Overview

overview

10

Static

static

3

cedd75f3a7...e1.exe

windows7-x64

10

cedd75f3a7...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 19:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cedd75f3a781795bab964212a7e781e1.exe

  • Size

    1.8MB

  • MD5

    cedd75f3a781795bab964212a7e781e1

  • SHA1

    450c262b1814c36b51cdb5868d96d02d5bbb60eb

  • SHA256

    3a7fac7bd67e9b5e65ba91e95a49df1ca38d64be20f24342efb7cd29e22b4aec

  • SHA512

    d45ed595aec66e0bd88d9b533d943a207bbe76ee4922aa50e05ba4d101ec624348f858feb0aff4a957a5d5085bc8f72c2ff98d1950f3e783f35e64c6686154fc

  • SSDEEP

    24576:I2Itn71MxiC2DB4o+0l6vGuAJcWEN0m2tXw9wRFAXsc+c0AV9R0M+BH657UqShRg:KLh4k6OuA2NNNB2PiF0j0nMRfF

Score
10/10
amadeycryptbotlummastealc9c9aa5fed3aastokcredential_accessdiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

cryptbot

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 20 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 40 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 37 IoCs
  • Identifies Wine through registry keys 2 TTPs 20 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 64 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1180
      • C:\Users\Admin\AppData\Local\Temp\cedd75f3a781795bab964212a7e781e1.exe
        "C:\Users\Admin\AppData\Local\Temp\cedd75f3a781795bab964212a7e781e1.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Local\Temp\4196QTKXW13E9FZH7JVJQF3BDLPY5.exe
          "C:\Users\Admin\AppData\Local\Temp\4196QTKXW13E9FZH7JVJQF3BDLPY5.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2836
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 692
            4⤵
            • Loads dropped DLL
            • Program crash
            PID:828
        • C:\Users\Admin\AppData\Local\Temp\OYIPP49A7OL4QAOZIAQ2CWDYSY0ASE.exe
          "C:\Users\Admin\AppData\Local\Temp\OYIPP49A7OL4QAOZIAQ2CWDYSY0ASE.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
            4⤵
            • Uses browser remote debugging
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2208
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76c9758,0x7fef76c9768,0x7fef76c9778
              5⤵
                PID:2388
              • C:\Windows\system32\ctfmon.exe
                ctfmon.exe
                5⤵
                  PID:408
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:2
                  5⤵
                    PID:692
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:8
                    5⤵
                      PID:956
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:8
                      5⤵
                        PID:1304
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2020 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:1
                        5⤵
                        • Uses browser remote debugging
                        PID:2444
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2444 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:1
                        5⤵
                        • Uses browser remote debugging
                        PID:2088
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2452 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:1
                        5⤵
                        • Uses browser remote debugging
                        PID:2560
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1292 --field-trial-handle=1100,i,4621200978378565391,2450831086124789017,131072 /prefetch:2
                        5⤵
                          PID:2860
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
                        4⤵
                        • Uses browser remote debugging
                        • Enumerates system info in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        PID:1988
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70a9758,0x7fef70a9768,0x7fef70a9778
                          5⤵
                            PID:540
                          • C:\Windows\system32\ctfmon.exe
                            ctfmon.exe
                            5⤵
                              PID:1888
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:2
                              5⤵
                                PID:1520
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:8
                                5⤵
                                  PID:2548
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:8
                                  5⤵
                                    PID:2952
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:1
                                    5⤵
                                    • Uses browser remote debugging
                                    PID:1976
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2560 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:1
                                    5⤵
                                    • Uses browser remote debugging
                                    PID:2068
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2568 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:1
                                    5⤵
                                    • Uses browser remote debugging
                                    PID:2892
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:2
                                    5⤵
                                      PID:2156
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 --field-trial-handle=1280,i,9847768393140717667,2646185713609839511,131072 /prefetch:8
                                      5⤵
                                        PID:644
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\CAAEBKEGHJ.exe"
                                      4⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:2588
                                      • C:\Users\Admin\Documents\CAAEBKEGHJ.exe
                                        "C:\Users\Admin\Documents\CAAEBKEGHJ.exe"
                                        5⤵
                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                        • Checks BIOS information in registry
                                        • Executes dropped EXE
                                        • Identifies Wine through registry keys
                                        • Loads dropped DLL
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of FindShellTrayWindow
                                        PID:2816
                                        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
                                          6⤵
                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Identifies Wine through registry keys
                                          • Loads dropped DLL
                                          • Adds Run key to start application
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2332
                                          • C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2736
                                            • C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
                                              "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
                                              8⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2968
                                          • C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            PID:2084
                                          • C:\Users\Admin\AppData\Local\Temp\1016974001\f4d0d43e30.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1016974001\f4d0d43e30.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Loads dropped DLL
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • Drops file in Windows directory
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of FindShellTrayWindow
                                            PID:2648
                                            • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
                                              "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
                                              8⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Loads dropped DLL
                                              • Adds Run key to start application
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1524
                                              • C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe"
                                                9⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                PID:2420
                                                • C:\Users\Admin\AppData\Local\Temp\onefile_2420_133790254013892000\trunk.exe
                                                  C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe
                                                  10⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:2160
                                              • C:\Users\Admin\AppData\Local\Temp\1007272001\23535b832d.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1007272001\23535b832d.exe"
                                                9⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1400
                                              • C:\Users\Admin\AppData\Local\Temp\1007273001\54e67528aa.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1007273001\54e67528aa.exe"
                                                9⤵
                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1736
                                              • C:\Users\Admin\AppData\Local\Temp\1007274001\5526afe930.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1007274001\5526afe930.exe"
                                                9⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:2604
                                              • C:\Users\Admin\AppData\Local\Temp\1007275001\e2b8e18946.exe
                                                "C:\Users\Admin\AppData\Local\Temp\1007275001\e2b8e18946.exe"
                                                9⤵
                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                • Checks BIOS information in registry
                                                • Executes dropped EXE
                                                • Identifies Wine through registry keys
                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1992
                                          • C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2204
                                          • C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2056
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Add-MpPreference -ExclusionPath "C:\jlpnkxawgp"
                                              8⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2104
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
                                              8⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:780
                                          • C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2616
                                          • C:\Users\Admin\AppData\Local\Temp\1017063001\54e67528aa.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017063001\54e67528aa.exe"
                                            7⤵
                                            • Enumerates VirtualBox registry keys
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • System Location Discovery: System Language Discovery
                                            PID:2520
                                          • C:\Users\Admin\AppData\Local\Temp\1017064001\4e045532a4.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017064001\4e045532a4.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Loads dropped DLL
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:1624
                                            • C:\Users\Admin\AppData\Local\Temp\53OJIQ6WPTLRRVGBQ.exe
                                              "C:\Users\Admin\AppData\Local\Temp\53OJIQ6WPTLRRVGBQ.exe"
                                              8⤵
                                              • Modifies Windows Defender Real-time Protection settings
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Windows security modification
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3368
                                            • C:\Users\Admin\AppData\Local\Temp\HKVEAYPH5IQNDV43K1ICWN.exe
                                              "C:\Users\Admin\AppData\Local\Temp\HKVEAYPH5IQNDV43K1ICWN.exe"
                                              8⤵
                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                              • Checks BIOS information in registry
                                              • Executes dropped EXE
                                              • Identifies Wine through registry keys
                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1616
                                          • C:\Users\Admin\AppData\Local\Temp\1017065001\f3c2c9bd3b.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017065001\f3c2c9bd3b.exe"
                                            7⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:1736
                                          • C:\Users\Admin\AppData\Local\Temp\1017066001\a2620276bc.exe
                                            "C:\Users\Admin\AppData\Local\Temp\1017066001\a2620276bc.exe"
                                            7⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            PID:2524
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM firefox.exe /T
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2780
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM chrome.exe /T
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:896
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM msedge.exe /T
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2796
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM opera.exe /T
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:540
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /F /IM brave.exe /T
                                              8⤵
                                              • System Location Discovery: System Language Discovery
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3000
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                              8⤵
                                                PID:2956
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                                  9⤵
                                                  • Checks processor information in registry
                                                  • Modifies registry class
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:676
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.0.1482299137\1908126699" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1168 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15dc2939-fc80-4122-b5a6-2a5b28b85a65} 676 "\\.\pipe\gecko-crash-server-pipe.676" 1372 104dbe58 gpu
                                                    10⤵
                                                      PID:1084
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.1.1514039859\795698097" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea6194fb-7172-4402-87e6-4b019c6a7b8b} 676 "\\.\pipe\gecko-crash-server-pipe.676" 1536 3fce158 socket
                                                      10⤵
                                                        PID:2160
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.2.817609000\1236279275" -childID 1 -isForBrowser -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9af0a69-1632-45f3-af3e-68c5802bce16} 676 "\\.\pipe\gecko-crash-server-pipe.676" 2168 170c0858 tab
                                                        10⤵
                                                          PID:2736
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.3.1920658888\191674443" -childID 2 -isForBrowser -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82ab0e88-c23d-4512-8e80-18fe99c81604} 676 "\\.\pipe\gecko-crash-server-pipe.676" 2480 1bfa9858 tab
                                                          10⤵
                                                            PID:840
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.4.634308971\1770311659" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3572 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {744dfab9-d744-4b67-8f8e-41e23cb0c6c3} 676 "\\.\pipe\gecko-crash-server-pipe.676" 3800 1f46e758 tab
                                                            10⤵
                                                              PID:3540
                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.5.1348229065\104451629" -childID 4 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b4335fb-3d02-4d76-86e7-d31dcfeba2ec} 676 "\\.\pipe\gecko-crash-server-pipe.676" 3900 1f46ea58 tab
                                                              10⤵
                                                                PID:3548
                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="676.6.1532539065\360122152" -childID 5 -isForBrowser -prefsHandle 4076 -prefMapHandle 4080 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 588 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3ab9713-f5ce-40bd-8d5b-4fbb18fe8a72} 676 "\\.\pipe\gecko-crash-server-pipe.676" 4064 1f46f358 tab
                                                                10⤵
                                                                  PID:3576
                                                          • C:\Users\Admin\AppData\Local\Temp\1017067001\6ba9109859.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1017067001\6ba9109859.exe"
                                                            7⤵
                                                            • Modifies Windows Defender Real-time Protection settings
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Windows security modification
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4088
                                                          • C:\Users\Admin\AppData\Local\Temp\1017068001\849a67a42f.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1017068001\849a67a42f.exe"
                                                            7⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            PID:3960
                                                            • C:\Windows\system32\cmd.exe
                                                              cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
                                                              8⤵
                                                              • Loads dropped DLL
                                                              PID:2004
                                                              • C:\Windows\system32\mode.com
                                                                mode 65,10
                                                                9⤵
                                                                  PID:1176
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2400
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_7.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1108
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_6.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:920
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_5.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2988
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_4.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1824
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_3.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2792
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_2.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3416
                                                                • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                  7z.exe e extracted/file_1.zip -oextracted
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3436
                                                                • C:\Windows\system32\attrib.exe
                                                                  attrib +H "in.exe"
                                                                  9⤵
                                                                  • Views/modifies file attributes
                                                                  PID:2824
                                                                • C:\Users\Admin\AppData\Local\Temp\main\in.exe
                                                                  "in.exe"
                                                                  9⤵
                                                                  • Executes dropped EXE
                                                                  PID:3224
                                                                  • C:\Windows\system32\attrib.exe
                                                                    attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                    10⤵
                                                                    • Views/modifies file attributes
                                                                    PID:3248
                                                                  • C:\Windows\system32\attrib.exe
                                                                    attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                    10⤵
                                                                    • Views/modifies file attributes
                                                                    PID:3264
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                                                                    10⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3300
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell ping 127.0.0.1; del in.exe
                                                                    10⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    PID:3284
                                                                    • C:\Windows\system32\PING.EXE
                                                                      "C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                      11⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:1836
                                                            • C:\Users\Admin\AppData\Local\Temp\1017069001\e2791f8a36.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\1017069001\e2791f8a36.exe"
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • System Location Discovery: System Language Discovery
                                                              PID:3236
                                                            • C:\Users\Admin\AppData\Local\Temp\1017070001\1c126672f8.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\1017070001\1c126672f8.exe"
                                                              7⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1988
                                                  • C:\Windows\SysWOW64\dialer.exe
                                                    "C:\Windows\system32\dialer.exe"
                                                    2⤵
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    PID:2160
                                                • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                  1⤵
                                                    PID:1768
                                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                    1⤵
                                                      PID:2768

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Reconnaissance

                                                    Resource Development

                                                    Initial Access

                                                    Execution

                                                    Command and Scripting Interpreter

                                                    1
                                                    T1059

                                                    PowerShell

                                                    1
                                                    T1059.001

                                                    Scheduled Task/Job

                                                    1
                                                    T1053

                                                    Scheduled Task

                                                    1
                                                    T1053.005

                                                    Persistence

                                                    Boot or Logon Autostart Execution

                                                    1
                                                    T1547

                                                    Registry Run Keys / Startup Folder

                                                    1
                                                    T1547.001

                                                    Create or Modify System Process

                                                    1
                                                    T1543

                                                    Windows Service

                                                    1
                                                    T1543.003

                                                    Modify Authentication Process

                                                    1
                                                    T1556

                                                    Scheduled Task/Job

                                                    1
                                                    T1053

                                                    Scheduled Task

                                                    1
                                                    T1053.005

                                                    Privilege Escalation

                                                    Boot or Logon Autostart Execution

                                                    1
                                                    T1547

                                                    Registry Run Keys / Startup Folder

                                                    1
                                                    T1547.001

                                                    Create or Modify System Process

                                                    1
                                                    T1543

                                                    Windows Service

                                                    1
                                                    T1543.003

                                                    Scheduled Task/Job

                                                    1
                                                    T1053

                                                    Scheduled Task

                                                    1
                                                    T1053.005

                                                    Defense Evasion

                                                    Hide Artifacts

                                                    1
                                                    T1564

                                                    Hidden Files and Directories

                                                    1
                                                    T1564.001

                                                    Impair Defenses

                                                    2
                                                    T1562

                                                    Disable or Modify Tools

                                                    2
                                                    T1562.001

                                                    Modify Authentication Process

                                                    1
                                                    T1556

                                                    Modify Registry

                                                    3
                                                    T1112

                                                    Virtualization/Sandbox Evasion

                                                    3
                                                    T1497

                                                    Credential Access

                                                    Credentials from Password Stores

                                                    1
                                                    T1555

                                                    Credentials from Web Browsers

                                                    1
                                                    T1555.003

                                                    Modify Authentication Process

                                                    1
                                                    T1556

                                                    Steal Web Session Cookie

                                                    1
                                                    T1539

                                                    Unsecured Credentials

                                                    5
                                                    T1552

                                                    Credentials In Files

                                                    5
                                                    T1552.001

                                                    Discovery

                                                    Browser Information Discovery

                                                    1
                                                    T1217

                                                    Query Registry

                                                    8
                                                    T1012

                                                    Remote System Discovery

                                                    1
                                                    T1018

                                                    System Information Discovery

                                                    4
                                                    T1082

                                                    System Location Discovery

                                                    1
                                                    T1614

                                                    System Language Discovery

                                                    1
                                                    T1614.001

                                                    System Network Configuration Discovery

                                                    1
                                                    T1016

                                                    Internet Connection Discovery

                                                    1
                                                    T1016.001

                                                    Virtualization/Sandbox Evasion

                                                    3
                                                    T1497

                                                    Lateral Movement

                                                    Collection

                                                    Data from Local System

                                                    4
                                                    T1005

                                                    Command and Control

                                                    Exfiltration

                                                    Impact

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
                                                      Filesize

                                                      40B

                                                      MD5

                                                      66b458a927cbc7e3db44b9288dd125cd

                                                      SHA1

                                                      bca37f9291fdfaf706ea2e91f86936caec472710

                                                      SHA256

                                                      481bc064a399c309d671b4d25371c9afba388960624d1173221eac16752dea81

                                                      SHA512

                                                      897fade0ea8f816830aee0e8008868af42619005384e0a89da654ad16102cd5e7a607440bd99f9578cf951390d39f07020054cca74231cdc42a3cffa363d9869

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp
                                                      Filesize

                                                      16B

                                                      MD5

                                                      979c29c2917bed63ccf520ece1d18cda

                                                      SHA1

                                                      65cd81cdce0be04c74222b54d0881d3fdfe4736c

                                                      SHA256

                                                      b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

                                                      SHA512

                                                      e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                                                      Filesize

                                                      16B

                                                      MD5

                                                      aefd77f47fb84fae5ea194496b44c67a

                                                      SHA1

                                                      dcfbb6a5b8d05662c4858664f81693bb7f803b82

                                                      SHA256

                                                      4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

                                                      SHA512

                                                      b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                                                      Filesize

                                                      16B

                                                      MD5

                                                      18e723571b00fb1694a3bad6c78e4054

                                                      SHA1

                                                      afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                                      SHA256

                                                      8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                                      SHA512

                                                      43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp
                                                      Filesize

                                                      16B

                                                      MD5

                                                      60e3f691077715586b918375dd23c6b0

                                                      SHA1

                                                      476d3eab15649c40c6aebfb6ac2366db50283d1b

                                                      SHA256

                                                      e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

                                                      SHA512

                                                      d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index-dir\the-real-index
                                                      Filesize

                                                      48B

                                                      MD5

                                                      4f64214f632c3ea461f798f08e4b0ea0

                                                      SHA1

                                                      67c21f17e38b436647b1090570563bd61103fadc

                                                      SHA256

                                                      5e125f0c83966887c3a03183932a04fbcf7152d832b7d8911a473c141bea4a40

                                                      SHA512

                                                      3cb186091bb9e3c2f89a42183197786d85acf30bad32e26e2f98514b5698abd5425c43468efed03821a4f8b8bcf2386c972d386777a46926c3237ab8ae861b0c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index
                                                      Filesize

                                                      24B

                                                      MD5

                                                      54cb446f628b2ea4a5bce5769910512e

                                                      SHA1

                                                      c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

                                                      SHA256

                                                      fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

                                                      SHA512

                                                      8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index-dir\the-real-index
                                                      Filesize

                                                      48B

                                                      MD5

                                                      79e0ec7bfdfb5ec125b306d06f9ad5c3

                                                      SHA1

                                                      d6d6f80287ece6b98ecace418de03fefcb992e56

                                                      SHA256

                                                      3228949ee8f2dda213b076c35215d914c41738464b856f6fb090616e66763dd3

                                                      SHA512

                                                      91baff2975162b9427d68ed6614d81cf1daf55769be081965c8991f30335061b7e0ca80e69646f9cbd417dfb56f04ee9ac3900fd7b3d4db40e7bfcab7702ba3f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Favicons
                                                      Filesize

                                                      20KB

                                                      MD5

                                                      3eea0768ded221c9a6a17752a09c969b

                                                      SHA1

                                                      d17d8086ed76ec503f06ddd0ac03d915aec5cdc7

                                                      SHA256

                                                      6923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512

                                                      SHA512

                                                      fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\History
                                                      Filesize

                                                      148KB

                                                      MD5

                                                      90a1d4b55edf36fa8b4cc6974ed7d4c4

                                                      SHA1

                                                      aba1b8d0e05421e7df5982899f626211c3c4b5c1

                                                      SHA256

                                                      7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

                                                      SHA512

                                                      ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\LOG
                                                      Filesize

                                                      204B

                                                      MD5

                                                      7b9b240bbcf98fa0569f14dde7a7e814

                                                      SHA1

                                                      850fa9ecf0d2b076914bcb9cd3eb9534748e0bf6

                                                      SHA256

                                                      fbe08cff98688d876865358820253a0bd0a10704fb0ef9b3bd15a0c3b6f29cdb

                                                      SHA512

                                                      d045fdccbdb4a0ca69cd722ebe89fe16e99c48586e6c4c0ba5da8f4dab53d871025aabc6971c508b9764037bcfb6b18b44269a53ec641bc4076c0dd9a6d623c3

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000002.dbtmp
                                                      Filesize

                                                      16B

                                                      MD5

                                                      206702161f94c5cd39fadd03f4014d98

                                                      SHA1

                                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                      SHA256

                                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                      SHA512

                                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\000003.log
                                                      Filesize

                                                      46B

                                                      MD5

                                                      90881c9c26f29fca29815a08ba858544

                                                      SHA1

                                                      06fee974987b91d82c2839a4bb12991fa99e1bdd

                                                      SHA256

                                                      a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

                                                      SHA512

                                                      15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\LOG
                                                      Filesize

                                                      192B

                                                      MD5

                                                      dc4bdec4df2ad93bfd22b499025ffde6

                                                      SHA1

                                                      56e9cac20b373f0ba26fc7173621ecfce13d9e4a

                                                      SHA256

                                                      49d7ae15a7c1945703014efa75ed3ed6521ec81ff7a67c1078e29fc8500cfc55

                                                      SHA512

                                                      9122e9f3217c2072938e477afd1f5c56fd9c1bc4d6350761c47d38b1e035ebb589a0e604581388ecce0573286507c14bf80a7acc23bb47448766b8b7ab066d67

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Visited Links
                                                      Filesize

                                                      128KB

                                                      MD5

                                                      78d29b1f69d654a9de67465c7a4b392e

                                                      SHA1

                                                      4b6448874d3375ef795fb8d739d405a7249e832a

                                                      SHA256

                                                      7df2d8f9ee061e8f490b9c8e5bfec1560e84b5a31fa30ecaf7d0dc43de0ebefe

                                                      SHA512

                                                      a1e2cc351edf1c65d36b9fe98258e68dfde775456676dd0ee7db5ee50ed4ae7b8afa7b084291d3065de1aa0bc47539f7aaa7af7749d69fb130e909593ae858c7

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Web Data
                                                      Filesize

                                                      92KB

                                                      MD5

                                                      cd9012f9650d183ad81c37c91623f036

                                                      SHA1

                                                      8b8b811031569d627a4c9961e799bd04f5c08c5d

                                                      SHA256

                                                      5f76128dabdf448c9bd9e83c0b6ad3ec16ed9b3dc75daa2320039b0898628cbd

                                                      SHA512

                                                      ba590c2b6b55c5b9cff368d668426c370641c72de21be6f2e781b2bc28a77cf7c49d7fc0e993d61246c8ec50a8e4eab867b7f283c42e7300358d8fd7cefb65d4

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\shared_proto_db\metadata\000004.dbtmp
                                                      Filesize

                                                      16B

                                                      MD5

                                                      6752a1d65b201c13b62ea44016eb221f

                                                      SHA1

                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                      SHA256

                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                      SHA512

                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
                                                      Filesize

                                                      14B

                                                      MD5

                                                      9eae63c7a967fc314dd311d9f46a45b7

                                                      SHA1

                                                      caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

                                                      SHA256

                                                      4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

                                                      SHA512

                                                      bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                                                      Filesize

                                                      264KB

                                                      MD5

                                                      f50f89a0a91564d0b8a211f8921aa7de

                                                      SHA1

                                                      112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                      SHA256

                                                      b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                      SHA512

                                                      bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Affiliation Database
                                                      Filesize

                                                      32KB

                                                      MD5

                                                      69e3a8ecda716584cbd765e6a3ab429e

                                                      SHA1

                                                      f0897f3fa98f6e4863b84f007092ab843a645803

                                                      SHA256

                                                      e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487

                                                      SHA512

                                                      bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index
                                                      Filesize

                                                      48B

                                                      MD5

                                                      52f690fa72319a810e310543df5cc078

                                                      SHA1

                                                      57ee5f9c82a70b787758cc06e497981d5caf8b7a

                                                      SHA256

                                                      3c7f3882bc4ccfb1ebbadbdb0f9bac57ecdbd30abe0ee060967cb549ede8553f

                                                      SHA512

                                                      27ee5cbd2d3f19fcfd10c420274b0eba640523012dc683fc670ecb6202adf2588e01ba0d5f3c527f685c210578e002932e22acc26d45e260a7f9f8fb2bf4f44e

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\wasm\index-dir\the-real-index
                                                      Filesize

                                                      48B

                                                      MD5

                                                      e6639d17b28f08532c5f615bc6394b82

                                                      SHA1

                                                      66c939199b2e7ee73a6ce6cafaae107b413d5bdd

                                                      SHA256

                                                      09cbae9cfac604f2415b6cb68424d1a399dd74142ad8915688cb638f38b75e26

                                                      SHA512

                                                      0d773ca7a082728e79261a0808ad0765201dfa98f816fc4b27cfd59701b72b7c18f508c3f83b30ffb1e8b4a88bf7d3a00fff0a0f741e6552eba06ca5a914a1be

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\000003.log
                                                      Filesize

                                                      76B

                                                      MD5

                                                      cc4a8cff19abf3dd35d63cff1503aa5f

                                                      SHA1

                                                      52af41b0d9c78afcc8e308db846c2b52a636be38

                                                      SHA256

                                                      cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a

                                                      SHA512

                                                      0e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\LOG
                                                      Filesize

                                                      193B

                                                      MD5

                                                      c56e83939d766fcc9e49a0b2f5f93ed3

                                                      SHA1

                                                      cea5376273d0c04d293f0a392da76cb46785ad13

                                                      SHA256

                                                      86f32f4f219c71a474eb4a835a973699457dc7a3ca3f6d695571c91d7a079f72

                                                      SHA512

                                                      001a1332aa931251f56a1757159e4a9d4c557525961efa52809ddd6fad5b82c52267bf82857e46befda9049fb1a2c9e4dda3878e58ac52446488e2ef5eec11a1

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000002
                                                      Filesize

                                                      50B

                                                      MD5

                                                      22bf0e81636b1b45051b138f48b3d148

                                                      SHA1

                                                      56755d203579ab356e5620ce7e85519ad69d614a

                                                      SHA256

                                                      e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

                                                      SHA512

                                                      a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Login Data For Account
                                                      Filesize

                                                      46KB

                                                      MD5

                                                      02d2c46697e3714e49f46b680b9a6b83

                                                      SHA1

                                                      84f98b56d49f01e9b6b76a4e21accf64fd319140

                                                      SHA256

                                                      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

                                                      SHA512

                                                      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000003.log
                                                      Filesize

                                                      40B

                                                      MD5

                                                      148079685e25097536785f4536af014b

                                                      SHA1

                                                      c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

                                                      SHA256

                                                      f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

                                                      SHA512

                                                      c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG
                                                      Filesize

                                                      205B

                                                      MD5

                                                      83da8f715e7edbdb821dd2ef5ab55441

                                                      SHA1

                                                      c92b139123d699e910b5b73cc9bec93dcab75d37

                                                      SHA256

                                                      efa8b2d889e8810127614138d42e703e0adc9a5a8a19e20a0a3b09185b2a35e7

                                                      SHA512

                                                      f5c1c3ef5e39a74eeaa9aa065ef68c2816c8ea3966b8c85722e8930e1bb1c96d97ee652aed64bff307105367a2bd567a13ff511daea06e2be53064f4f16f86ec

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\MANIFEST-000001
                                                      Filesize

                                                      41B

                                                      MD5

                                                      5af87dfd673ba2115e2fcf5cfdb727ab

                                                      SHA1

                                                      d5b5bbf396dc291274584ef71f444f420b6056f1

                                                      SHA256

                                                      f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                      SHA512

                                                      de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\CURRENT~RFf77195a.TMP
                                                      Filesize

                                                      16B

                                                      MD5

                                                      46295cac801e5d4857d09837238a6394

                                                      SHA1

                                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                      SHA256

                                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                      SHA512

                                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\LOG
                                                      Filesize

                                                      193B

                                                      MD5

                                                      33f91ec727d01751dbeb9ff0559779d9

                                                      SHA1

                                                      17cbc345b1eebe6c77328e18ae6372abc1a3e834

                                                      SHA256

                                                      09f375fca193d9cd8ebe3065c31e927100c8e17746fee859d2133a6e43e517b6

                                                      SHA512

                                                      e76b6634cb38922fdd6a5ee81b2aba426a369f88eb7eb73c03a085bec2167245c92aed64026da77beaf2cbf5ce103116ffa7377a9c56dcd230ea28ed1dc16d56

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Visited Links
                                                      Filesize

                                                      128KB

                                                      MD5

                                                      4b6eee791075cb9204a240030f68a381

                                                      SHA1

                                                      17c0ffbc5902714d43ffece06d994db0cc2bd160

                                                      SHA256

                                                      e4a67c49171e389e5bfa166cfdb921c33b6d4ad7bea7037569a6bc0e3b5bfe3d

                                                      SHA512

                                                      fa72c30f29e7d05b1d805a810afed51563e86dd5c7f20f0a7061ff3fff0e5cf0f0745fea7247d40bcd485d824defd3dc9d12e87991447fe4d16e9f0e5119e201

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Web Data
                                                      Filesize

                                                      92KB

                                                      MD5

                                                      bf83a189aaf8977c91e337fe044f63a9

                                                      SHA1

                                                      fb3d8ed7ac8dd52a03754d3aecab3403f2539dc1

                                                      SHA256

                                                      45b04f527833f44ce8c8105e6e7d01db3088ab74b18ad92c32a794d9d52a6b0b

                                                      SHA512

                                                      30d0373c1b1cbf465417218b33e0afd41518b25e78360e92fda6e4e3a5d9b1fac453287f6a6e6258b7c2af7196a09ebe165a5f4fb9108cf9e994f8223b499bd8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations
                                                      Filesize

                                                      86B

                                                      MD5

                                                      f732dbed9289177d15e236d0f8f2ddd3

                                                      SHA1

                                                      53f822af51b014bc3d4b575865d9c3ef0e4debde

                                                      SHA256

                                                      2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

                                                      SHA512

                                                      b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
                                                      Filesize

                                                      2B

                                                      MD5

                                                      99914b932bd37a50b983c5e7c90ae93b

                                                      SHA1

                                                      bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                      SHA256

                                                      44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                      SHA512

                                                      27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
                                                      Filesize

                                                      23KB

                                                      MD5

                                                      bedc5cbfb35cc06c74fdb0182b3cf264

                                                      SHA1

                                                      ea2552b660f6f4a4ffe1f1c3e340da3a87ee8dd5

                                                      SHA256

                                                      dc16ff42de493010247b826b9aac16739e99f4e2879670ce3fd26256b2123f24

                                                      SHA512

                                                      fb9c5eb4ed0eb96c4a6de4515c6deaa62ebed6e477ae4acfd730d97818214f23d0674bd99a127833d5072b9c65047f4c50191c5a70b5b05a2756394d43b39390

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                      Filesize

                                                      15KB

                                                      MD5

                                                      96c542dec016d9ec1ecc4dddfcbaac66

                                                      SHA1

                                                      6199f7648bb744efa58acf7b96fee85d938389e4

                                                      SHA256

                                                      7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                      SHA512

                                                      cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe
                                                      Filesize

                                                      10.2MB

                                                      MD5

                                                      d3b39a6b63c3822be6f8af9b3813bbad

                                                      SHA1

                                                      00b020e5a1c05442612f2cec7950c2814b59b1b6

                                                      SHA256

                                                      786f1331a0618485b31ba763911b14fcec691bf9897bee8f42680076092b7a2f

                                                      SHA512

                                                      a5c7504b29798fdabf610cf65716ec1d7745956f470d86de12a52b3c8731f858764fdf78647e50b3111622e7e65f05f82cd258b98c1a0f45ef7fdc088647d4ff

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1007273001\54e67528aa.exe
                                                      Filesize

                                                      1.9MB

                                                      MD5

                                                      e43a8b85e3e4f3ab02a94b84c2d5893f

                                                      SHA1

                                                      9c2bc2000b8858516d717441c89dd987d5a19ddf

                                                      SHA256

                                                      d027b34627eb19d6b5a432117148d21990678da6b218c595623a07492158e69e

                                                      SHA512

                                                      136fc58786f1e70775ddfdc01e6659f4d8295a5b8d78154012f8aadc167cb9047d00cd1030f6da455e92d012ee86acf4e0071e502002502ddeee1758a4e0e1a2

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
                                                      Filesize

                                                      3.1MB

                                                      MD5

                                                      f9b9f98592292b5cbf59c7a60e9ebaee

                                                      SHA1

                                                      59cc872fd0a11b259cc5b70893f35e9b5a7c8cbb

                                                      SHA256

                                                      5688e9e0becc622c573af2a1af4ee0676ef3907e38a9258a7801b46b7ad64665

                                                      SHA512

                                                      f27e4a96173aeb064f47d44ff445b1e15f6d4f39a4ad711c019bb29692caea56eb910970d22bc13ac5c57a256d71e77b12aa60c8405335a239781c57cb0eaf8e

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe
                                                      Filesize

                                                      17.6MB

                                                      MD5

                                                      3c224e3fc892719dc1e302378e533579

                                                      SHA1

                                                      0a65062e1426a95bfeca355398b6fdc4912fb6b1

                                                      SHA256

                                                      64cc7f7906fe1ebf0b6977892abd9aa36f5e525cb241964c3986ee9e1a18312d

                                                      SHA512

                                                      554a26e9654eccce831e4adcee49d5e2507956935e562b134a86f332d867debfcd1f64fdb88fccb2e1eee810975d565dbc6ea1376516817ee38765e4bd733a49

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1016974001\f4d0d43e30.exe
                                                      Filesize

                                                      2.9MB

                                                      MD5

                                                      98c28cbc0f77f431bd470b389c8d5d84

                                                      SHA1

                                                      5043a0e8eabeab839570cdc732aa63f98964884d

                                                      SHA256

                                                      c9bad96eda6069fda384604035910ecbb035a5f397ff1f20f890de308eaa7b08

                                                      SHA512

                                                      c41e9eba47cc74c44f01582fd74f935969aabb3dab5d8ab34e0e117b2085d66f5b3ea9b4a05b85ee5f3575443d00385a8eed68c32ca68697020d0e00a66afed7

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe
                                                      Filesize

                                                      1.8MB

                                                      MD5

                                                      ff279f4e5b1c6fbda804d2437c2dbdc8

                                                      SHA1

                                                      2feb3762c877a5ae3ca60eeebc37003ad0844245

                                                      SHA256

                                                      e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378

                                                      SHA512

                                                      c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe
                                                      Filesize

                                                      21KB

                                                      MD5

                                                      14becdf1e2402e9aa6c2be0e6167041e

                                                      SHA1

                                                      72cbbae6878f5e06060a0038b25ede93b445f0df

                                                      SHA256

                                                      7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a

                                                      SHA512

                                                      16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe
                                                      Filesize

                                                      1.8MB

                                                      MD5

                                                      25fb9c54265bbacc7a055174479f0b70

                                                      SHA1

                                                      4af069a2ec874703a7e29023d23a1ada491b584e

                                                      SHA256

                                                      552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c

                                                      SHA512

                                                      7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017063001\54e67528aa.exe
                                                      Filesize

                                                      4.2MB

                                                      MD5

                                                      70434d35e134be744784cc4acf6e8179

                                                      SHA1

                                                      bfd584fe0f50e158ef7df13350f00ddd1797a5c5

                                                      SHA256

                                                      db554c37c8a4b97901452b495ea43e0c4bced715f393adec6993451eb244109d

                                                      SHA512

                                                      eecdb906b01edeafc6c88ab38ba2ddcf38ef6a1140d59a1c52321da580440c036f05a5ce0a930dd379eb8a4376a577ecd3f8946f49d1f77b0fe22953f91c6f7b

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017064001\4e045532a4.exe
                                                      Filesize

                                                      1.8MB

                                                      MD5

                                                      d0bb2fa7815ae25e59827dd3e8a710ba

                                                      SHA1

                                                      013aa5756aa4fea565a5e4f576af688dc65d7435

                                                      SHA256

                                                      e9d6b68a7005d52a9caa77bd238493442a002b09eeb6c52542a587631a92de88

                                                      SHA512

                                                      c7cffa0c187073df5361f0e1654a0fa6ba2da05d9c503c28c4ac5a8437b65830ac23eeb2507f834995c307c770d0ee2f8295c653abbb21dbc980b1f8aacc85b4

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017066001\a2620276bc.exe
                                                      Filesize

                                                      947KB

                                                      MD5

                                                      30a31c79ab26328dfe4fcead06fe24f3

                                                      SHA1

                                                      89bf3e7f611e857923f1608fbf2b3d2c2f431d6c

                                                      SHA256

                                                      4c6e5ed4a3b935a4bc196f9db806ad5b1ea078d59e6dff756347a57a2e5f2f9c

                                                      SHA512

                                                      2ce67636672fe1b0fba30273aa2385b9bc5447c7a2d90e9f0037e0017d90e38233e5febf1cd03e90f06a4e891deccb0358a536272e5814e88e3a51a655213b8f

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017068001\849a67a42f.exe
                                                      Filesize

                                                      4.2MB

                                                      MD5

                                                      3a425626cbd40345f5b8dddd6b2b9efa

                                                      SHA1

                                                      7b50e108e293e54c15dce816552356f424eea97a

                                                      SHA256

                                                      ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

                                                      SHA512

                                                      a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\1017069001\e2791f8a36.exe
                                                      Filesize

                                                      3.1MB

                                                      MD5

                                                      c00a67d527ef38dc6f49d0ad7f13b393

                                                      SHA1

                                                      7b8f2de130ab5e4e59c3c2f4a071bda831ac219d

                                                      SHA256

                                                      12226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3

                                                      SHA512

                                                      9286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\OYIPP49A7OL4QAOZIAQ2CWDYSY0ASE.exe
                                                      Filesize

                                                      2.9MB

                                                      MD5

                                                      4452ec57b9f73248dc972b2b312757a8

                                                      SHA1

                                                      64864da549ac01ae995614ce1cff74fa4d534d0c

                                                      SHA256

                                                      664e69b71a65f6affb6e66ec4711c67cbebbb58781d49cf5c0a0e2d33d869225

                                                      SHA512

                                                      bb7be4b4529724464300c663bf42a1c4d30e16abb1f156a19161c863d91aad20270ec88f7a5bc74ea88e3415e13e6a65b7f9277a7d1af4742aad06fc3a9bee01

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                      Filesize

                                                      2.9MB

                                                      MD5

                                                      f04e6f4a98b27fccb18cdde586a3e946

                                                      SHA1

                                                      9bf30c2d707089f4b0afbb8d6ea4a7a8a2374691

                                                      SHA256

                                                      5eb00b4d1604a197ddd4f16476ddcb649686de0160158c2a04136e7a62d0246b

                                                      SHA512

                                                      841c22e9e66d490a918de842b5d5e458aeb9cc178d54e8a34ac6f4b81932e9305a41095cef70c8eb4b0582068cc492e26baa7440a921b86ee05833ffc0142bb5

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                      Filesize

                                                      458KB

                                                      MD5

                                                      619f7135621b50fd1900ff24aade1524

                                                      SHA1

                                                      6c7ea8bbd435163ae3945cbef30ef6b9872a4591

                                                      SHA256

                                                      344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

                                                      SHA512

                                                      2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\main\main.bat
                                                      Filesize

                                                      440B

                                                      MD5

                                                      3626532127e3066df98e34c3d56a1869

                                                      SHA1

                                                      5fa7102f02615afde4efd4ed091744e842c63f78

                                                      SHA256

                                                      2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

                                                      SHA512

                                                      dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                      Filesize

                                                      442KB

                                                      MD5

                                                      85430baed3398695717b0263807cf97c

                                                      SHA1

                                                      fffbee923cea216f50fce5d54219a188a5100f41

                                                      SHA256

                                                      a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                                                      SHA512

                                                      06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6TAM3AQ4SWIVVZDX69OR.temp
                                                      Filesize

                                                      7KB

                                                      MD5

                                                      29c2393e35d19904067bc4b7f835a98f

                                                      SHA1

                                                      998f84dd72f251f3f06a3df2d46769a60888396f

                                                      SHA256

                                                      b770da3ebe31e07f23c63af7e444338a9824e718ed02c43a96c76b9c63d514fa

                                                      SHA512

                                                      7ca89d6df9d8ea180ca4411d9fea87696689eca3b9fbb4f62f2255115d870434b73f513c496506897bae7662cdc40b6157139353ab00d4232f272b08ff4c0ce6

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
                                                      Filesize

                                                      2KB

                                                      MD5

                                                      dc1ec167d1159b736388f8a70a45ddc4

                                                      SHA1

                                                      453574cdba0376b4d7ed016c7dee1ea97a84d554

                                                      SHA256

                                                      76b7a9683257af7411968f70aac4f8f0f2698d9ab908b388bf29c1a8142620ee

                                                      SHA512

                                                      4aa7db508110f899f1e3bafa69914949146926a21c375df1ca0c484f62c3bbff2ee020bea67659d29ac19a6c488c466b608061a030ecece52e015dfab5d03e1c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\7a434ce8-9136-4032-8dad-7782c313bf45
                                                      Filesize

                                                      745B

                                                      MD5

                                                      0512245539fdca02bdc690aadd03c0cd

                                                      SHA1

                                                      f83fd722427883453ce9e94338b5ae3c11ddf8f3

                                                      SHA256

                                                      f941dadb25c4fd718bd1293224a46c38870798063460bd8e5b01aa5e3e98e4ad

                                                      SHA512

                                                      eb5fe1048e0c7990b231d5bd720f3c235065c6df6e32129d530d6354e451bacf0ac54bb6a1e5a28881962d8884c9b9c8b6ea23dafe46d61279b92f000b72fdef

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\7c58fb35-68ed-4eef-bfb1-2244721ddf44
                                                      Filesize

                                                      11KB

                                                      MD5

                                                      ec9ffa10232aebe885c760fc0875352d

                                                      SHA1

                                                      b4f5b39b178ae2a9be72141a829a4390644c4eaa

                                                      SHA256

                                                      e88cfd1d7c9ecd411304ac522b5f625b8c66f3ab32561c87733086cf2fe14911

                                                      SHA512

                                                      5468bfcc05c35da3e83ea058c1f54e435b79477a9fc307d278382f1bb364e5723fb71729e1388e3ca52d1bbd996c49e962026210984076600d59eaf1dd680e21

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                                                      Filesize

                                                      997KB

                                                      MD5

                                                      fe3355639648c417e8307c6d051e3e37

                                                      SHA1

                                                      f54602d4b4778da21bc97c7238fc66aa68c8ee34

                                                      SHA256

                                                      1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                                                      SHA512

                                                      8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                                                      Filesize

                                                      116B

                                                      MD5

                                                      3d33cdc0b3d281e67dd52e14435dd04f

                                                      SHA1

                                                      4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                                                      SHA256

                                                      f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                                                      SHA512

                                                      a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs-1.js
                                                      Filesize

                                                      6KB

                                                      MD5

                                                      6ae8902615394652a94ad14e3f8a3b69

                                                      SHA1

                                                      e7e0e6593cb1293b628d101f365cde9ef6de0a41

                                                      SHA256

                                                      20d05a99f1cf9506702ec96aedcc36ee13f1fa8973b7fe9b298cac184569c7d6

                                                      SHA512

                                                      4ea8f515eeac1b7d57db8d8b2638de7b4d0f84dd09a7549cf2f073dee73bb99b746e5d720b7af654667078474256c0fcdec1cad1aa9333b47944c2373c96b8b8

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\prefs.js
                                                      Filesize

                                                      6KB

                                                      MD5

                                                      08c1e01a0f558660db20383fca953360

                                                      SHA1

                                                      5fdbdd275935d38cb21388759bfdef0457af1bc6

                                                      SHA256

                                                      50e8071de3ba3419cb31a4ba8fa1257d6bdfda1f9c5979d1f3ed1b1c3adacff5

                                                      SHA512

                                                      db4a2fb610555efa6723359c296cfc2d68cd6c7673c1694017d227932a173cff42e2752cd8b0c6f99632cc1d314236dd1d3889df53fa30433db75e5aac8c955d

                                                      Download Submit

                                                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
                                                      Filesize

                                                      4KB

                                                      MD5

                                                      00b5210ce308bf31cbc0adc25f5f860c

                                                      SHA1

                                                      b814ebe46bfb6830283c54fca9a3972e37e2cc5d

                                                      SHA256

                                                      3bd99d977e77d27490517cdb4ff68d27b89fb214bd41dfdd02e2f40957b0b5fe

                                                      SHA512

                                                      1fbacb838290ba733abc5a1724e7ba1e01777cdedab6c301f165355fc7846e7fd6e24fce57ac2e1c6c27f72f658a81f0b998e1edfc77898014cd74f09387faf1

                                                      Download Submit

                                                    • \Users\Admin\AppData\Local\Temp\4196QTKXW13E9FZH7JVJQF3BDLPY5.exe
                                                      Filesize

                                                      1.7MB

                                                      MD5

                                                      ad032d27245fb875c3a6cca4ce138495

                                                      SHA1

                                                      39236146bf25941b206f447d1c90521b050d99ff

                                                      SHA256

                                                      024252845c56aaf523d909ad02ddc6dc8160fbc0f5d5caa24b45af09afe3730d

                                                      SHA512

                                                      09379949e8921144f092aca9e5aef72f027a81d8aea82c1986ca262cd5d69173cf23f07c2fa8a6a392eb41191431e6407b614f6384c7d163380e77d0ac36c2fb

                                                      Download Submit

                                                    • memory/1400-824-0x0000000000CF0000-0x0000000001200000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1524-823-0x00000000067E0000-0x0000000006CF0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1524-664-0x0000000000D10000-0x000000000102E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/1524-918-0x0000000000D10000-0x000000000102E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/1524-789-0x0000000000D10000-0x000000000102E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/1524-617-0x0000000000D10000-0x000000000102E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/1524-863-0x0000000000D10000-0x000000000102E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/1736-846-0x0000000001100000-0x00000000015B0000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/1736-917-0x00000000009C0000-0x0000000000ED0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1736-839-0x0000000004C90000-0x0000000005090000-memory.dmp

                                                      Filesize

                                                      4.0MB

                                                      Download

                                                    • memory/1736-840-0x0000000004C90000-0x0000000005090000-memory.dmp

                                                      Filesize

                                                      4.0MB

                                                      Download

                                                    • memory/1736-841-0x00000000776A0000-0x0000000077849000-memory.dmp

                                                      Filesize

                                                      1.7MB

                                                      Download

                                                    • memory/1736-843-0x0000000075940000-0x0000000075987000-memory.dmp

                                                      Filesize

                                                      284KB

                                                      Download

                                                    • memory/1972-319-0x0000000001190000-0x00000000016A0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1972-320-0x0000000001190000-0x00000000016A0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1972-549-0x0000000001190000-0x00000000016A0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1972-38-0x0000000001190000-0x00000000016A0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1972-511-0x0000000001190000-0x00000000016A0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1972-40-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                      Filesize

                                                      972KB

                                                      Download

                                                    • memory/1972-541-0x0000000001190000-0x00000000016A0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/1992-892-0x0000000000070000-0x0000000000BCE000-memory.dmp

                                                      Filesize

                                                      11.4MB

                                                      Download

                                                    • memory/2056-662-0x00000000003B0000-0x00000000003BC000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/2084-587-0x0000000000810000-0x00000000019A6000-memory.dmp

                                                      Filesize

                                                      17.6MB

                                                      Download

                                                    • memory/2160-847-0x0000000001B80000-0x0000000001F80000-memory.dmp

                                                      Filesize

                                                      4.0MB

                                                      Download

                                                    • memory/2160-844-0x00000000000C0000-0x00000000000CA000-memory.dmp

                                                      Filesize

                                                      40KB

                                                      Download

                                                    • memory/2160-850-0x0000000075940000-0x0000000075987000-memory.dmp

                                                      Filesize

                                                      284KB

                                                      Download

                                                    • memory/2160-848-0x00000000776A0000-0x0000000077849000-memory.dmp

                                                      Filesize

                                                      1.7MB

                                                      Download

                                                    • memory/2160-735-0x000000013F120000-0x0000000140367000-memory.dmp

                                                      Filesize

                                                      18.3MB

                                                      Download

                                                    • memory/2204-634-0x0000000001240000-0x00000000016E6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2204-891-0x0000000001240000-0x00000000016E6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2204-834-0x0000000001240000-0x00000000016E6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2204-893-0x0000000001240000-0x00000000016E6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2204-806-0x0000000001240000-0x00000000016E6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2332-919-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-807-0x0000000006C50000-0x00000000070FB000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2332-574-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-866-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-618-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-601-0x0000000006630000-0x000000000694E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2332-633-0x0000000006C50000-0x00000000070F6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2332-559-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-790-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-864-0x0000000006C50000-0x00000000070FB000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2332-804-0x0000000006C50000-0x00000000070FB000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2332-851-0x0000000006C50000-0x00000000070FB000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2332-808-0x0000000006C50000-0x00000000070F6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2332-603-0x0000000006630000-0x000000000694E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2332-632-0x0000000006630000-0x000000000694E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2332-805-0x0000000006C50000-0x00000000070F6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2332-573-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2332-635-0x0000000006C50000-0x00000000070F6000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2332-575-0x0000000000100000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2420-788-0x000000013FC20000-0x0000000140687000-memory.dmp

                                                      Filesize

                                                      10.4MB

                                                      Download

                                                    • memory/2452-17-0x00000000061D0000-0x0000000006630000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/2452-7-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-35-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-34-0x00000000061D0000-0x00000000066E0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/2452-15-0x00000000061D0000-0x0000000006630000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/2452-0-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-1-0x0000000077890000-0x0000000077892000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/2452-36-0x00000000061D0000-0x00000000066E0000-memory.dmp

                                                      Filesize

                                                      5.1MB

                                                      Download

                                                    • memory/2452-6-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-5-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-4-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-3-0x00000000008E0000-0x0000000000D81000-memory.dmp

                                                      Filesize

                                                      4.6MB

                                                      Download

                                                    • memory/2452-2-0x00000000008E1000-0x0000000000906000-memory.dmp

                                                      Filesize

                                                      148KB

                                                      Download

                                                    • memory/2588-545-0x0000000001FE0000-0x0000000002309000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2588-572-0x0000000001FE0000-0x0000000002309000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2604-865-0x00000000013D0000-0x00000000016F9000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2616-920-0x0000000000D90000-0x000000000123B000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2616-867-0x0000000000D90000-0x000000000123B000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2616-809-0x0000000000D90000-0x000000000123B000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2616-868-0x0000000000D90000-0x000000000123B000-memory.dmp

                                                      Filesize

                                                      4.7MB

                                                      Download

                                                    • memory/2648-602-0x0000000001080000-0x000000000139E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2648-616-0x0000000006960000-0x0000000006C7E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2648-615-0x0000000001080000-0x000000000139E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2648-614-0x0000000006960000-0x0000000006C7E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2648-663-0x0000000006960000-0x0000000006C7E000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2736-644-0x0000000005380000-0x00000000054D6000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                      Download

                                                    • memory/2736-645-0x00000000007D0000-0x00000000007F2000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/2736-571-0x0000000000860000-0x0000000000B80000-memory.dmp

                                                      Filesize

                                                      3.1MB

                                                      Download

                                                    • memory/2816-558-0x0000000001390000-0x00000000016B9000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2816-557-0x0000000006370000-0x0000000006699000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2816-546-0x0000000001390000-0x00000000016B9000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/2836-25-0x0000000000A00000-0x0000000000E60000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/2836-18-0x0000000000A00000-0x0000000000E60000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/2968-658-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2968-657-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2968-651-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2968-656-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2968-647-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2968-653-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2968-649-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/2968-659-0x0000000000400000-0x0000000000456000-memory.dmp

                                                      Filesize

                                                      344KB

                                                      Download

                                                    • memory/3236-1235-0x0000000000100000-0x0000000000428000-memory.dmp

                                                      Filesize

                                                      3.2MB

                                                      Download

                                                    • memory/3284-1209-0x000000001B590000-0x000000001B872000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                      Download

                                                    • memory/3284-1210-0x00000000022D0000-0x00000000022D8000-memory.dmp

                                                      Filesize

                                                      32KB

                                                      Download

                                                    • memory/3368-1045-0x0000000000140000-0x00000000005A0000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/3368-1044-0x0000000000140000-0x00000000005A0000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/4088-1114-0x0000000001150000-0x00000000015B0000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download

                                                    • memory/4088-1115-0x0000000001150000-0x00000000015B0000-memory.dmp

                                                      Filesize

                                                      4.4MB

                                                      Download