remcos | 5d4360996a1f89361dda1818a51dcdd2a551698c6c4d887b5ba67fd86b946e3b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df74554fa84972532ee1f476046f8885.exe
Size

1.1MB
MD5

df74554fa84972532ee1f476046f8885
SHA1

67f378bbec8e05083b92ae7663d56d60abcd3157
SHA256

5d4360996a1f89361dda1818a51dcdd2a551698c6c4d887b5ba67fd86b946e3b
SHA512

25bda3e078a97fefbd2c67a2063d0c1f9c26affa446d3e00c64eaf8ed81711bb831460ea05a8f375d4669d9948cdce6895769b34f312d06cb9282953a4cf5a60
SSDEEP

24576:5iJN+UVsONWfU4KeR3VayNE42bro59PVRGgYNPzokvn:U3+UnWc4fRUyObq5VkLUk/

Score

10^/10

remcos remotehost collection credential_access discovery execution rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

103.195.236.227:2728

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PPPZAN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2656-217-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2984-220-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1788-219-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2984-220-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/2656-217-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
3708	powershell.exe

Uses browser remote debugging 2 TTPs 9 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
1520	Chrome.exe
4808	Chrome.exe
3040	Chrome.exe
1920	Chrome.exe
3432	msedge.exe
3624	msedge.exe
2564	msedge.exe
4176	msedge.exe
2464	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	df74554fa84972532ee1f476046f8885.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	df74554fa84972532ee1f476046f8885.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3508 set thread context of 2656	3508	df74554fa84972532ee1f476046f8885.exe	107
PID 3508 set thread context of 2984	3508	df74554fa84972532ee1f476046f8885.exe	110
PID 3508 set thread context of 1788	3508	df74554fa84972532ee1f476046f8885.exe	111

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df74554fa84972532ee1f476046f8885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df74554fa84972532ee1f476046f8885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df74554fa84972532ee1f476046f8885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df74554fa84972532ee1f476046f8885.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df74554fa84972532ee1f476046f8885.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	df74554fa84972532ee1f476046f8885.exe
1964	powershell.exe
3708	powershell.exe
3532	df74554fa84972532ee1f476046f8885.exe
3708	powershell.exe
1964	powershell.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
1520	Chrome.exe
1520	Chrome.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
2656	df74554fa84972532ee1f476046f8885.exe
2656	df74554fa84972532ee1f476046f8885.exe
1788	df74554fa84972532ee1f476046f8885.exe
1788	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe
3508	df74554fa84972532ee1f476046f8885.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	df74554fa84972532ee1f476046f8885.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	1788	df74554fa84972532ee1f476046f8885.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe
Token: SeShutdownPrivilege	1520	Chrome.exe
Token: SeCreatePagefilePrivilege	1520	Chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1520	Chrome.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1964	3532	df74554fa84972532ee1f476046f8885.exe	85
PID 3532 wrote to memory of 1964	3532	df74554fa84972532ee1f476046f8885.exe	85
PID 3532 wrote to memory of 1964	3532	df74554fa84972532ee1f476046f8885.exe	85
PID 3532 wrote to memory of 3708	3532	df74554fa84972532ee1f476046f8885.exe	87
PID 3532 wrote to memory of 3708	3532	df74554fa84972532ee1f476046f8885.exe	87
PID 3532 wrote to memory of 3708	3532	df74554fa84972532ee1f476046f8885.exe	87
PID 3532 wrote to memory of 2960	3532	df74554fa84972532ee1f476046f8885.exe	89
PID 3532 wrote to memory of 2960	3532	df74554fa84972532ee1f476046f8885.exe	89
PID 3532 wrote to memory of 2960	3532	df74554fa84972532ee1f476046f8885.exe	89
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3532 wrote to memory of 3508	3532	df74554fa84972532ee1f476046f8885.exe	91
PID 3508 wrote to memory of 1520	3508	df74554fa84972532ee1f476046f8885.exe	98
PID 3508 wrote to memory of 1520	3508	df74554fa84972532ee1f476046f8885.exe	98
PID 1520 wrote to memory of 924	1520	Chrome.exe	99
PID 1520 wrote to memory of 924	1520	Chrome.exe	99
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 3592	1520	Chrome.exe	100
PID 1520 wrote to memory of 4228	1520	Chrome.exe	101
PID 1520 wrote to memory of 4228	1520	Chrome.exe	101
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102
PID 1520 wrote to memory of 2204	1520	Chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
"C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SRsRirfIdHo.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SRsRirfIdHo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCA9.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
  "C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Program Files\Google\Chrome\Application\Chrome.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeca00cc40,0x7ffeca00cc4c,0x7ffeca00cc58
      4⤵
      PID:924
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,11276616166573342304,5256241245519824685,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2024 /prefetch:2
      4⤵
      PID:3592
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1840,i,11276616166573342304,5256241245519824685,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:3
      4⤵
      PID:4228
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,11276616166573342304,5256241245519824685,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8
      4⤵
      PID:2204
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,11276616166573342304,5256241245519824685,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3040
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,11276616166573342304,5256241245519824685,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4808
  - - C:\Program Files\Google\Chrome\Application\Chrome.exe
      "C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,11276616166573342304,5256241245519824685,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1920
- - C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
    C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe /stext "C:\Users\Admin\AppData\Local\Temp\hlnycteepp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
    C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe /stext "C:\Users\Admin\AppData\Local\Temp\jnsrdlpfdxcnyh"
    3⤵
    PID:4616
- - C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
    C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe /stext "C:\Users\Admin\AppData\Local\Temp\jnsrdlpfdxcnyh"
    3⤵
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
    C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe /stext "C:\Users\Admin\AppData\Local\Temp\jnsrdlpfdxcnyh"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe
    C:\Users\Admin\AppData\Local\Temp\df74554fa84972532ee1f476046f8885.exe /stext "C:\Users\Admin\AppData\Local\Temp\tiybddizrfusinyhw"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:3624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffec94146f8,0x7ffec9414708,0x7ffec9414718
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:2656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:4176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2136,1709685388185075733,8563713712124977711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3432

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
05489d1c16ce20e50830f3ff4f690df1

SHA1
bc459363523c10e2b34e5e2580b87f2732178f8d

SHA256
0380ea3252d3fcee0b9a0f663db873c0be09c9fce2ab498995bc003d20a65450

SHA512
11ea21eeeec2f5e8e3f7298feec7a9801be040e37e551c7c085e9ce3a391691be00af320b39908649e7866f9b3b9560fc540d437eb370370893a0a9d2d39cc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
40B

MD5
5867f84eae6cf449df9bd8d8b85cccaf

SHA1
0f287d23ad465920210f3e8b1a97a2b0799c66f3

SHA256
dcd11b5da6e6473229a2475967177f7ccad987910362bdce361486a9aa8a58a7

SHA512
a47da039fcc02c689f719cbb5520b928cf102fe4fd23f67457e12b2a2266d38fccd419b71d350d92769158925e5eb455a948c579494c92937e83d592fa2dd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
217fcf82505cd264557e653528c1d3bc

SHA1
383339a29daa1247803ae306b361b40e4b1eab60

SHA256
75093aeed1be294a3598007d7589eb61e10c9df2e7019a16ad71a16ed1ea062f

SHA512
d078990604ca688c9199597889b2824f4eaaebe6f65a79b691faf1db795a664984d444cae403f6099d2418d2cfcb45b03b320646544438f36afc4ae0d03ec254

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
24e0d8d9524abbae037d2577f0827509

SHA1
7bc1a023d7545ec83a443652847c3bb6cf44f75b

SHA256
a76e41efa60ad26c0feebbad8e8a1010d71416b04823760bab4390c33c74106a

SHA512
11b7e5588cd387afc24fc529e97ee7354464b955059a1f97805b02580d7b9d4dcf1d9816161f72a9b4381973a50020abe66bde1ff024f8def8913ddd5a401430

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

Filesize
152B

MD5
c3274063c457c90837878589dbdf384c

SHA1
f504845f32b60472225fd7fe8e1efc28c1716fdd

SHA256
cdade2873523f7e602ee72901389708d233dace50564e2db7b21cbee61f52380

SHA512
488e150100111a150098e5761404e52936daeb23c9a52f28d5644bab9fb8044864969c5e72fa896e37f0c03d1d06a603cdd3d212d1bf2e88b5baf058e9f020ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
392f806fb87d2c9c227d154a0ed80e72

SHA1
55bd9778b047d4e7b537b5d036d4c7f1d678ad56

SHA256
20ec07e877144e0a6d41149572b8f0fa634dcdabb1d067a280fa174117c14187

SHA512
8cf02bd464d16d295a56a192a859e98e827762a33ec81c214ee0680c9237ca059e145b270fe88e83572ff81acc71ac89f9900c712a45eeb112726df01db1b8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Extension State\LOG

Filesize
265B

MD5
47e7b8d7424a060138cf0eee34080bd7

SHA1
f85084e1791dce1b9a25e1387f58c8215d89325b

SHA256
9eed7667851fe6c77a8d29302492534ee186449b7388c87fb509a38774321c74

SHA512
93517c6a31249fc7b8e1d0c8ff95dca9501c759bbe40b969ae883a05ae7f62f8c8ff18ca1c879abef76e47223d13d8e7724db9e1315dfaeddbcc6766ebcc9f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

Filesize
20KB

MD5
b40e1be3d7543b6678720c3aeaf3dec3

SHA1
7758593d371b07423ba7cb84f99ebe3416624f56

SHA256
2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4

SHA512
fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

Filesize
256KB

MD5
7fd37b8c282c2f203b40d825a00e922c

SHA1
62a8b5cd0653824aac18fd435ab38ca2352b4630

SHA256
1154a72dd0ed9195feac5c9c8aad05ee44dc04c218d2d7425d01e35669fb910d

SHA512
bc9e3c0ef6cc236b03ddd185e935977587c7010df3d3af19c0842f759c126856a58831b05b743c26b2ea22d10f99738559d0a9441f78081d09b6dccf7b303241

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

Filesize
192KB

MD5
d30bfa66491904286f1907f46212dd72

SHA1
9f56e96a6da2294512897ea2ea76953a70012564

SHA256
25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907

SHA512
44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

Filesize
277B

MD5
9ec47c36b221d6b47715121ff4f71cde

SHA1
8b0e0477d0f5a5930f01e220bf7bb07e585fa179

SHA256
e00df51f8890d8fbabe5a1f659c92c8a22921df9ad58e66505f23e136ebf2448

SHA512
2910711892223990ac445332b93115a4a97c2a5c55bd3ac7aaabc171ba57923420b6b11b38489d0898bd603f67aebc81d0033f27c81e0e2df1744fb54dd19106

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

Filesize
1KB

MD5
10e38241f7c976c57e2b652e9b94b94c

SHA1
2232f8740e43cca8c9734b1c31e09dfee3e9fee7

SHA256
4679a8767ceadc5b65620cec66f847fe161b6e8fd3b378ee14a7191f0e35712b

SHA512
7671eb45025b4a6c246ca324a66e79a05d5f86538f0134e60347a781f4dac83459cda497c429e273ce34087d9b2b037b14090b8bdf573a66562791b5312d592b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

Filesize
20KB

MD5
fe8f391e22ec6fc921ba2b28adcf27d9

SHA1
6bc83e830973375fa42f900fcbd2cb2b87d11e08

SHA256
23ab17b4cd2214c9b4c3d65fcf06ec9eb6a42c7f191f749ddbd4bf2e62e49eec

SHA512
2e8808bf5663d7c3b643b08051659db311eccbeb9afbfcb004c69070e345f42593c95d59592713ebddf0f0fc799cb51aff5711710a72b79ed3225de7a6409674

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
5KB

MD5
d48165e49215ce0931ee3d5ad5363e1a

SHA1
384478f7674cb232ada9004a5a628609a34a3462

SHA256
18cc3f9d973fa962cd6f31c1a1f9c43a4e1e96df9bd6f3bbe562667768dde85f

SHA512
5ccf13bdfd5a13a5af07e1242f605aef408e747e5ff726d20e0acc55877f7e29d0009c5cd834dbfb4ff22d0023654cd0bd0209658d965027982ea2532b76349a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

Filesize
1KB

MD5
f26dbd713a735bbe58608786d67e4eb7

SHA1
b8b6089fa4f021ca11b0adb347867125b0fa94e4

SHA256
ff75bc5625661d0180ada2a29ea6315b3ece381f35b34dce67bf1822981907a1

SHA512
774e35b00a2b90461b0734322035c629e86ae3ec52fabd688f80fe3bd2ef8879c3c116723bdae33d1e0e066ff12b922b431f18adf11d4b0de950753180ab319c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
15KB

MD5
41b0bd2703f2fbe7b1c502560dfa417b

SHA1
31c16919ee60f7637b0b177e20605ded90944681

SHA256
963984ee46a83e2a3048d78e0e7090e96922181f9eed59b2b02bf859df24b8c6

SHA512
49f3cce1e384e1206aaf82b3be3cd027f25aa7c8ba6699b509aa05536db3257abd1fc95e8a64f682049444296f12cbe2dd3ffea964f701c19532c4b7d6d6c80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

Filesize
24KB

MD5
3bf275ad7c396401afb4c58a726ad1b6

SHA1
96bf533576e086a90bd1a6618dd68e940d1e9560

SHA256
f52768ee3e6f25ea1894eb1c4bb7d0feb89efab07cd2fb169bc71a2122faf0b1

SHA512
79af46b585a913f7b03c410ff38004effc98fb074107e90592d98c4fefd668bef7ec76f4c710f692cc71b6d41ee613905483e539d1327d6be49a0d374cbc9e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

Filesize
241B

MD5
9082ba76dad3cf4f527b8bb631ef4bb2

SHA1
4ab9c4a48c186b029d5f8ad4c3f53985499c21b0

SHA256
bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd

SHA512
621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

Filesize
279B

MD5
875531aa719ea64b2077179ea56d3039

SHA1
5465241de3a7b1bc98f21fb928f3297ca5fd678e

SHA256
268b145eb5a014fe3937c707dd7c78856e23597279fa8bc03143be72c311389d

SHA512
5b53da1de399398c21622e0ffcdd1d72c3a3db63a165400ca74f6e8dd7cdf16274f0b120e9418cb43025d3a747eca8c2fa33fdc9096519421071349b49155dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

Filesize
80B

MD5
69449520fd9c139c534e2970342c6bd8

SHA1
230fe369a09def748f8cc23ad70fd19ed8d1b885

SHA256
3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277

SHA512
ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

Filesize
265B

MD5
801e0d13e140c6dd4c92a291d35ceaa6

SHA1
3514b9ccbb4f8e9a1b1cb1f7264047b4b770ec8c

SHA256
7accd1003adb050f3a23ebce35ef6b57d4664a26d343d6cf24f9d52da9aea12b

SHA512
a94c4d57776baa22c6eef6c5222e196c81e2fad88017428fea6288de39c380ec7d4721ee439355d3b081f2759b7489deb336ef2532e52ef83242da392cd0a332

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

Filesize
291B

MD5
cc229581eeeef01d09c841c4222ad005

SHA1
e92de72b5e5888c54db9eb5e794bb97245f3c692

SHA256
a937376d8b1807a803ab03005ec6cc5ff12d8df4e049903945778578d4cb98cf

SHA512
ac4fc960ff20313cf2e470bfd439970e1852815ee188e4fa880d85f1c53f15856e654364b5a7c89f53643ec00702ad15524dc6d52d522fc09e67855f561e4b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

Filesize
267B

MD5
8745d0e4ffb561928abdee220cef5d11

SHA1
3965c557156130c207dc6d52f062a8666ff3879a

SHA256
8f07b0908c161d4e3b97345d0e0a41c108d6d7703adbba3fbd85ca6c73c510ee

SHA512
b28c0403e18f3bd04c9563f3d795d888912ef5788dbc0d731e7dbfb0586ed5d6b1abc12581ce6a788d0bb47428844587ac50161c3756a9b0d63327fb431c4f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

Filesize
20KB

MD5
986962efd2be05909f2aaded39b753a6

SHA1
657924eda5b9473c70cc359d06b6ca731f6a1170

SHA256
d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889

SHA512
e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

Filesize
128KB

MD5
2d950725deac521ba69f8704704912b8

SHA1
2a2fa1f0e2e63a2cd87326d4a15ee48cf4eb1c0b

SHA256
40564fcc6a9ad52f042656940d891fb3a9b67e94a7bcc31185333bd2686ec89f

SHA512
29718110de5d14f04496b67304d4fc163d350ed29a6f9f781eeb5109a57334f209fb0d52dae64906b4404b44c7501a6012200eeb202b9aded966a92f6ae42a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

Filesize
114KB

MD5
a113e0a89528d2f11c17e8e8ea65453e

SHA1
460960bef6dd0099a1175dc3caf220152f748b62

SHA256
16033db94ab648de27f8a3099be9e0d739c5e9a213d67812d6efeae6f68c0a9c

SHA512
c3e9734ddb4e03ede79ff83469cc9deca008b9480459c3f4c3a75174c252e5e4429cf8991aeebb300b9d76439e97d7a5275c6f674ff3134a23efa7e884ef7151

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
a45eb13f5d5b613525ee8d17c8f99ff4

SHA1
8d2d57d84bc0b8dec54901e528daa6fe86876aa7

SHA256
28ba1bafd1717f1152bf9f7e73e15b339f65f3badd704d5fd540ffec4945ba7e

SHA512
58926d650996b7639b9eaeb41e53439d0b65bb2cfeb323c6704d3c8202f31689aefa32756f5f1e6cf4c60a6f8441eea5949ecd6783a889254fcda513bdfdaa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

Filesize
263B

MD5
cf386a23a81b97772fd4f4dcfa90b99a

SHA1
0cb1ec07abdd445a65c5675af34ff1a13f32132a

SHA256
51f911fc21f124b250d0bc417d500187d3387763938c648ebaf23de92bf74837

SHA512
57b4bc480d77171184449035a73797fa32ffc598701b5ccbccf80b9e4a22efd9f8da99bdb6f8e1efa86f1742e7617bde57adb2ddd48e5f76dd34f93bf658b7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

Filesize
682B

MD5
09d69f5adb00554f1e2dd56d4b427064

SHA1
daa0c276a3dc634179b72c34c334d43811a9cd32

SHA256
f0919ac27b38c019eeda83e55b6397cf7627f5d0eeaf483d108b93ec4189fbe7

SHA512
0704065c2585159947be474717eb25d5028479f67be2a5c174a00e098e0200aefe12a567ed48ace903aa344e66841c33017d2aeadc0c888e0c775ea61387b766

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

Filesize
281B

MD5
125e39d7b6bedeecd3a26ec56e5604e0

SHA1
9c012229bf3f0617cab23e3cb3e64aed4a6b97b9

SHA256
b348fd4ddcce9b3332ea8df9b56e05db04e768294d01c089c3e0feac91c15093

SHA512
c1437300f0b753f371d47d0c394ebcbf4231d92c4a939db6751bdf38ba32be8c9f2040bb37b459a2215f33d3f37a814e03c821e7ad169ed148635cebc9b3412a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
116KB

MD5
e2dd296f52f06776f4aa5d658e695a67

SHA1
7b39c8419398e37975d85dbc84e0e77f0a567a15

SHA256
f46246b4f3c4c1fc1c690b44a5c64ab9927f3cc61eabb84c8ee7a09d4decd515

SHA512
461efa24108c4e44e61891ea3723f9091d83af07623ba0d25dc3055107bed2b49f144b5fa584efa4c441bbb17ee8b093897ad7aba18a351ebc39c8d88e35ee91

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

Filesize
8KB

MD5
857637919c61322f413429ecb2b03469

SHA1
47381f431189e4534fd998e8b2e235a32fa78c32

SHA256
14633c6c3826475555f954a4c657184d3b470a23388acf69c7900ba838ca1083

SHA512
4a116a732e8f60eb77d16298f5769d58ff70c18d1fc9b3b4269a0c16aba887704e08cd73308d26cd9c685cfda75bb36d91473c3dfac756248461d47552e8b007

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydwcyrxr.pj0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlnycteepp

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCA9.tmp

Filesize
1KB

MD5
a0b6baf8959d148114c1ac2823476ca9

SHA1
71d1dc0b2cab82d97cee26b92572fd51c610c75e

SHA256
4edeba8629f3db756123893373d8c6bbfd3b7b92f81ef77b66215c79a995f026

SHA512
4a74ddec102a579f691d84747cd1f195b3d44e8b0013766321adb664472a0273397b5b30af71718ea781fa5a334be5c27d021cac479dc53e1b2504bf507ec538

Download Submit
memory/1788-215-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1788-218-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1788-219-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1964-79-0x0000000075530000-0x000000007557C000-memory.dmp

Filesize
304KB

Download
memory/1964-98-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1964-50-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1964-18-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1964-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1964-16-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/1964-15-0x0000000005020000-0x0000000005056000-memory.dmp

Filesize
216KB

Download
memory/2656-214-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2656-217-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2656-212-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2984-216-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2984-213-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2984-220-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3508-245-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-48-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-414-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-413-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-412-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-411-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-104-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/3508-100-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/3508-103-0x0000000010000000-0x0000000010034000-memory.dmp

Filesize
208KB

Download
memory/3508-410-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-409-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-408-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-242-0x0000000004470000-0x0000000004489000-memory.dmp

Filesize
100KB

Download
memory/3508-241-0x0000000004470000-0x0000000004489000-memory.dmp

Filesize
100KB

Download
memory/3508-243-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-239-0x0000000004470000-0x0000000004489000-memory.dmp

Filesize
100KB

Download
memory/3508-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-244-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-407-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-406-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-77-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-36-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-47-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3508-49-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3532-7-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/3532-1-0x00000000002C0000-0x00000000003D2000-memory.dmp

Filesize
1.1MB

Download
memory/3532-51-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3532-2-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/3532-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/3532-4-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/3532-5-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3532-6-0x0000000006430000-0x0000000006456000-memory.dmp

Filesize
152KB

Download
memory/3532-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/3532-8-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3532-9-0x000000000B160000-0x000000000B224000-memory.dmp

Filesize
784KB

Download
memory/3532-10-0x000000000E2C0000-0x000000000E35C000-memory.dmp

Filesize
624KB

Download
memory/3708-31-0x0000000005FD0000-0x0000000006324000-memory.dmp

Filesize
3.3MB

Download
memory/3708-66-0x00000000075B0000-0x0000000007653000-memory.dmp

Filesize
652KB

Download
memory/3708-92-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

Filesize
32KB

Download
memory/3708-72-0x0000000007B40000-0x0000000007BD6000-memory.dmp

Filesize
600KB

Download
memory/3708-19-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3708-78-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

Filesize
68KB

Download
memory/3708-21-0x00000000054F0000-0x0000000005512000-memory.dmp

Filesize
136KB

Download
memory/3708-24-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3708-25-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3708-89-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

Filesize
56KB

Download
memory/3708-23-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/3708-53-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/3708-91-0x0000000007C00000-0x0000000007C1A000-memory.dmp

Filesize
104KB

Download
memory/3708-90-0x0000000007B00000-0x0000000007B14000-memory.dmp

Filesize
80KB

Download
memory/3708-22-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/3708-65-0x0000000006B30000-0x0000000006B4E000-memory.dmp

Filesize
120KB

Download
memory/3708-55-0x0000000075530000-0x000000007557C000-memory.dmp

Filesize
304KB

Download
memory/3708-69-0x0000000007930000-0x000000000793A000-memory.dmp

Filesize
40KB

Download
memory/3708-99-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3708-67-0x0000000007F10000-0x000000000858A000-memory.dmp

Filesize
6.5MB

Download
memory/3708-68-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/3708-54-0x0000000006B90000-0x0000000006BC2000-memory.dmp

Filesize
200KB

Download
memory/3708-52-0x00000000065A0000-0x00000000065BE000-memory.dmp

Filesize
120KB

Download