gurcu | 835660cab66991d746aec86d76a04554f4e37b0c2130b0a8c11cbb34d824c408

Analysis

max time kernel
255s
max time network
259s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/01/2025, 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RisePro_Stealer.zip
Size

132.3MB
MD5

f3f75e768b2f9ce2fcea5b13a4359fd5
SHA1

298cceaacb6d32a2999eb0e70bcc1b5fa6dd1e71
SHA256

835660cab66991d746aec86d76a04554f4e37b0c2130b0a8c11cbb34d824c408
SHA512

6cbad6270f74a51a4cd6d4a08fffd5c75e123bc26edbba44c3e87bce4996bada3d9f914271d9436a9254d91b74721a4a1eb2d3b7387c726491abd7d05ba13694
SSDEEP

3145728:y0r5qDHbowmPqvPiszd66UEebXFf2Vo88SZdN2Ath69RXc4ydZVdyH:H4Dbowmq3fdvgOS88Sxn4c4yDyH

Score

10^/10

gurcu privateloader risepro xworm discovery evasion execution loader persistence privilege_escalation rat stealer trojan

Malware Config

Extracted

Family

xworm

dsasinject-58214.portmap.io:3388

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Extracted

Family

gurcu

https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aaea-430.dat	family_xworm
behavioral1/memory/4768-439-0x0000000000310000-0x0000000000324000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Risepro family
risepro
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1436	powershell.exe
4112	powershell.exe
2140	powershell.exe
3292	powershell.exe
132	powershell.exe
4792	powershell.exe
1136	powershell.exe
1252	powershell.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1572	netsh.exe
2852	netsh.exe
2316	netsh.exe
2816	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 64 IoCs

pid	Process
1384	RisePro_Server‌‌.exe
3672	RisePro_Server.exe
4768	svchost.exe
808	csrss.exe
1756	GoogleRestore.exe
1404	GoogleRestore.exe
3580	node.exe
5376	RisePro_Proxy‌‌‌.exe
2032	RisePro_Proxy.exe
4756	svchost.exe
2088	csrss.exe
564	RisePro_Proxy.exe
5836	svchost.exe
4312	csrss.exe
4240	RisePro_Proxy.exe
5680	svchost.exe
1940	csrss.exe
5416	RisePro_Proxy.exe
5544	svchost.exe
5488	csrss.exe
4616	RisePro_Proxy.exe
1168	svchost.exe
2988	csrss.exe
4704	RisePro_Proxy.exe
1856	svchost.exe
336	csrss.exe
1904	RisePro_Proxy.exe
2100	svchost.exe
6104	csrss.exe
2144	RisePro_Proxy.exe
844	svchost.exe
1032	csrss.exe
5324	RisePro_Proxy.exe
1948	svchost.exe
6044	csrss.exe
1796	RisePro_Proxy.exe
5152	svchost.exe
4144	csrss.exe
5620	RisePro_Proxy.exe
2876	svchost.exe
5988	csrss.exe
5600	RisePro_Proxy.exe
5616	svchost.exe
3252	csrss.exe
1572	RisePro_Proxy.exe
4980	svchost.exe
4332	csrss.exe
2988	RisePro_Proxy.exe
2372	svchost.exe
3084	csrss.exe
2340	RisePro_Proxy.exe
6120	svchost.exe
1076	csrss.exe
3740	RisePro_Proxy.exe
1624	svchost.exe
5848	csrss.exe
4124	RisePro_Proxy.exe
3992	svchost.exe
4512	csrss.exe
2088	RisePro_Proxy.exe
1612	svchost.exe
3112	csrss.exe
1796	RisePro_Proxy.exe
2552	svchost.exe

Loads dropped DLL 51 IoCs

pid	Process
3672	RisePro_Server.exe
3672	RisePro_Server.exe
3672	RisePro_Server.exe
3672	RisePro_Server.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe
1404	GoogleRestore.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3672	RisePro_Server.exe
3672	RisePro_Server.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RisePro_Server.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
576	chrome.exe

Checks processor information in registry 2 TTPs 32 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 8c003100000000002d5ad9b8110050524f4752417e310000740009000400efbec55259612d5ad9b82e0000003f0000000000010000000000000000004a0000000000ce335e00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
808	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	powershell.exe
3292	powershell.exe
132	powershell.exe
132	powershell.exe
4792	powershell.exe
4792	powershell.exe
1136	powershell.exe
1136	powershell.exe
1252	powershell.exe
1252	powershell.exe
1436	powershell.exe
1436	powershell.exe
3672	RisePro_Server.exe
3672	RisePro_Server.exe
4112	powershell.exe
2140	powershell.exe
2140	powershell.exe
4112	powershell.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe
4768	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4040	7zFM.exe
5720	OpenWith.exe
5552	OpenWith.exe
4768	svchost.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	4040	7zFM.exe
Token: 35	4040	7zFM.exe
Token: SeDebugPrivilege	2928	firefox.exe
Token: SeDebugPrivilege	2928	firefox.exe
Token: SeSecurityPrivilege	4040	7zFM.exe
Token: SeDebugPrivilege	4768	svchost.exe
Token: SeDebugPrivilege	808	csrss.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	132	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeBackupPrivilege	2372	vssvc.exe
Token: SeRestorePrivilege	2372	vssvc.exe
Token: SeAuditPrivilege	2372	vssvc.exe
Token: SeDebugPrivilege	6136	firefox.exe
Token: SeDebugPrivilege	6136	firefox.exe
Token: SeRestorePrivilege	1624	7zFM.exe
Token: 35	1624	7zFM.exe
Token: SeDebugPrivilege	6136	firefox.exe
Token: SeDebugPrivilege	6136	firefox.exe
Token: SeDebugPrivilege	6136	firefox.exe
Token: SeDebugPrivilege	4756	svchost.exe
Token: SeDebugPrivilege	5836	svchost.exe
Token: SeDebugPrivilege	5680	svchost.exe
Token: SeDebugPrivilege	5544	svchost.exe
Token: SeDebugPrivilege	1168	svchost.exe
Token: SeDebugPrivilege	1856	svchost.exe
Token: SeDebugPrivilege	2100	svchost.exe
Token: SeDebugPrivilege	844	svchost.exe
Token: SeDebugPrivilege	1948	svchost.exe
Token: SeDebugPrivilege	5152	svchost.exe
Token: SeDebugPrivilege	2876	svchost.exe
Token: SeDebugPrivilege	5616	svchost.exe
Token: SeDebugPrivilege	4980	svchost.exe
Token: SeDebugPrivilege	2372	svchost.exe
Token: SeDebugPrivilege	6120	svchost.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeDebugPrivilege	3992	svchost.exe
Token: SeDebugPrivilege	1612	svchost.exe
Token: SeDebugPrivilege	2552	svchost.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4040	7zFM.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
2928	firefox.exe
4040	7zFM.exe
6136	firefox.exe
1624	7zFM.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe

Suspicious use of SetWindowsHookEx 53 IoCs

pid	Process
2928	firefox.exe
4768	svchost.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5720	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
5552	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
1404	OpenWith.exe
6136	firefox.exe
6136	firefox.exe
6136	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 4624 wrote to memory of 2928	4624	firefox.exe	81
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4216	2928	firefox.exe	82
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83
PID 2928 wrote to memory of 4984	2928	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RisePro_Stealer.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdd0a5d6-5695-43b2-a161-4cffe80fcd84} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" gpu
    3⤵
    PID:4216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ee8d4f1-6634-40e8-a7dc-17d805bd623c} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" socket
    3⤵
    - Checks processor information in registry
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1352 -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 3188 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {554fe01c-8696-4b82-b800-b76fc9873db5} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab
    3⤵
    PID:4524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 2 -isForBrowser -prefsHandle 3612 -prefMapHandle 3608 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {653e2758-74b5-4872-ba17-95f8344755f8} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab
    3⤵
    PID:612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4656 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0ab7e1-ab4b-4dde-985c-55e4c75981c8} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" utility
    3⤵
    - Checks processor information in registry
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5504 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b57bdc66-4eaf-462d-b5ec-e7fa9c675036} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab
    3⤵
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 5728 -prefMapHandle 5724 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4c9229e-5a09-4ff2-9478-282553d956d9} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab
    3⤵
    PID:2948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5624 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63ecc167-435d-4389-b08a-1f65b81ff0af} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" tab
    3⤵
    PID:4608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:904

C:\Users\Admin\Desktop\Panel\RisePro_Server‌‌.exe
"C:\Users\Admin\Desktop\Panel\RisePro_Server‌‌.exe"
1⤵
- Executes dropped EXE
PID:1384
- C:\Users\Admin\Desktop\Panel\RisePro_Server.exe
  "C:\Users\Admin\Desktop\Panel\RisePro_Server.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Users\Admin\Desktop\Panel\tmp\GoogleRestore.exe
    .\tmp\GoogleRestore.exe
    3⤵
    - Executes dropped EXE
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\GoogleRestore.exe
      .\tmp\GoogleRestore.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\playwright.cmd run-driver
        5⤵
        
        PID:3036
      - C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\node.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\node.exe" "C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\playwright\driver\package\lib\cli\cli.js" run-driver
        6⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-field-trial-config --disable-background-networking --enable-features=NetworkService,NetworkServiceInProcess --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=ImprovedCookieControls,LazyFrameLoading,GlobalMediaControls,DestroyProfileOnBrowserClose,MediaRouter,DialMediaRouteProvider,AcceptCHFrame,AutoExpandDetailsElement,CertificateTransparencyComponentUpdater,AvoidUnnecessaryBeforeUnloadCheckSync,Translate,HttpsUpgrades --allow-pre-commit-input --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --force-color-profile=srgb --metrics-recording-only --no-first-run --enable-automation --password-store=basic --use-mock-keychain --no-service-autorun --export-tagged-pdf --disable-search-engine-choice-screen --headless --hide-scrollbars --mute-audio --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --no-sandbox --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium --remote-debugging-pipe about:blank
        7⤵
        Drops file in Windows directory
        System Time Discovery
        
        PID:576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff88800cc40,0x7ff88800cc4c,0x7ff88800cc58
        8⤵
        
        PID:432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --disable-breakpad --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1452,i,93564123764440497,15905512125148203183,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1440 /prefetch:2
        8⤵
        
        PID:300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --field-trial-handle=1628,i,93564123764440497,15905512125148203183,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1624 /prefetch:3
        8⤵
        
        PID:3500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --no-sandbox --disable-back-forward-cache --disable-background-timer-throttling --disable-breakpad --enable-automation --force-color-profile=srgb --remote-debugging-pipe --allow-pre-commit-input --blink-settings=primaryHoverType=2,availableHoverTypes=2,primaryPointerType=4,availablePointerTypes=4 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=1740,i,93564123764440497,15905512125148203183,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1732 /prefetch:1
        8⤵
        Drops file in Program Files directory
        
        PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="RisePro External - 50500" > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall show rule name="RisePro External - 50500"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="RisePro External - 1080" > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall show rule name="RisePro External - 1080"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="RisePro External - 50500" dir=in action=allow protocol=TCP localport=50500
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="RisePro External - 50500" dir=in action=allow protocol=TCP localport=50500
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="RisePro External - 1080" dir=in action=allow protocol=TCP localport=1080
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="RisePro External - 1080" dir=in action=allow protocol=TCP localport=1080
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2816
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- C:\ProgramData\csrss.exe
  "C:\ProgramData\csrss.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6120
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1868 -parentBuildID 20240401114208 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 26762 -prefMapSize 244694 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d20f4291-d0e4-4009-9a15-9607ad56508f} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" gpu
    3⤵
    PID:3404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2116 -parentBuildID 20240401114208 -prefsHandle 2192 -prefMapHandle 1572 -prefsLen 26762 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9ca3fe-98c2-4d66-a7b3-2898908a2ff7} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" socket
    3⤵
    PID:2528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2920 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3256 -prefsLen 27261 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9bbad9e-f6d1-488d-8231-559bdbfda0d6} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:3952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 32494 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37a79805-4b1f-4d86-9367-ed0a70c329a7} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4396 -prefMapHandle 4392 -prefsLen 32494 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06f1dacb-5116-4745-bcc2-22e8f15612ea} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" utility
    3⤵
    - Checks processor information in registry
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5332 -prefsLen 27445 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {988fc897-69c8-41c7-be94-2e441458610c} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 4 -isForBrowser -prefsHandle 3604 -prefMapHandle 5408 -prefsLen 27445 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0da65f7e-49c7-449d-8ebd-753a8959078c} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27445 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5acbef8-96f6-4fcc-b4c3-fae162281793} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:1520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 6 -isForBrowser -prefsHandle 5604 -prefMapHandle 5812 -prefsLen 27445 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {807a5d02-a85b-4626-9dae-28b85e2e1d4b} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:5492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5016 -childID 7 -isForBrowser -prefsHandle 4228 -prefMapHandle 4232 -prefsLen 33852 -prefMapSize 244694 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47fa64e9-bae3-4ef3-bf70-28d54589c32b} 6136 "\\.\pipe\gecko-crash-server-pipe.6136" tab
    3⤵
    PID:5348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Panel\tmp\ports.json"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\Panel\tmp\ports.json"
  2⤵
  PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\Panel\tmp\ports.json
    3⤵
    - Checks processor information in registry
    PID:3924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\Proxy\rise_settings.json"
1⤵
PID:5624
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\Proxy\rise_settings.json
  2⤵
  - Checks processor information in registry
  PID:5016

C:\Users\Admin\Desktop\Proxy\RisePro_Proxy‌‌‌.exe
"C:\Users\Admin\Desktop\Proxy\RisePro_Proxy‌‌‌.exe"
1⤵
- Executes dropped EXE
PID:5376
- C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
  "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
  2⤵
  - Executes dropped EXE
  PID:2032
- - C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
    "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
    3⤵
    - Executes dropped EXE
    PID:564
  - - C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
      "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
      4⤵
      Executes dropped EXE
      PID:4240
    - - C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        5⤵
        Executes dropped EXE
        
        PID:5416
      - C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        6⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        7⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        8⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        9⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        10⤵
        Executes dropped EXE
        
        PID:5324
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        11⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        12⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        13⤵
        Executes dropped EXE
        
        PID:5600
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        14⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        15⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        16⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        17⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        18⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        19⤵
        Executes dropped EXE
        
        PID:2088
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        20⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe
        
        "C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe"
        21⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        21⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        20⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        19⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        18⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        17⤵
        Executes dropped EXE
        
        PID:5848
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        16⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        15⤵
        Executes dropped EXE
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        14⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        13⤵
        Executes dropped EXE
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        12⤵
        Executes dropped EXE
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5152
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        11⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        10⤵
        Executes dropped EXE
        
        PID:6044
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        9⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        8⤵
        Executes dropped EXE
        
        PID:6104
        
        C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        7⤵
        Executes dropped EXE
        
        PID:336
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
      - C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        6⤵
        Executes dropped EXE
        
        PID:2988
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
    - - C:\ProgramData\csrss.exe
        
        "C:\ProgramData\csrss.exe"
        5⤵
        Executes dropped EXE
        
        PID:5488
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5680
  - - C:\ProgramData\csrss.exe
      "C:\ProgramData\csrss.exe"
      4⤵
      Executes dropped EXE
      PID:1940
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5836
- - C:\ProgramData\csrss.exe
    "C:\ProgramData\csrss.exe"
    3⤵
    - Executes dropped EXE
    PID:4312
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\ProgramData\csrss.exe
  "C:\ProgramData\csrss.exe"
  2⤵
  - Executes dropped EXE
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe

Filesize
28KB

MD5
95a96f8e151ea62c58078f10c758f38d

SHA1
229535cd7780450490d11297e0c0866f58227c49

SHA256
0533f95f961b28efb7b747dde819e8400d515140cd0beecd14f55ac9a9a1ebcd

SHA512
ef52f5306acbc876cc0d7d318496933b59315e0dfb0bc09e6331faff1f93447b97029f2bb5e1f82f52896fe298faca9d74280be690da068bd13c8b6518da7908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
437395ef86850fbff98c12dff89eb621

SHA1
9cec41e230fa9839de1e5c42b7dbc8b31df0d69c

SHA256
9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6

SHA512
bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c24caab1947646fcc49d6158d78a56f5

SHA1
aa2cd00401eb273991f2d6fdc739d473ff6e8319

SHA256
0696315ad3df3edd5426276c265bd13d8bd2a0d101548bcaedd82e2aebde655a

SHA512
35e1d214dfb4c7f078496e3e303aea152aa48f9db5b9aa188aeb82b541582ed77f60bfe8712836232b5aa31d3645edfc79b42c8f90e92e06778f21aa44971bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69cd31d6260d02c53adead66b8bb3fee

SHA1
0e8d7b65bfe4e6f7322521183aa08d9b6f0cd33b

SHA256
3c46703036811ffa65154f16ee7e323b11be85a9f4724d013ac9965d70676713

SHA512
d141b98bfd230487fa783025b93edafae2b84217a022003d43092c80e82e14f1d54862271381179ad1a58d3d168d5324a66cc718784a51b681acd98076cd2cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8082885362359f72fb414d2fa6ad357d

SHA1
c6111820bcf1adf9ac4e8a441d984790465b6393

SHA256
0b70605985f4148a236426049c44406110e9edc165a0501f636015a30340beef

SHA512
b5d227b5ac6549566d7456616b98fe9aa62f6721be43a9e5674c35c2c9d218f7fec0fea978bdaff3ec73b6591c6e41efa8946526c2ab473da1c443a5a851a145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b5e7ecd47495de42a2219f5b7bed772c

SHA1
22e80700abc2bc8fd1e3f5028e89d6fad6764409

SHA256
690598e276b1890a9d90ad1ad4f389021208678a36228865a8bb219e9e7e90e2

SHA512
8aad70b749d4857400f1ac52f3b33c91030ab6bcacef48ce8eac9294e1d81f0448fb83084b6781cb031e300bdece6926649b8985a9897fa276a0beff65ebebd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8056b432529751805addfc766fe407b8

SHA1
c74fb4c43afb2e4b267b61b27ff8c61cccba9abe

SHA256
8696d935349646432457e2249844ed2e58fb5247c7187fa83363c312d626ccd3

SHA512
5934c3ca1bf4fbfb57a7b190b92b5a2ebb545581f1af979f93a006ae9ea0693387f26ea18dcbd317c2b31ae10dafcc612cf25855fcd41a5bdb4a3a25d70a247e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
11835fd2ff6420cdbf63db0b2dede61c

SHA1
5cede3ab94f14ce61ec4582ce0df7b5f93ce9cfe

SHA256
7d097a8b5eee5fd2342cf7a2f505547de4eb171337de05293a7d8a23b8ac9045

SHA512
58eeef2cf42455102982f2b0ee4691778f0ae51ae3d3b04abb5e32636222a3f06e3837e714be30ef51eefb238c07fe58fb8b6188ec1223cad60537b9f6d6a267

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\doomed\11598

Filesize
131KB

MD5
278296684110f663d5497db1ebd4f94e

SHA1
e6d141387d60b9b961e7c6bb12de05391623d37c

SHA256
60653d3fc819373591147870eefb39b022236d62f5590f13cc5dfac653194df0

SHA512
1f03dd93b021d3da28e8463580b58b9ed5a5f22e32c3ab6857ce8f75ddd1cceac0a46d6d44dd90dd6e3213f1b593efdfbba5397c370752c42236fd328b50f10b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\cache2\entries\AF08C83293D139073643C23F75C13B62256141B4

Filesize
9KB

MD5
03c414782b43ab76aea2cd9695392577

SHA1
6c7f267b954ac9fef105d9f563871f17aab2e165

SHA256
278be2a2498bc24c1893eb10915efb40ad029ca04b4857004693f07fc69aaf3a

SHA512
53910369b3b7dbe5a42424ef01462e2ced3e616b10f7efed37b386aafbb4f9c2200da8b44baa0f56282c2228b486fff7d095722e4cbcf644f62e3d73ac7051a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\er3umqpr.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
5a76bb7ca33ab8ee1ef9582ec06cf748

SHA1
f8f15975cbae2212aa6e60f6ca0996ce081a6ac4

SHA256
1d0db5fa30ccf7a702269c47a2ae808df845d1dadfa1603dca19a18749583229

SHA512
95f7e58293eac42b3364bc475967ad66af7d84465249b9dc4b8e5fffdf2fb311998685534eaf794364f2890814e9791ba74f49f3a48fe7c3394c24a9673ca7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\Chromium\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

Filesize
49KB

MD5
8b3d764024c447853b2f362a4e06cfc6

SHA1
a8fd99268cea18647bfa6592180186731bff6051

SHA256
ca131fc4a8c77daff8cff1b7e743b564745f6d2b4f9bb371b1286eb383c0692e

SHA512
720d58c3db8febd66e3bc372b7b0a409185e9722402ee49e038ade2141a70ec209b79cde7c4d67a90e5b3b35ed545b3400c8dbe73124299a266be2b036934e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_zoneinfo.pyd

Filesize
43KB

MD5
f7679dc17a0b3d87c531003d5c87b8af

SHA1
b9a54caa6250bd75bbac0e677c573bebf53703bc

SHA256
91859a46309e7abf3ea21270e299a46d3dcc50ccd49989258abb2bcaf20c3d51

SHA512
2b1749b7c8537317291bf069de1ae309d4dd5023c0d21b4f6c799d89befebcea792ff271c7020b05de0d2666c23ff9e0350805c96b0dcb53f257b4ce2c426e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_db54ckjj.nsy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\GoogleRestore.exe

Filesize
42.0MB

MD5
e87468059f0dbf9db59dc5e4383a00f5

SHA1
4ef6b9ee98070a0893f68d824f5b125bd0c97b53

SHA256
f66a3a553aad6ae0f90179837a98f55a5a9fb0f21c102d0a054deb1de747b392

SHA512
d5f0a359e975e1a7dbea1b742a5e6f599bf83ba7d97775be97f55629ca48b67e091f1f79a9e3dcce4f1dbfa2ff7ea37e81ce8939cceb72b0160b67957f9d7de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_asyncio.pyd

Filesize
63KB

MD5
42b1b82a77f4179b66262475ba5a8332

SHA1
9f6c979e2c59e27cc1e7494fc1cc1b0536aa3c22

SHA256
8ec1af6be27a49e3dc70075d0b5ef9255fad52cbbdab6a5072080085b4e45e89

SHA512
2ee9fc9079714cb2ae2226c87c9c790b6f52b110667dbe0f1677eedb27335949b41df200daf7f67aa5c90db63e369b4904aac986c040706f8a3f542c44daf1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_lzma.pyd

Filesize
155KB

MD5
bc07d7ac5fdc92db1e23395fde3420f2

SHA1
e89479381beeba40992d8eb306850977d3b95806

SHA256
ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

SHA512
b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_sqlite3.pyd

Filesize
117KB

MD5
562fecc2467778f1179d36af8554849f

SHA1
097c28814722c651f5af59967427f4beb64bf2d1

SHA256
88b541d570afa0542135cc33e891650346997d5c99ae170ef724fa46c87d545a

SHA512
e106ccdd100d0ce42e909d9a21b1ad3b12aee8350033f249ed4c69b195b00adaf441aa199d9885c9d16488db963c751746ce98786246d96568bade4c707d362a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_ssl.pyd

Filesize
157KB

MD5
0a7eb5d67b14b983a38f82909472f380

SHA1
596f94c4659a055d8c629bc21a719ce441d8b924

SHA256
3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380

SHA512
3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\_uuid.pyd

Filesize
24KB

MD5
a16b1acfdaadc7bb4f6ddf17659a8d12

SHA1
482982d623d88627c447f96703e4d166f9e51db4

SHA256
8af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0

SHA512
03d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\orjson\orjson.pyd

Filesize
222KB

MD5
99c8f7860edb42728f208c87e22188e5

SHA1
be90fa5b7e0987403cce4492b51b4dd4cffe5221

SHA256
c7aa4f83c1ef47326c3353dcdce3eb5bcc320f1e519b9aa4f0d36d36fcaad07c

SHA512
986e94c8b2ab0467b60f2695fdea5af310e71aadfcf421a326e5e9a9f7669942cabd37ca23a220502833cd791a59ccc8c06c9c56916e4253da6b25f79183955c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Africa\Banjul

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
a87061b72790e27d9f155644521d8cce

SHA1
78de9718a513568db02a07447958b30ed9bae879

SHA256
fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e

SHA512
3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Africa\Maseru

Filesize
190B

MD5
a46a56e63a69fd5c5373a33203250d39

SHA1
da4256239fbc544037f0d198cd407e6a202d1925

SHA256
d19aebe2435c4e84bf7ae65533d23a9d440f98162e5b4d69c73f783e02299ec8

SHA512
fc9c48be574219047f00bf2ba91e085076aec96db89f5e44741596b10b8766d4f80da3676d421a6a929b48a7eb85e4eafa4cc4673fc40d8f45aa96569c48e12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Argentina\Catamarca

Filesize
708B

MD5
e3467a68822f3d1365e3494970219b03

SHA1
3b37cd19a0ecda386ce185f888f4830d4767ac35

SHA256
502d1fc71ed93e68cfc370f404afb9bdaa7e735701cdb811dbddcc76611f3b1d

SHA512
4ae79f4a57134ebae1776c259af4236fb75827e4feadf952eafcd33a15f1cae49a68855eb67b1a129dfb2cfe44ade4bba274051c972434517e179fd36e4b6534

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Atikokan

Filesize
149B

MD5
595e67b4c97fda031a90e5ef80813e7d

SHA1
7194eb1a70c1acc1749c19617601595d910b9744

SHA256
a78d73067ba3cbd94f8a23dfdd6aa8b68cb33b18484bc17b4e20ea1aec2f0a81

SHA512
27925a87379552403a0960c2ec191994610bc05b2d67fb1fbbeeb6086a16091bdc69449bce3426b31a2775f3845ed8cc07d1882f8b3b4e63f437775a2eea5d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Atka

Filesize
969B

MD5
1df7e605c33529940c76c1c145c52fc5

SHA1
09c48d350827083bd4579e0cabf5be2ff7bf718b

SHA256
abfb1980e20d5f84ec5fd881c7580d77a5c6c019f30a383aaa97404212b489e0

SHA512
27af4d1bb570244667132cf8981f62f245b2228518324ecc67867eb15c8440446ddd6f2a221cbb2aeb15adfd955dab01bd708ac2c2723a113aa30839ff6632c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Ensenada

Filesize
1KB

MD5
661db30d5b9bb274f574dfc456f95137

SHA1
b516ee5e78315138d9a13c04e482c063a2a20422

SHA256
f1f9dbc6d26a4273fa9b259655d7afd9e2353b9c8173c3f984b53d7ec918305e

SHA512
523304ff0be8c841d817df59a09aa88d2e96761f81eea240bcc99e7569246864d498fca94542f881910e70df3abc9ce22ecf3561ac26ec6ad5e383e6c009b442

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Fort_Wayne

Filesize
531B

MD5
9208172103191bf0d660e0023b358ea1

SHA1
6f19863d563ade21b63df66afd12e0c67903a341

SHA256
e678f42a13efbd7be0f26a9ce53e04b1c28a582eab05611cb01c16836432f07b

SHA512
013be7c175dba66510fbd2972e0d4b76b7073a079aaed9e0a454753dc5e18fb1133b2947c48bd7e1cfa70820b397af6ff49b41434a4909906f87a8c91b853178

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Indiana\Knox

Filesize
1016B

MD5
964fb4bc6d047b2a8826a0734633ab0b

SHA1
e22e9a86e34a20fbeb4087fd94145b287c28e74f

SHA256
2890b35dcb7c093308b552d82d8781a8ce9a4fa6f9de058283a6836ec1f9f282

SHA512
869203f9854bf2cd0ffcc75f4524965757ecb03879a08e1275404b7eaeb5942eb25dff0f6ca6bfa236e659e2fb315c1b9dfcfc544a59ff7b3cdd6ab6904aa298

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Phoenix

Filesize
240B

MD5
db536e94d95836d7c5725c3b3c086586

SHA1
f0c3fb96c02359a66ed4f7000a6ecda3d4a699ec

SHA256
ae11453c21d08984de75f2efec04dc93178a7b4e23c5e52f2098b8bd45ccb547

SHA512
87aa4f9f8b3b01c4bdc96fe971be12b38e16219f58b741c93a52c369146f6a3ae669e2bff2021403f5c1aee1f216c02d1faeb30012454e1de463c467c7f6b374

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Rio_Branco

Filesize
418B

MD5
0b427173cd7de48179954c1706df9f0f

SHA1
6f3bb01406ad71ca9718e7bc536fca9251754938

SHA256
563b9052bebaf2986ae5b707e34afde013e7641287cc97ff31005f33a0dbf7a5

SHA512
2be3257bef4949ce42d143d3f0e095ea26347ac22fd436d98445af8590186f74a165777e9f423b8bdac416758e42a636fc6bdb86a097256100d61c2828b522d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Rosario

Filesize
708B

MD5
5c57dc3d11f5a64fac22a08ea0c64d25

SHA1
53f6da348a256b7f84be5e9088a851331b82db9d

SHA256
f488f75a34fd99630a438dcb792508a90b836fdcd2dc54a51d83d535025315fd

SHA512
18f23ddb3dca6fa3efe9cbea294bdfc6ad9db3bea98fc1766e0f317754d8a452e12edd692b1505810ec7842d0f8dbdcf1f50a4027dbc2621cde865311ff5b259

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
628174eba2d7050564c54d1370a19ca8

SHA1
e350a7a426e09233cc0af406f5729d0ab888624f

SHA256
ad2d427ab03715175039471b61aa611d4fdf33cfb61f2b15993ec17c401ba1e5

SHA512
e12bf4b9a296b4b2e8288b3f1e8f0f3aeaee52781a21f249708e6b785a48100feab10ac8ba10ac8067e4b84312d3d94ed5878a9bda06c63efe96322f05ebbc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Winnipeg

Filesize
1KB

MD5
1ee6e72e10673d4a16b6e24671f793ec

SHA1
439bd8f20d919a71ac25cec391caa8084f3b7cc3

SHA256
00dcf0606054d4f927416e0b47e1fdda2e5ce036fde4b53e51084f8566428c3a

SHA512
dbcc75cd333e3565c5bda2329f69ff83816b1383456a5f4f11b960fe90436798182565119a48dfe590a7eed5a82e436fe39a1d5d2d71a4c12bdced265d89d7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\America\Yellowknife

Filesize
970B

MD5
beb91df50b24718aed963a509c0c2958

SHA1
a45d9b4187fe62ae513557bd430b73826f27b8e6

SHA256
0eada6c5c48d59984c591ab1c30b4c71aab000818cc243b3cfe996f1f26c715f

SHA512
6cf096f7cd01fe83e8a49539667f21137fe36b473e2f92ffb78316026eaadf2723cdf66780fb24b661cb5acf0d388ed0526db794cdb8c7af8da1f5b8660ca5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Antarctica\Syowa

Filesize
133B

MD5
165baa2c51758e236a98a6a1c4cf09a0

SHA1
dbf6914834465a72dc63d15272d309a4331cd1c3

SHA256
46853e94276af2eea8e86c2f152a871c092df195dc51273b8fc7091faa4b461c

SHA512
82f71fe26f83940b802676221f6efc6cfd66aa0cf0c3befdab9b60d7a8e951e504c547f90876890e7ecb18c7f89a41152d276f32f7e5ac6abead24b6fd47f3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Bangkok

Filesize
152B

MD5
ff94f36118acae9ef3e19438688e266b

SHA1
b68e4823cff72b73c1c6d9111be41e688487ec8a

SHA256
cdc8e2c282d8bc9a5e9c3caf2fc45ff4e9e5cd18f5dec8cb873340ad7c584d64

SHA512
e2ded089e3f51c57e2c32333dbca528551440ca76cdbcbaab9d627f8ee0824f1b3cae20f26352dc7edd6887e74fc78357ab52044fbfadf2192129052f82cbee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Dubai

Filesize
133B

MD5
667e494c45d181f0706bd07b211c850b

SHA1
bb2072fbc0357111a7570af852bc873b0f0070e1

SHA256
0d9ea5053e83188032a6fb4d301d5db688f43011e5b6b1f917a11b71a0da7b16

SHA512
57a367ee2efb608cb11fa83d2ce4be99c55f223b717ee9da3d78a5f273a6dc0e8face0d255304d3ab99f1dc7c6155376afb53eda8bc0b8ac481fcd54b3a3313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Istanbul

Filesize
1KB

MD5
48252c9a797f0f4bea97557a5094cf98

SHA1
6e6893d64fa2e3249efdb170face5085e5f5945d

SHA256
2a7163b16b94806f69991348e7d0a60c46eb61b1f0305f5f4b83f613db10806f

SHA512
f091784b4dd4a9683c5a70194dd957e6bbf3a43a0bc469fa12c9788f1f478256dae78dd7f5eb1b49753f3661893f8dfaf1f988b07a00a0209106d4d231a27bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Jerusalem

Filesize
1KB

MD5
9360bb34802002d91d9bba174c25a8dc

SHA1
fb7e5e8341272ebd89210ece724b9a6c685b8a69

SHA256
9fcde8d584dea0585f5c8727aaf35f48a149e0dbd3a83bf6cef8bca9c14021e3

SHA512
6e0d68f6c58a2f7aba3e1b0d85ccaea46b63695edf7a4476f0b65f7853d3c28b086d5c8a2f0f6e1dc2f7ef6a71b2165e3f07a885e3307c8488ef739ffe429f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Kashgar

Filesize
133B

MD5
67c981ccf51584922a1f72dd2d529730

SHA1
60ef0baeb39358fee28d01525962e05a7f71e217

SHA256
849cafd377611cc2fc2b41891ab63c6fb3343949045db961fd16267593315ad4

SHA512
0e563b55141e0f63d762dff0b8fe428897e9a98233dc2af04df09c79c702623b6567178de0b65a2ba35381971bbc14e4721dd0aada6ab52190efa8a436e7b480

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Kuala_Lumpur

Filesize
256B

MD5
8a2bb95893137bb40748ef4ecd8d7435

SHA1
6d65ec8958626477d7cb6ddfc036e70e7949c533

SHA256
0954b2d9a301d94f4348024606a71bbcb2fa24d3cd3709f5bc8bca605039785d

SHA512
360d4e0ff1f06c63be5abf3d2fc336d5f11e5e0db055999fa856f03344c16d30b7b8b4145e7fb5f8a6bc0b912c4db46b8f66af586fddcb74225228dd1805e6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Shanghai

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Asia\Yangon

Filesize
187B

MD5
37f26cf8b8fe9179833e366ca13b8916

SHA1
da0b9ee83039fcd70fb0d439fac9f453768abc28

SHA256
e89d835c811d4da44aa8b386782ce8828df085aa0ee8f25661a9881d2f00e90c

SHA512
60817dde97cea65dd16de8b91d0fd6475a8a2151881a1e3a9a496d143c71509ca6d6f802505cdfd6b8b91f6478717d5509abee8e301a926207a8fac7630bf1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Australia\ACT

Filesize
904B

MD5
a1085ba102822f56191705c405f2a8ad

SHA1
ccb304b084e1121dd8370c3c49e4d9bea8382eb6

SHA256
820d45a868a88f81c731d5b2c758b4ed000039b6260a80433f8e0f094a604b59

SHA512
3d2fa63913f22aedbffad9f94697a19aefe0920c1b9e4be47144022706fb309e46b38d85322f9ff4d8fc2472ca43fe3c5aec6486f94a89fb728a05753c075239

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Australia\Hobart

Filesize
1003B

MD5
8371d9f10ef8a679be6eadedc6641d73

SHA1
541dd89e23dc4e37e77fe3991b452915e465c00f

SHA256
d4801581fd00037b013d71616b119fbbd510fdca5de06369b10f718a8da5e32d

SHA512
0c08054c08a4aa20efd8ef18af57fbd914fa99b5ce1aa837e8c491274b09ef934a831e4a36c4b64332d2d47f5e3083f30d4e505560c5a3188c02a4cebbf820e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Etc\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\Brussels

Filesize
1KB

MD5
7a350885dea1ebe1bf630eb4254e9abc

SHA1
5036277ce20a4d75d228cf82a07ed8e56c22e197

SHA256
b10f9542a8509f0a63ebca78e3d80432dd86b8ea296400280febd9cfa76e8288

SHA512
524ed4fb0c158a1d526dd9071df7111fb78940d468e964bf63ba5418f9b551ec28c38fa1dc2711415aa31f926d8729eac63d6b1e2946b7942ce822f09d00c5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\Isle_of_Man

Filesize
1KB

MD5
b14ab0a98fb1964def4eaf00d2a6bb73

SHA1
842e6ede8817936de650a0c1266569f26994790a

SHA256
bb29fb3bc9e07af2a8004ccdd996c4a92b6b64694f84d558e20fc29473445c57

SHA512
301ba2529dfe935c96665160bf3f873aaa393de3c85b32a0ba29610d35a52b199db6aff36a2aa4b1a0125617bd9bf746838312e87097a320dad9752c70302d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\Kiev

Filesize
558B

MD5
2a6d051e23c2e3ace6355f98f024796a

SHA1
1a3890e9e13690f20f4cf2cff51c6b24e0efbb49

SHA256
d0eaac7c9875dc638583a6893f520031a1dc7dac1545370b669b76ca72b7ac90

SHA512
084eeae9ac4f1563e6eab94199cc09d81e37b9c54d1aac47dfe38a6e1243d7b5d850ebdb31b9b520beda17f2c322360a15e5f7635dbddbd3f7ce76cc0a5f6990

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\San_Marino

Filesize
947B

MD5
c57843caa48aa4715344a26830df1f13

SHA1
c2f1530fce47b5a7d976f0bd4af28e273a02d706

SHA256
86bd26a06fe3057b36cf29dd7a338f2524aff8116ef08d005aa2114ea6122869

SHA512
5e93be3d2a9f4fe6ce98c938cc08ea6c08c36c05ef797c639f97cda82c1bd272e7826df413991929a94a33b8b0c96656f3f96f61d338737ccc26be72388c6408

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Europe\Vaduz

Filesize
497B

MD5
07b0081174b26fd15187b9d6a019e322

SHA1
f5b9e42b94198a4d6e8a7ae1d4bdd6b7255ce1f6

SHA256
199062b1c30cfeb2375ec84c56df52be51891986a6293b7a124d3a62509f45e9

SHA512
18916dc499f8b0a600cbe03dca3509465c7693b64c9c27cda3c97d0de7269279b4c9c918c3a9aafc4a3c9f3eab79a521f791dba257aaf436d906aaf4526bd369

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\NZ

Filesize
1KB

MD5
655680c9ae07d4896919210710185038

SHA1
fa67d7b3440bbcef845611a51380d34524d5df4a

SHA256
0e06e7e55aedbc92ef5b3d106e7c392ab1628cfd8a428b20e92e99028a0bfbb9

SHA512
28ca8023b1091b2630bf46314fa1737ac66a3b464cdd48c2d8300edcb2eb5847710e98e4f63be358e443bfa8ca6dc73a8b3f38fc6df4f7c0ff324520c91bc498

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Navajo

Filesize
1KB

MD5
c1b9655d5b1ce7fbc9ac213e921acc88

SHA1
064be7292142a188c73bf9438d382002c373c342

SHA256
9bb703920eca4b6119e81a105583a4f6ca220651f13b418479ab7cd56c413f3e

SHA512
2a188d7bcc48acc17b229e50e136b55dbc59058ae9be6ef217238cd1b6c0a59817954ab98817d2e2ff836a6f7d7461be5850ad73a9096d7a14ce9fd8c2a3c29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Pacific\Johnston

Filesize
221B

MD5
5ed332a521639d91536739cfb9e4dde6

SHA1
0c24de3971dc5c1a3e9ec3bc01556af018c4c9ea

SHA256
1daa5729aa1e0f32cd44be112d01ad4cc567a9fe76d87dcbb9182be8d2c88ff0

SHA512
0014e8f2499fe415644e21456f5ca73297c36603de24d60459355a55174e1db81e6929278ccd0df79c750c519d2d6e5ee49019feb63b42f9240c8b8402f3db98

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Pacific\Midway

Filesize
146B

MD5
f789c65f289caa627ea1f690836c48f6

SHA1
dd4dadc39a757b9a02efd931a5e9a877e065441f

SHA256
650d918751366590553063cd681592fdca8a09957e0ce2c18d6697ec385ef796

SHA512
f7461e9b6c0af87b45dccc1a8884c47bca59462c9cb5ceac74aebc314cc924c2aebefa993a7466d4d3d4ab3fcdc76c6bc43c7522395f8f053273f55f3eb8305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Pacific\Pohnpei

Filesize
134B

MD5
44355d47052f97ac7388446bce23e3ab

SHA1
2035f1c7a9ff65687b1e765ce240f701cdc7bc82

SHA256
522f0f374b61e2c6f5fa7d19f1c7acccd09e4a213462ee3b42c90d32bf2bf18c

SHA512
3dde34960b8aa19fe30f43588b3ba8a25b256f918a19cd03594e15ca482252eed1e987611fdc6b09997205efe1ceb93cf77e487a2dfea54a21214c66a394a086

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1756_133812831990677074\tzdata\zoneinfo\Pacific\Yap

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
8KB

MD5
92506cb1ddb662dda0defe6126552668

SHA1
ed602da34425eaab2c8a2273bf28dd7732028d0d

SHA256
8eb0b920935c9f7fce85ae03de3a577693bd12d5798aa4b458ae8fbb2136aedf

SHA512
c3a52ca8091eba6b32392f3a6968a4a7f815c0271b28691da0bd8fc96a2a608378142af68c5cc9cf46192240c5c79ecbd47b3e193bca61ba50259885d2af8ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\AlternateServices.bin

Filesize
12KB

MD5
08b79b53422d47934bb86ca7d46ca86f

SHA1
4cc06f7ba40ef99ba9eb4a8bb1c773d0bfab91e8

SHA256
86843a798f3e446692052066bb666e2e16ff383252b2477fdae4a2d1ee2bebbd

SHA512
67e6d515496ef3927ed37bd7f9e17d356c2ded76583ab292ed464fe90dea5141b91e0a549cf21a93be5ab3d34cc5fe34ac4d3bf68a1cde051a6fb69c035bf651

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e5f000560edc58cc11bac16f34ba80ef

SHA1
d57c1514b8d38680c1ba6fe653af366891368320

SHA256
3817cedb0ae611dc609db9fa5472b35b9a6b54d8da4a14a3ed52798be13193d8

SHA512
77bc700d22dbb8db0b0df7a5378c168a4486cbb47429e0dbbd43053b4dd7b6bbda0cd58a290ce1eafa906b85f918f4e45482ae3d80c44a296c4ce5ac6472dced

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f58cfab9b5ca85911ce9712465de1b41

SHA1
b8261a13db02e42ac09d6c1e93ddcec8052f417f

SHA256
ba9a0ce7adc524827e556725fb07f2dd2d19af8fcfa3b09d7294f3f43912ddbf

SHA512
b749beed4bd93e5511192d00fbcbd9799e62c5fffe9d4087c9c3c48e3320dee2cff9601c9c3e94e384371ab164066eadbb5a47fefb04c30fe623c08edd66ebf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
3a530da6290dc1cdc62ffd4027339937

SHA1
ed80be33d99a72eec791abb91418228367326d33

SHA256
3e0a21c580c926e23e8847b2849531c65ff6e3ed7d995ffa96595a98e0aa3cc0

SHA512
ae3c5bd6d4e1ad6632bd70a7842a1430b1833534b85ac96169ea2aa16c6e07503de9fbdc047fa868297fb07e6a9744acfc2b0e826aa5d5c4307b7892bf9613a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
ae6d098d642091cc245ec897645a0f83

SHA1
2f22cd96db559549a5e02d99cc799134ea264f7d

SHA256
93ecfe2cf18060b66fb1741381af21f9d7aef76905cfcd0f2fb51043197d0bc0

SHA512
68476da9e07661a0cb5a607f271c5a340b67c884d68711defc06fcb7a5ff1af637c6809f0271f6819580cccc03236dbf515bd2ba7e20e8cbabf5e59bee4c217b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
2c5f8c89ca0cd606b3c0d4735658c43d

SHA1
c0ab9d26e9c977041c48087c6918104c612c9c4d

SHA256
0750c7d93688c6c6c5e7fa14d77a1e8116da1b32b73df500c18216bef3e29f7d

SHA512
a8b48bae36473ab84945fd73440ef9aac0eac38063ac069b1bd7b3cafcd23872b10e54cace6df2779bb73706f60e4b2f2f7dda7eb298a07d3a946c649f2f09a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\19fac8c1-d716-4358-b12f-6546a37081f2

Filesize
671B

MD5
022e2e5f47cefc913d63d8449b3ed277

SHA1
f19bb4e11023a8b5ffa748dab3c91c7a535bbc72

SHA256
ba92f381c5723461b81c530003b4a8bbc29099dca1895bf1e218f84a8e20c084

SHA512
3ee99360440912d6f25bfc0e4e0c6626fd9fe592361bbb964b70e0d54a9533c9a7b5344fae6dd30c930cdba17beaa51657d32f4345ff2a3cc8b508f44bf14351

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\28229b6b-66d5-455f-9ae7-1e846fbbf5f5

Filesize
25KB

MD5
21f974133ecfc4422d87c2fec0cbddfb

SHA1
4595215799d58d534d832b869add7d9649f9a352

SHA256
0815638c1b428b7553f367c756c89ec88e60bd5c09ed245cee2fced31175bf20

SHA512
3bb6864c44b15432ca7b981dba02d78c43ceaf0505d9fd8721785c8ec2d022ce2b105d72abcfa3c6479ceceaa15b50c7d3bd94695581b86da5ffa7966deb5894

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\54754dc2-42a4-4d0a-9803-0e93fbb9149e

Filesize
905B

MD5
6e43ceb0a27b535b03230f17dc7e4b92

SHA1
1d14628ffad085d283cc7ac526f46152d5d86444

SHA256
c5cf74048766002829eb79d480a509de04f2bf5d4bb2a351c94a6fab0fa59719

SHA512
b8213e9fcc2378190753f517a6b68e67ce5ab8818cb6f0f70ca6ec3b1fea415f71bc0f50cffe739b521712c83e6348fe0a98dbad40c81ff2291222d2f90238b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\7d64cb79-5f9a-4eb3-a694-0c43712a5a9f

Filesize
659B

MD5
7c25766e17cf6a24778759e2e7cd8426

SHA1
10d00f8e9bf70aca6483a39348a14f87affa14f5

SHA256
5caaec15bb72ed9f84d575bbc820fd082c494902653cb9497cc8677d4c4ed9bf

SHA512
caefc8650ba9ef81c5fc9c4301d0853bcfa2ff1de36c5856db2793868807e8302a52f4ddb822a5f06134ccbfc47eaad498edcd35f0c6db02e51f8b7c1dad7331

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\datareporting\glean\pending_pings\b9f7922c-38ce-4d2a-82b4-58b47d16c629

Filesize
982B

MD5
8aee365892aedcce01bad2241d47a00c

SHA1
deafa619678847f837beb368cd4ab072f4fd7482

SHA256
c0885f1deb2c21c5b071d751cc1cfe47682d6487a9fa956198d1689718d05edc

SHA512
385a297c43f80aef32924027b760064bda3e7c73677078753a0cc13fe95eb9646554877bb040271cce6230beb4be1d535e99e39d636b765b4e96b292ceee91d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
9KB

MD5
25a64f1ce7fdc5ad25fe33ddcd860990

SHA1
0f0100b2be2c08659f95db5d2b899fe1260ea5ec

SHA256
6b1a8952a0e94407b4c3ccdcbec065b1641d07d4a14ad199f0e147c9ac49fa67

SHA512
00632e7e52fa8da698a50f18d8bf2e35ebc3c01d96e121cbcdf7561f55c6a008f7c6b0f549b76b1170e21e1590eda5c609214b0bd5f28006e43c3186c6742d15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
9KB

MD5
8c394530f851d6d9b8863c8fe232f601

SHA1
0fa7bf7846669ac2e504bfd2e9a2905982ea6d2e

SHA256
c848334e8c2b14aa601ed67d9fd1e7ca04a4cd15cafcef485ea05b423bce97d3

SHA512
ff7bf19b205001600357dd602c0f9c78ab57b6494f53df70f1adbd50955c54ca6cc8556439b04ef617b7cd644e79cacd88561e3771be7604721a11d62daadd9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs-1.js

Filesize
9KB

MD5
adc9220d705a06c80ae466fb41bce66e

SHA1
3df2b6257ab8d3c90da2baa4e6d68174f9ac4f6e

SHA256
38443248d9c92e0732820a4dc5284928787d76155b3faf24ed531acd011a6b85

SHA512
d5d22acf56ce124210b21fbdf80cc27e7a09612b957b33aed3ee2742adca24e8c2f3fdc4e7fcb10b5d297ba822f362153c817cb78d12df800ccdab5012247fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\prefs.js

Filesize
10KB

MD5
83be6901c4218cb23bab65375b491d85

SHA1
3344455391b70e8c196f3bea938c742f5d5e3597

SHA256
13ea0f63148542eef74096937a848466bb43ece9358b57808799af48f092fe45

SHA512
635cb79fd3b416aea68b60f8c4338572c7c2320f83cf41267fbcc52b6c1e51910a9bdb8f6d926f24aace526a789fb9179f49d94c39ebffbb978df28ffa4ae3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
60KB

MD5
e7f13254db5774ed90c4a10abe1fd6f6

SHA1
3372f866ce5d7665f85a9750353f7e80f13a2c8d

SHA256
7dc6e5830af51290bbe147484c530a0b030788a5caba37ff9f341ddea8b80610

SHA512
b7205bfed74aba2a68b20d4d8fabc087a2ecb79eddda962d430337dae773d38a40f35f6b2114e169c58c4ce81594965f38282ffd688e768d9c7fb2c66e81e7a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
60KB

MD5
e1b17426a99d3baba107277e30ca9684

SHA1
ea886954c55e68704a15f3862ac607a10dd5f086

SHA256
3aa34c2a794be5d16ae30ba024cede6e097ccd4c1c8144a475a8e8ec938f70b1

SHA512
8eeace99db06ccd5d2909070639dc9afd9e46d49e55474628852ca68a466965e54b5b205532ea0f09530ab81a31153d1daede82940eedc2c77bdc19e12cdcd84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
1802ee230bae2efa4b3ce1c82552bb26

SHA1
c7e5d6b4ea581cd8a584834b09af9691cfa3590f

SHA256
91496058b1a456bf46e73c4ff0e68ccac0ef478ce6675f76f9d3c3bc79391d72

SHA512
41bd2c09df4b9e8ee91076fab21c2cc37e4a7f6269f38457dc845ea997917a12de5ccee491b6deeff06d1d1e8992c96dd2d081ffe010cea3bd1b281a636af473

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
59KB

MD5
401294291b95148da071134e4cbcd75b

SHA1
b7748dc6ae166111c921f4f0e735d2dea3e8d25b

SHA256
b7d39ebbc02d69d06865121d1954542ccb52f68ed66aa780167dbfeb002274e8

SHA512
268520bdba54e12cfdfa4c4572442d5b2cb48da03cc9da070c53f40a425eb564e754a6a23e858e6a0629fc4b5b9577daf9ac3d9a38adf72ee211ba37a97786ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
60KB

MD5
e4e0459b34ca541a5337fce9831119d2

SHA1
c4bd06bca9c53e69065287e79a4cfe3c311e9993

SHA256
08db717b4d6689461b01af2453c9f43e4e885b1cf04c12ba9ec50ed357b87303

SHA512
d1431077ca11adec34771238efa0503b10caffff2661f4dfbe84eee53e51815204bf07fc91ff5cc5ef187fefd12e3cb2da2b4c0cc3afd094d61354d3708d797a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
a3757cf080c83b4baeed7520d7199bf2

SHA1
9eaf52b49081230c31339bd2c153f9a19dfa78d8

SHA256
418fb5eb21012c05e64e05d0b629823cab2c8cbd9755f4b1da7c0725bf8fd0eb

SHA512
64877694819ecd3bdef29b59f2a528bdc1fdb9bf692621d44448510d19d12b4a1b3ce3033fd48eeabb21374861d78b78a86b1d661bc47d449450503c487d6257

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
efde6f2559aa486ddaf66b4cfd15d20b

SHA1
d0109eaf1e53f28b72aa61512a9e078d006d0fb7

SHA256
4ce30354dabdf7006928918aa85a27009a0ee4eea82536a506827c301c2cbeb1

SHA512
ff65924d030222945a2026d0b7c9dded578369a3394fb376c65b336e25b17ab15d2d89bcc647e4f4acfee75633fc86e8f53f5db1c04ca49e428361648bd40902

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
59KB

MD5
aa8cd48216d6b9aa44349ef1e667a484

SHA1
841087c7862ca7c2bde8cf44b24ad81b8795d51e

SHA256
11542b72f3055894ac061b15b216a3478f2cd73e8a1ecc40b7865e6d2b3166c1

SHA512
c39dfd1db9a07c8a8a0494513b415ca082d649a6de231964ca7c83b90ebe6695ceef9f61c87542e893adc292343ce434043247a6ad663796ef57a742be06e965

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\sessionstore-backups\recovery.baklz4

Filesize
59KB

MD5
1c8d3a1b1b0f45e96aecd5574ab6ea63

SHA1
6fa13800a1cda2fe7e16ea3019bea99399978a71

SHA256
870df5b83ce96c8698588820dd167b268d542805abeb75a1946f8061a4c8f465

SHA512
50905c1bc56a6c3785943fc85b565d99fcde05f9614f1a1168d42efdc0b09a25e02e77892478d0e7e1ab3816cfc045c7293e5221b15c84d8ec17ae6b0628c0a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er3umqpr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
592KB

MD5
ea94a22c51f4553873ca0e688bfd8916

SHA1
605742568d982a49a12b3345961f74207a6a0f4a

SHA256
d4d95bcfc20c7ebc49efa4b9ae9de72951528b209429bf62f81d3936c96d1fe9

SHA512
23b76700c0a9954f40ed5e591fd28df56e35d6183254dcd2294c197e4e2cc28d0a71b97b67578ee9d87543609bc2789d3eae46b65711717546be719ffc3dff01

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
55KB

MD5
6358f13806a6322f9682d07598bba1ce

SHA1
35bbf0b812578d23a27089f74672263caf73d0f3

SHA256
0b8adcae4613a7582171ce688f4e0ff9799afe65b6003775556e5387d67bf8a2

SHA512
9fb5eb3a0d0e161dfa0c89e89cb2c87bceeadaea323d8406fdbde25e42ffb35b4735b987718d631988309dfa74a55c72fc3ca906843f5e337cd7b2edf54f5c11

Download Submit
C:\Users\Admin\Desktop\Panel\logs\logs.db

Filesize
328KB

MD5
55cfc3b91f2163f92d8f316aa59b5d25

SHA1
73ceeb414f5cd452f99b4874221c383ce94ef67a

SHA256
15a5584248306b8cec549edd767a90cb5e1121e0315c3a2ffa9a3ea0d65177aa

SHA512
4ac5539b460a9557d6504ad89226c46b2db8a2ec133386eb0b14108bf0c7bf416e6a95e19902924e4f030de85c93a7169d4acd6199b9183e1ea80386ca0031ac

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\GoogleRestore.exe

Filesize
35.8MB

MD5
a97a8ac0ac6e7b59dff255d775413ea9

SHA1
0670919b459f1a6eeb23c3d2ca814ab95a21f557

SHA256
c57a717fb7b84ebf85611d9229379cd6e5a861dfbfe3356ec748a57ee3d87aa5

SHA512
7f2a77d67475e1f1bbdb02c6866a97d6b4b5f5dabfe6fb3af90ed950a9847b43fc17e7685761b428cb143c74e126e326cfd61a968cf86d084756f577342c99de

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\freebl3.dll

Filesize
326KB

MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\msvcp140.dll

Filesize
451KB

MD5
f027303816d6d2afeab12183c67b1348

SHA1
735e1625b17e4122608eb3aff3702b97e08f1e51

SHA256
75ddc9778c23ee95b6c57db6b689f11c07d164d5a4c158d4c0acb87a520b8004

SHA512
f55f6df42f266cc5f5f23690a5942068248d50d1c302708bf34d1f9d8831c7bfa174489de029dada30707df4544275b14fbb3dda09a0a022eb343e2618401797

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\ports.json

Filesize
66B

MD5
ce60ea5ab497ac5fd4896c3bed7aea24

SHA1
9b080c4e173ca3a9d226dba11fe0540aa8c61c4a

SHA256
d16e3e14f554534aef787b65b0dee952fa67b04edbab929ab4435f74ce3f6811

SHA512
b6d73c8688b6b0554a8c250a742d1f64d3df87d042357e08c01d6f485e177cc76b118c202edac9506edde8995b43d268528086139055eff55c4c688d961a4b41

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\softokn3.dll

Filesize
141KB

MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\Users\Admin\Desktop\Panel\tmp\vcruntime140.dll

Filesize
85KB

MD5
ac139e08070885a2f021e30fab609eee

SHA1
3d3c2877cf3c4aa1a1f62708494375404d02cf22

SHA256
eea2df0c3d2bf84ee8bc811439a81578f6521c8b28b6cc815c93fb870ac7a0d7

SHA512
072dc8a2297eea0778f72f70ab5c8dc0400cecbe399115a4cee0cb7381d494565019d756f602d80077c22ab635b324ec10c644bf3c219a68d9c75840a8b5309f

Download Submit
C:\Users\Admin\Desktop\Proxy\RisePro_Proxy.exe

Filesize
462KB

MD5
2e76511c220ce52242101f5ec1666b2d

SHA1
938440a7fade75da14a63fc022cd23d1aad75d1d

SHA256
94257fc67394bd8057ff49c107dd0439c8cdde9632dc7c656fdd6aaf0f0f292a

SHA512
07b3614b90e21ac49a20be1019b4bcdbe37714029ed8dcc5c6665b73536ca6558c83433aef6bf27348704da5b6d2a98b306c0a34d8b1c0ef4704c2aef995db06

Download Submit
memory/564-2947-0x000000001B360000-0x000000001B513000-memory.dmp

Filesize
1.7MB

Download
memory/808-443-0x0000000000F20000-0x0000000000F2E000-memory.dmp

Filesize
56KB

Download
memory/1384-401-0x00007FF88ED33000-0x00007FF88ED35000-memory.dmp

Filesize
8KB

Download
memory/1384-402-0x0000000000C10000-0x00000000044F4000-memory.dmp

Filesize
56.9MB

Download
memory/1384-403-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/1384-438-0x000000001F330000-0x000000001F4E3000-memory.dmp

Filesize
1.7MB

Download
memory/1384-441-0x00007FF88ED30000-0x00007FF88F7F2000-memory.dmp

Filesize
10.8MB

Download
memory/1572-3014-0x000000001B580000-0x000000001B733000-memory.dmp

Filesize
1.7MB

Download
memory/1796-2991-0x000000001AF80000-0x000000001B133000-memory.dmp

Filesize
1.7MB

Download
memory/1904-2963-0x000000001B1F0000-0x000000001B3A3000-memory.dmp

Filesize
1.7MB

Download
memory/2032-2944-0x000000001B1B0000-0x000000001B363000-memory.dmp

Filesize
1.7MB

Download
memory/2032-2934-0x00000000004D0000-0x000000000054A000-memory.dmp

Filesize
488KB

Download
memory/2088-3026-0x000000001B4F0000-0x000000001B6A3000-memory.dmp

Filesize
1.7MB

Download
memory/2144-2965-0x000000001B400000-0x000000001B5B3000-memory.dmp

Filesize
1.7MB

Download
memory/2340-3022-0x000000001B0E0000-0x000000001B293000-memory.dmp

Filesize
1.7MB

Download
memory/2988-3021-0x000000001B260000-0x000000001B413000-memory.dmp

Filesize
1.7MB

Download
memory/3292-453-0x00000219F5860000-0x00000219F5882000-memory.dmp

Filesize
136KB

Download
memory/3672-512-0x0000000008530000-0x0000000008531000-memory.dmp

Filesize
4KB

Download
memory/3672-513-0x0000000008540000-0x0000000008541000-memory.dmp

Filesize
4KB

Download
memory/3672-510-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/3672-511-0x0000000008520000-0x0000000008521000-memory.dmp

Filesize
4KB

Download
memory/3672-515-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3672-507-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/3672-509-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/3672-514-0x0000000008550000-0x0000000008551000-memory.dmp

Filesize
4KB

Download
memory/3672-508-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/3740-3024-0x000000001B9C0000-0x000000001BB73000-memory.dmp

Filesize
1.7MB

Download
memory/4124-3025-0x000000001BAB0000-0x000000001BC63000-memory.dmp

Filesize
1.7MB

Download
memory/4240-2948-0x000000001BCD0000-0x000000001BE83000-memory.dmp

Filesize
1.7MB

Download
memory/4616-2961-0x000000001B4F0000-0x000000001B6A3000-memory.dmp

Filesize
1.7MB

Download
memory/4704-2962-0x000000001B280000-0x000000001B433000-memory.dmp

Filesize
1.7MB

Download
memory/4768-439-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/5324-2968-0x000000001BD90000-0x000000001BF43000-memory.dmp

Filesize
1.7MB

Download
memory/5376-2923-0x0000000000280000-0x0000000000316000-memory.dmp

Filesize
600KB

Download
memory/5376-2936-0x000000001B030000-0x000000001B1E3000-memory.dmp

Filesize
1.7MB

Download
memory/5416-2954-0x000000001B220000-0x000000001B3D3000-memory.dmp

Filesize
1.7MB

Download
memory/5600-3003-0x000000001AF90000-0x000000001B143000-memory.dmp

Filesize
1.7MB

Download
memory/5620-2995-0x000000001B530000-0x000000001B6E3000-memory.dmp

Filesize
1.7MB

Download