:5316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3540,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3552 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:7456
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3560,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3592 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:7464
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8072 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:7948
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4344,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
      4⤵
      PID:6636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4736,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
      4⤵
      PID:6420
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4560,i,6188106972278234036,2827422180367379548,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
      4⤵
      PID:844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8069 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
    3⤵
    - Uses browser remote debugging
    PID:5048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8cf5c46f8,0x7ff8cf5c4708,0x7ff8cf5c4718
      4⤵
      PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1000,11517119113313396472,15961538880159031868,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1032 /prefetch:2
      4⤵
      PID:1644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1000,11517119113313396472,15961538880159031868,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1856 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8069 --allow-pre-commit-input --field-trial-handle=1000,11517119113313396472,15961538880159031868,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1940 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:6580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --restore-last-session --remote-debugging-port=8864 --remote-allow-origins=* --headless=new --user-data-dir=C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles
    3⤵
    - Uses browser remote debugging
    PID:3924
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --restore-last-session --remote-debugging-port=8864 --remote-allow-origins=* --headless=new --user-data-dir=C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles
      4⤵
      Uses browser remote debugging
      Checks processor information in registry
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4072
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc82703a-b3e7-4eda-adf0-b4e3aa01d3b9} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" gpu
        5⤵
        
        PID:3280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2480 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c40c3a6e-24d7-4bd4-a3d7-76968bf6f852} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" socket
        5⤵
        
        PID:6044
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 2960 -prefsLen 28292 -prefMapSize 244658 -jsInitHandle 876 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7563a63-8ce5-43b7-99b5-dd6db15363a4} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
        5⤵
        
        PID:6484
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 2 -isForBrowser -prefsHandle 3048 -prefMapHandle 3032 -prefsLen 34809 -prefMapSize 244658 -jsInitHandle 876 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3117cd24-0d74-4f5b-aa39-4cc63e9b9c09} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
        5⤵
        
        PID:6800
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1560 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3804 -prefMapHandle 1392 -prefsLen 34809 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d34b05d-14df-4b09-af74-56d084b763fc} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" utility
        5⤵
        Checks processor information in registry
        
        PID:6900
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5228 -prefsLen 32598 -prefMapSize 244658 -jsInitHandle 876 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66070266-937a-440f-a146-4f1c7e853433} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
        5⤵
        
        PID:6380
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 5392 -prefsLen 32598 -prefMapSize 244658 -jsInitHandle 876 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd37ffef-73d4-4a82-b74c-2182ecba4648} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
        5⤵
        
        PID:6156
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 5180 -prefsLen 32598 -prefMapSize 244658 -jsInitHandle 876 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {342cc8c3-0188-4ee3-942e-c6841b93dff6} 4072 "\\.\pipe\gecko-crash-server-pipe.4072" tab
        5⤵
        
        PID:6332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8015 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"
    3⤵
    - Uses browser remote debugging
    PID:3216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8cf5c46f8,0x7ff8cf5c4708,0x7ff8cf5c4718
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1392,4073482892684926481,12800842116939330309,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1508 /prefetch:2
      4⤵
      PID:7520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1392,4073482892684926481,12800842116939330309,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1876 /prefetch:3
      4⤵
      PID:7768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8015 --allow-pre-commit-input --field-trial-handle=1392,4073482892684926481,12800842116939330309,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2044 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:7608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command " Add-MpPreference -ExclusionExtension '.ps1', '.tmp', '.py' Add-MpPreference -ExclusionPath \"$env:TEMP\", \"$env:APPDATA\" "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ipconfig"
    3⤵
    PID:6088
  - - C:\Windows\system32\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ipconfig /all"
    3⤵
    PID:1332
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:7100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1700
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:6348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4236
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ipconfig /all"
    3⤵
    PID:6780
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ipconfig"
    3⤵
    PID:5816
  - - C:\Windows\system32\ipconfig.exe
      ipconfig
      4⤵
      Gathers network information
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ipconfig /all"
    3⤵
    PID:6108
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:7580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:6128
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:ProgramData\edge\Updater\Get-Clipboard.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    PID:7032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0kiooc45\0kiooc45.cmdline"
      4⤵
      PID:6252
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES964F.tmp" "c:\Users\Admin\AppData\Local\Temp\0kiooc45\CSC8B07E0E39266474C9A839158ABB88A4.TMP"
        5⤵
        
        PID:5924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5516

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:7616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1581a26ac34ff5be4068047fc57c1d43

SHA1
e84e3699acc12f9735ee4961099ca32393e349c2

SHA256
66ade5746dc15aa7d832c118a4ce249c449ec98606ba0cc786850c86b39242d8

SHA512
e4caeb2c52f692c4db2b7ee1a6033973f5f4756e9d5ca107a5e107f992ebd0008d2b986a14546c0e91b7a0e0bf37292d195b0225e5c0233f428cda66b9c1f64d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
fd6654f960e9b2b3adfc4aed11dc5e8e

SHA1
4e3a86694e2a16c9ee2b65e4254d91b29b40c426

SHA256
86b07efbf309c660b96def99dd332f3902fb7a11f017ebf8bdd1ec2ef2b795e8

SHA512
bccb9b9a5615d45d76956b5db3e5163f4d1b1824502b65ff082f0644c94dcd24fb5ec17055504557aa6731b39778a1b81ab4c5e34d0152f243c350ab15761c53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54b1b459c87e10e1a648a8c9fb846918

SHA1
4c4d6598a8444e525381abc1f88fa41b784b1a9e

SHA256
72440f325ed682b80a9777092d4ffa10e36e79c85be7f43a0ff6a308a8c2b685

SHA512
ce6d0762b5cf13977ad7a36110701ba957f06c0ecfaeb0c32e434c9aa19a02c8130940bde873fffb6d808e10a2318135b4636f2069dc06fa23d41b82a09fa5b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3dd817e4d1c5232dbfbce6072e5dc7d4

SHA1
5d3b5b7de7642e2d6c971a3253775359557c3aef

SHA256
f4253077332330670cb4fc477d7e05ec13021314281d275648279e2cc79799da

SHA512
d26034a0e9eb8b8e9edbd1893f4eeb7c5d485b27a1b2c7730b4b5b26b40f5a4255343f65701c15707803bb51c8b1c384e6bdbb4f43caddf4a61ab927410b41eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
4f2c8f5ebd5d3d139f9d5a0afd224879

SHA1
bdb6183c5812fbe4fff67faa27dcfcaa3182519d

SHA256
571e5111fa5e39a340bbcf0e267a59156a433102767bdd57c0c987907856441f

SHA512
e6087ba12219788a369239c8e1396b048ff37f4b562f4703413800389aa0d779d0eb509951cde54cfd9af84d6fd145bbc5f6cd15c5fbcfeff23e4f53c5f67b77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
a69104508860587ab3e02aa59515a483

SHA1
d2b0703e17fc9b95e5f0419dfb9de6fcd431d939

SHA256
d93e8c78834509002dbf4577660210a6f8b7b14d5cdf6bd14f1919c332550a25

SHA512
c6f0dae2a55cc04553f17cdd304a09c2e6cef150d5f0a75b47c57906c2c4e68f8fa39e7971b6aad4b8325d183d3c9baa9be48620cba954942e300c2370dc371e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
724eb1dd486fd9d8e9bbcba31609647a

SHA1
cb49983c854dec766d3add1e36d6692f43ab5683

SHA256
dfb4438451e1a21eb6e6cf8ee754ce14b2a103875bdce8e4b541eae69acdfacd

SHA512
1d7f0dcc71d61bd398e39befb9b7bc7f3d187762a989bf88c5e8b5aaef4204bee2f0fcaaded1391e7380b91f4e4d02ba4e802213f49d49082652567841d633af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
95906461db22ff983c556b67a2e84b37

SHA1
e2cc426365bfec3e93ff13bfd90c93389ac280fe

SHA256
04056de6fce5bfef397ee81857286d2d7b8aac25ca6bf138b8af70865588613e

SHA512
800568a8371c7d25f96caa8779f943fa1f5e349e6ee8a37d1e241e16ce8d26814ef36b3fe36c1f4967223765ca9e1a1eb7e5495fa8839b6de4ac83df3d1e7442

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984

Filesize
13KB

MD5
11f697decf1899e36108029300028a3d

SHA1
c3ca56c793232d175b95a32b9862cb5b85b8b110

SHA256
c58a0663b9d23a1ef357ce0968c73220bd079d4206ebbba243adc0193f6fa333

SHA512
0299d07196093754b16af2c2b8ad814b030463f06ee6709ffa954a8db99594e292ba79033683e88d1d8be5fd9a6e0851d7a86df38948ec28a1e1c9d1105e3064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Credentials.zip

Filesize
494B

MD5
a73dd28a536b8f5b29afdb4c012b338d

SHA1
71089f1205b66dcc7738bbfd3825f452bd9f290b

SHA256
822024df48a78c8877121ac78cceacd792c99e87ddad4f392e50ce18763bc287

SHA512
e48fe24a6241d00733f62cc6a335763b23e007a82accbc6f8380529e81a917c7bf91ce09e3a5ea42cee84508f29857e4e8951099f1839d357b53640a540a6a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
73dd025bfa3cfb38e5daad0ed9914679

SHA1
65d141331e8629293146d3398a2f76c52301d682

SHA256
c89f3c0b89cfee35583d6c470d378da0af455ebd9549be341b4179d342353641

SHA512
20569f672f3f2e6439afd714f179a590328a1f9c40c6bc0dc6fcad7581bc620a877282baf7ec7f16aaa79724ba2165f71d79aa5919c8d23214bbd39611c23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
e87aac7f2a9bf57d6796e5302626ee2f

SHA1
4b633501e76e96c8859436445f38240f877fc6c6

SHA256
97bf9e392d6ad9e1ec94237407887ea3d1dec2d23978891a8174c03af606fd34

SHA512
108663f0700d9e30e259a62c1ae35b23f5f2abd0eff00523aae171d1db803da99488c7395afd3ad54a242f0cb2c66a60e6904d3e3f75bb1193621fd65df4ad5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
f3f30d72d6d7f4ba94b3c1a9364f1831

SHA1
46705c3a35c84bf15cf434e2607bddd18991e138

SHA256
7820395c44eab26de0312dfc5d08a9a27398f0caa80d8f9a88dee804880996ff

SHA512
01c5ea300a7458efe1b209c56a826df0bf3d6ff4dd512f169d6aee9d540600510c3249866bfb991975ca5e41c77107123e480eda4d55eccb88ed22399ee57912

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
93da52e6ce73e0c1fc14f7b24dcf4b45

SHA1
0961cfb91bbcee3462954996c422e1a9302a690b

SHA256
ddd427c76f29edd559425b31eee54eb5b1bdd567219ba5023254efde6591faa0

SHA512
49202a13d260473d3281bf7ca375ac1766189b6936c4aa03f524081cc573ee98d236aa9c736ba674ade876b7e29ae9891af50f1a72c49850bb21186f84a3c3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
0628dc6d83f4a9dddb0552bd0cc9b54c

SHA1
c73f990b84a126a05f1d32d509b6361dca80bc93

SHA256
f136b963b5ceb60b0f58127a925d68f04c1c8a946970e10c4abc3c45a1942bc7

SHA512
78d005a2fec5d1c67fc2b64936161026f9a0b1756862baf51eaf14edee7739f915d059814c8d6f66797f84a28071c46b567f3392daf4ff7fcdfa94220c965c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Hash\_BLAKE2s.pyd

Filesize
13KB

MD5
4d8230d64493ce217853b4d3b6768674

SHA1
c845366e7c02a2402ba00b9b6735e1fad3f2f1ef

SHA256
06885dc99a7621ba3be3b28cb4bcf972549e23acf62a710f6d6c580aaba1f25a

SHA512
c32d5987a0b1ded7211545cb7d3d7482657ca7d74a9083d37a33f65bbe2e7e075cb52efaeea00f1840ab8f0baf7df1466a4f4e880abf9650a709814bcee2f945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\Cryptodome\Util\_strxor.pyd

Filesize
10KB

MD5
3369f9bb8b0ee93e5ad5b201956dc60f

SHA1
a5b75cbd6ce905a179e49888e798cd6ae9e9194d

SHA256
5940e97e687a854e446dc859284a90c64cf6d87912c37172b8823a8c3a7b73df

SHA512
c4e71d683be64a8e6ab533fa4c1c3040b96d0be812ea74c99d2d2b5d52470c24b45d55366a7acb9d8cda759a618cbaf0d0a7ecfef4c0954df89fdb768d9893e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_cffi_backend.cp310-win_amd64.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_hashlib.pyd

Filesize
60KB

MD5
49ce7a28e1c0eb65a9a583a6ba44fa3b

SHA1
dcfbee380e7d6c88128a807f381a831b6a752f10

SHA256
1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430

SHA512
cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_pytransform.dll

Filesize
1.1MB

MD5
e4761848102a6902b8e38f3116a91a41

SHA1
c262973e26bd9d8549d4a9abf4b7ae0ca4db75f0

SHA256
9d03619721c887413315bd674dae694fbd70ef575eb0138f461a34e2dd98a5fd

SHA512
a148640aa6f4b4ef3ae37922d8a11f4def9ecfd595438b9a36b1be0810bfb36abf0e01bee0aa79712af0d70cddce928c0df5057c0418c4ed0d733c6193761e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_queue.pyd

Filesize
29KB

MD5
23f4becf6a1df36aee468bb0949ac2bc

SHA1
a0e027d79a281981f97343f2d0e7322b9fe9b441

SHA256
09c5faf270fd63bde6c45cc53b05160262c7ca47d4c37825ed3e15d479daee66

SHA512
3ee5b3b7583be1408c0e1e1c885512445a7e47a69ff874508e8f0a00a66a40a0e828ce33e6f30ddc3ac518d69e4bb96c8b36011fb4ededf9a9630ef98a14893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\base_library.zip

Filesize
812KB

MD5
6cff73092664831ca9277c6797993c47

SHA1
62d17f2bf5785149df53b5adbaecc3579a24cfbe

SHA256
a8be7ce0f18a2e14dadb3fe6cc41ec2962dce172f4cb4df4535ff0ec47aee79d

SHA512
457211a957656b845ae6e5a34e567c7e33dbb67f6aed9a9c15937f3b39922a2a4bdc70378269c1908fc141eb34adaa70a0b133ba42bf6498f9e41ce372f3f3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f4f7f634791f26fc62973350d5f89d9a

SHA1
6be643bd21c74ed055b5a1b939b1f64b055d4673

SHA256
45a043c4b7c6556f2acfc827f2ff379365088c3479e8ee80c7f0a2ceb858dcc6

SHA512
4325807865a76427d05039a2922f853287d420bcebda81f63a95bf58502e7da0489060c4b6f6ffd65aa294e1e1c1f64560add5f024355922103c88b2cf1fd79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
119KB

MD5
47ee4516407b6de6593a4996c3ae35e0

SHA1
293224606b31e45b10fb67e997420844ae3fe904

SHA256
f646c3b72b5e7c085a66b4844b5ad7a9a4511d61b2d74153479b32c7ae0b1a4c

SHA512
efa245c6db2aee2d9db7f99e33339420e54f371a17af0cf7694daf51d45aebfbac91fc52ddb7c53e9fc73b43c67d8d0a2caa15104318e392c8987a0dad647b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\pyexpat.pyd

Filesize
193KB

MD5
6bc89ebc4014a8db39e468f54aaafa5e

SHA1
68d04e760365f18b20f50a78c60ccfde52f7fcd8

SHA256
dbe6e7be3a7418811bd5987b0766d8d660190d867cd42f8ed79e70d868e8aa43

SHA512
b7a6a383eb131deb83eee7cc134307f8545fb7d043130777a8a9a37311b64342e5a774898edd73d80230ab871c4d0aa0b776187fa4edec0ccde5b9486dbaa626

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\pythoncom310.dll

Filesize
543KB

MD5
b7acfad9f0f36e7cf8bfb0dd58360ffe

SHA1
8fa816d403f126f3326cb6c73b83032bb0590107

SHA256
461328c988d4c53f84579fc0880c4a9382e14b0c8b830403100a2fa3df0fd9a9

SHA512
4fed8a9162a9a2ebc113ea44d461fb498f9f586730218d9c1cddcd7c8c803cad6dea0f563b8d7533321ecb25f6153ca7c5777c314e7cb76d159e39e74c72d1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\pywintypes310.dll

Filesize
139KB

MD5
f200ca466bf3b8b56a272460e0ee4abc

SHA1
ca18e04f143424b06e0df8d00d995c2873aa268d

SHA256
a6700ca2bee84c1a051ba4b22c0cde5a6a5d3e35d4764656cfdc64639c2f6b77

SHA512
29bf2425b665af9d2f9fd7795bf2ab012aa96faed9a1a023c86afa0d2036cc6014b48116940fad93b7de1e8f4f93eb709cc9319439d7609b79fd8b92669b377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\unicodedata.pyd

Filesize
1.1MB

MD5
102bbbb1f33ce7c007aac08fe0a1a97e

SHA1
9a8601bea3e7d4c2fa6394611611cda4fc76e219

SHA256
2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758

SHA512
a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9242\win32api.cp310-win_amd64.pyd

Filesize
131KB

MD5
ec7c48ea92d9ff0c32c6d87ee8358bd0

SHA1
a67a417fdb36c84871d0e61bfb1015cb30c9898a

SHA256
a0f3cc0e98bea5a598e0d4367272e4c65bf446f21932dc2a051546b098d6ce62

SHA512
c06e3c0260b918509947a89518d55f0cb03cb19fc28d9e7ed9e3f837d71df31154f0093929446a93a7c7da1293ffd0cc69547e2540f15e3055fe1d12d837f935

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bdpjrwp3.j30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\prysmax_games.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\AlternateServices.bin

Filesize
8KB

MD5
4d514f3714dde217a0980085ef5bf31f

SHA1
7665519c97bce8c25864c8fa11f278b0b50001b0

SHA256
f81846537e7157287008b7bc022b80449e53eaa2e585250ec1d6bdd61a7b9091

SHA512
7aaff1c0d202fd16404618a74c61c6c84a69607b73081c67ae069cf02dff7e06cc66a5f770b52dc47468df99411547bb2be25b56c3cdc82877cce3badd23866b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b1b31c03c80772792c1e4830b0ec26b4

SHA1
8159d82ea698a84e955f71296882c01540c541ea

SHA256
661e04e9537e969128112cea3f5001c33040d4619f7a9eb06ecb07986b70a167

SHA512
484c4e833b63896df1b8993cd75ad9219cce73186f68f73052173c0abde130f9efdbd28f158d1248de5b2516529f483bdd434fd08a52a721e28abe3f5882286c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
990dd41b743385d160f41a9dcd9e5a77

SHA1
0d83490bb14f0278feb87403d1eccd01d98cf19c

SHA256
c83e7823f9f27e8bfcb39b80d7231ef647280d67c1d0853008acffeb5ab9e29e

SHA512
e8a94d2b7ba34894553f60224eeb0d7cae316682817f9bf6a33275f30d131bfaccd5d05cebc3e84cabc1421bdce3c92893dde226f40acf6892e879ac51a56284

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
8d6312c193814247b453b9197d9672cc

SHA1
36e9ed4136b1e307dd09a621d51ae9ac530230ed

SHA256
4866c49ff1cd7ba6dfd5ffccfbb416c1bd403f0aaa73c8179c89b379b5730096

SHA512
d1fece50cfb12d2ab1db1fd8551d455f5e6a32eaef763da2a9d2f06deb467202d39fb712f1b6c29406294fc931b4648ac3cc2c275f7c9dd4064b934f7f838875

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\2a7b40a9-d525-4079-8ad0-1850b8c44ef5

Filesize
982B

MD5
2c70b7e05324258e4c335b2a6fa9e5d3

SHA1
3fb0c5d1755a30795da61708dff81f518be3687f

SHA256
027c31247fe1c67a1a80f2718e408f4271e58d985c761800c190cf39ae9bacdb

SHA512
15a6fbae4379e6ad660e9081a153ef7275292261388e10f795bb7809b24d601d1aaa87cf97e3b96ea3faaab45148473c3c027ad0f7f1f20a9010d9f14bf93492

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\a3012637-3b07-4aff-94d3-574bf1ab343e

Filesize
671B

MD5
2c5f30c1e7c01af8442e280ef6a8c269

SHA1
3c71f19dad2568268c1e23f8638fda19a8a1e429

SHA256
1d03f9e032477faee2c2701990e568268f33b2fe3ea556030a90cc53d2404cd1

SHA512
df327d6410f79c09d8268116a5d367f9f30a01ceafdc742404f70ed12737a7649e5fadea19d2a588c2d53cf84c020ee8fa52f39e1e5996ad281b631169b50ec3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\ab097b79-1f8a-4dbd-bd57-8d570c1f28ba

Filesize
28KB

MD5
17bced50598a958e64add773fbb1e971

SHA1
4666cf659b7ba3f45467a192c49cbe76e71ce746

SHA256
461886d6142712f9c9255b208a0189a4332b3964616683d44edac87a535fde53

SHA512
a78d4d8f5b7b4bda4401bc45d419a457db2bbd084662d18f53f16d4c76fd6fbb1fcb92f2f3f8e1e817163023d57dc5c8383cfbad2675419a0c8015b0621e2f7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
aa369c02847413773bd3c41014ff3c66

SHA1
29c234f62cfb0769ed29d2bfec895b0ec0b11582

SHA256
d6cd97febc671195162899238eddc8465bfe210c0935cd35fe4e0ae73ceb2cfa

SHA512
fd4ace253f5980c5f64bcc700c3ac035fecd830385521a7875bfc81241048e29722b9741828f5c6a88669ce6d7ef735d738e66b443f833b47e903f82a76f161e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
15KB

MD5
1e546835564ba272ba931816121fb2f0

SHA1
5a5721de057cd04e1e1a11de1ba5bb07bd6e2f29

SHA256
2243cb8fad2c21a3aba70d1828e6d6683fc8c136bfe0df20b903556beedb9f33

SHA512
9b6dc4149ef71dcf54e1b61e69d9b3dfa5ffe9ffffc032b04403c6fd4c5eee7a49cc57d885d99441a4408b59504b591354c69d0875804561857f2c18b77845b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
16KB

MD5
85c4cb25549998e7e6bc541f5e65e244

SHA1
3ee15e4b53aa34b77745d7f6fff5b899e0f1bfeb

SHA256
81caeb2a3da8a75f43cc85d660b44ecf0b8c94bc9ba07a929f5f44df694f54a3

SHA512
b3d3b53e588e334801cd580c798c80b1bcbd6afa28d8bf51a4d328ef96c876e8171fd4ffadcfe589ff5e93186c1ee7341a1d6efa0a18e996b8828782516d91ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
16KB

MD5
6793a21948f2ee81ae81b427dad01686

SHA1
0b7588b29424d872c855f015466f691537de44b4

SHA256
a0dc0e9fd23340ffa8fad0e2d6d6244f28dfdeda8883c5c1521d65d576f3de09

SHA512
52e23fbc5c7b2c88a4c2f4322956c04a06ca7c73c31f5f16059e137db33a8fe56f3e85289f47ee0bdaec95790af48dd585a6843fefb7648960684daab9701b12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
dc53f0c1cd2ee57c86602d981244bdbe

SHA1
9917deb60785302e730fd1680ef06e5cf215d0be

SHA256
9a0a8e06d98bf57b3efecacfc80aaa9982ec69486aed06f4039c1065023fee7e

SHA512
4eb02474ee12b8ed2c0a0114b94c60084edc7d8318bddf7b650d0a52ca12e70239f66a4dd8ce3c03a4260383374af417d53003c777f0eaa5c3c625e0926954e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
cfd6250737652c93acc2a9ec6b442d93

SHA1
611ec09e94fa7730af67ed61a5426bcc749ce1be

SHA256
d00c266e640b3787b5592f1eec89135086966b2b174415afe5ffe838e8410c2c

SHA512
74622a897ff61c33d424d3a6e7179900f994ef8988f4bd4ebea14f3cc5cc8f1b24015f30954eb00c578a41e55a1d7cebf96022b017d379d7a53e19092e074d06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
512KB

MD5
f6e42b8e6235499ee1855faed3550059

SHA1
1cadf9c09307a301c64df89367f5c58a27540e0a

SHA256
54b873ccb81e38419196f8f8e4fe222c002b132bfa9d1b3177a4c2f22d65d16c

SHA512
9acd37552457d611676b119eb8d8b5e0cc74b672eae0aef6d253e173044d4c8cd30f6f5f0dceebcff4d03d879ff6b3b88ba804a7bc462a0527cecf8de99d02b5

Download Submit
memory/32-179-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-155-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-124-0x00000208B10C0000-0x00000208B10C1000-memory.dmp

Filesize
4KB

Download
memory/32-127-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-129-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-131-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-133-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-135-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-137-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-139-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-141-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-143-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-145-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-147-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-149-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-151-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-153-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-125-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-157-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-159-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-161-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-163-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-165-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-167-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-169-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-171-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-173-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-175-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-177-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-181-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-183-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-185-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/32-187-0x00000208B10D0000-0x00000208B10D1000-memory.dmp

Filesize
4KB

Download
memory/536-1433-0x0000029761380000-0x00000297613A2000-memory.dmp

Filesize
136KB

Download
memory/7032-2427-0x0000026BD15B0000-0x0000026BD15B8000-memory.dmp

Filesize
32KB

Download