lumma | 7396387cd5bebdafed26cb32d52ea4c780b08e8bb358db7b20e743448391e016

Resubmissions

25/02/2025, 16:58

250225-vhcetsxpx3 1

21/01/2025, 19:12

250121-xwkpgaxqfr 10

Analysis

max time kernel
331s
max time network
331s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.zip
Size

156.3MB
MD5

07c25292f2c72370b9798591d0ec42a7
SHA1

7262e0214d8266f234a8db925900ba46b4fec8ff
SHA256

7396387cd5bebdafed26cb32d52ea4c780b08e8bb358db7b20e743448391e016
SHA512

f5cccb9a3f663fd168d1242845a7d32d720c7671d2e2efc253e601b53878445c7f3504a416394c32c9d83469a409a631253c8a9a75ddefefaf7ef57bc8115066
SSDEEP

3145728:5SjEVsBz/OLgeHkmeZDldmQj+0ixyCcsVLpsGnH7GTslm:5Sj3DOLZDeZDl0A1sHcsTtnwkm

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://uncoverreduop.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Set-up.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Set-up.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Set-up.exe

Executes dropped EXE 6 IoCs

pid	Process
2956	Set-up.exe
1088	Stanford.com
2040	Set-up.exe
3232	Stanford.com
1428	Set-up.exe
2028	Stanford.com

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
2052	tasklist.exe
2536	tasklist.exe
2324	tasklist.exe
4112	tasklist.exe
4988	tasklist.exe
4120	tasklist.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CamcordersJudgment	Set-up.exe
File opened for modification	C:\Windows\SunsetVenture	Set-up.exe
File opened for modification	C:\Windows\GraphPraise	Set-up.exe
File opened for modification	C:\Windows\CamcordersJudgment	Set-up.exe
File opened for modification	C:\Windows\CeRu	Set-up.exe
File opened for modification	C:\Windows\SunsetVenture	Set-up.exe
File opened for modification	C:\Windows\GraphPraise	Set-up.exe
File opened for modification	C:\Windows\CamcordersJudgment	Set-up.exe
File opened for modification	C:\Windows\CeRu	Set-up.exe
File opened for modification	C:\Windows\SunsetVenture	Set-up.exe
File opened for modification	C:\Windows\GraphPraise	Set-up.exe
File opened for modification	C:\Windows\CeRu	Set-up.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stanford.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stanford.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stanford.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819605075369401"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{C7AC053A-4BA5-464C-B045-2EE14394DB7B}	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1088	Stanford.com
1088	Stanford.com
1088	Stanford.com
1088	Stanford.com
1088	Stanford.com
1088	Stanford.com
3232	Stanford.com
3232	Stanford.com
3232	Stanford.com
3232	Stanford.com
3232	Stanford.com
3232	Stanford.com
2028	Stanford.com
2028	Stanford.com
2028	Stanford.com
2028	Stanford.com
2028	Stanford.com
2028	Stanford.com
5108	chrome.exe
5108	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3212	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3212	7zFM.exe
Token: 35	3212	7zFM.exe
Token: SeSecurityPrivilege	3212	7zFM.exe
Token: SeDebugPrivilege	4120	tasklist.exe
Token: SeDebugPrivilege	2052	tasklist.exe
Token: SeDebugPrivilege	2536	tasklist.exe
Token: SeDebugPrivilege	2324	tasklist.exe
Token: SeDebugPrivilege	4112	tasklist.exe
Token: SeDebugPrivilege	4988	tasklist.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe
Token: SeCreatePagefilePrivilege	5108	chrome.exe
Token: SeShutdownPrivilege	5108	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3212	7zFM.exe
3212	7zFM.exe
1088	Stanford.com
1088	Stanford.com
1088	Stanford.com
3232	Stanford.com
3232	Stanford.com
3232	Stanford.com
2028	Stanford.com
2028	Stanford.com
2028	Stanford.com
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1088	Stanford.com
1088	Stanford.com
1088	Stanford.com
3232	Stanford.com
3232	Stanford.com
3232	Stanford.com
2028	Stanford.com
2028	Stanford.com
2028	Stanford.com
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe
5108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 4392	2956	Set-up.exe	107
PID 2956 wrote to memory of 4392	2956	Set-up.exe	107
PID 2956 wrote to memory of 4392	2956	Set-up.exe	107
PID 4392 wrote to memory of 4120	4392	cmd.exe	109
PID 4392 wrote to memory of 4120	4392	cmd.exe	109
PID 4392 wrote to memory of 4120	4392	cmd.exe	109
PID 4392 wrote to memory of 4212	4392	cmd.exe	110
PID 4392 wrote to memory of 4212	4392	cmd.exe	110
PID 4392 wrote to memory of 4212	4392	cmd.exe	110
PID 4392 wrote to memory of 2052	4392	cmd.exe	111
PID 4392 wrote to memory of 2052	4392	cmd.exe	111
PID 4392 wrote to memory of 2052	4392	cmd.exe	111
PID 4392 wrote to memory of 4936	4392	cmd.exe	112
PID 4392 wrote to memory of 4936	4392	cmd.exe	112
PID 4392 wrote to memory of 4936	4392	cmd.exe	112
PID 4392 wrote to memory of 1512	4392	cmd.exe	114
PID 4392 wrote to memory of 1512	4392	cmd.exe	114
PID 4392 wrote to memory of 1512	4392	cmd.exe	114
PID 4392 wrote to memory of 2072	4392	cmd.exe	115
PID 4392 wrote to memory of 2072	4392	cmd.exe	115
PID 4392 wrote to memory of 2072	4392	cmd.exe	115
PID 4392 wrote to memory of 2328	4392	cmd.exe	116
PID 4392 wrote to memory of 2328	4392	cmd.exe	116
PID 4392 wrote to memory of 2328	4392	cmd.exe	116
PID 4392 wrote to memory of 3288	4392	cmd.exe	117
PID 4392 wrote to memory of 3288	4392	cmd.exe	117
PID 4392 wrote to memory of 3288	4392	cmd.exe	117
PID 4392 wrote to memory of 2456	4392	cmd.exe	118
PID 4392 wrote to memory of 2456	4392	cmd.exe	118
PID 4392 wrote to memory of 2456	4392	cmd.exe	118
PID 4392 wrote to memory of 1088	4392	cmd.exe	119
PID 4392 wrote to memory of 1088	4392	cmd.exe	119
PID 4392 wrote to memory of 1088	4392	cmd.exe	119
PID 4392 wrote to memory of 3388	4392	cmd.exe	120
PID 4392 wrote to memory of 3388	4392	cmd.exe	120
PID 4392 wrote to memory of 3388	4392	cmd.exe	120
PID 2040 wrote to memory of 5004	2040	Set-up.exe	123
PID 2040 wrote to memory of 5004	2040	Set-up.exe	123
PID 2040 wrote to memory of 5004	2040	Set-up.exe	123
PID 5004 wrote to memory of 2536	5004	cmd.exe	125
PID 5004 wrote to memory of 2536	5004	cmd.exe	125
PID 5004 wrote to memory of 2536	5004	cmd.exe	125
PID 5004 wrote to memory of 4280	5004	cmd.exe	126
PID 5004 wrote to memory of 4280	5004	cmd.exe	126
PID 5004 wrote to memory of 4280	5004	cmd.exe	126
PID 5004 wrote to memory of 2324	5004	cmd.exe	127
PID 5004 wrote to memory of 2324	5004	cmd.exe	127
PID 5004 wrote to memory of 2324	5004	cmd.exe	127
PID 5004 wrote to memory of 3728	5004	cmd.exe	128
PID 5004 wrote to memory of 3728	5004	cmd.exe	128
PID 5004 wrote to memory of 3728	5004	cmd.exe	128
PID 5004 wrote to memory of 3980	5004	cmd.exe	129
PID 5004 wrote to memory of 3980	5004	cmd.exe	129
PID 5004 wrote to memory of 3980	5004	cmd.exe	129
PID 5004 wrote to memory of 4804	5004	cmd.exe	130
PID 5004 wrote to memory of 4804	5004	cmd.exe	130
PID 5004 wrote to memory of 4804	5004	cmd.exe	130
PID 5004 wrote to memory of 5044	5004	cmd.exe	131
PID 5004 wrote to memory of 5044	5004	cmd.exe	131
PID 5004 wrote to memory of 5044	5004	cmd.exe	131
PID 5004 wrote to memory of 2008	5004	cmd.exe	132
PID 5004 wrote to memory of 2008	5004	cmd.exe	132
PID 5004 wrote to memory of 2008	5004	cmd.exe	132
PID 5004 wrote to memory of 3232	5004	cmd.exe	133

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2284

C:\Users\Admin\Downloads\Set-up.exe
"C:\Users\Admin\Downloads\Set-up.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Banners Banners.cmd & Banners.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 467160
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Singing
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "FLYING" Lack
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 467160\Stanford.com + Calculation + Proposed + Stats + Broke + Fully + Teaching + Properly + Dominant + Ring + Benefit 467160\Stanford.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Samba + ..\Pressure + ..\Hands + ..\Flag + ..\Proceeds + ..\Franklin P
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Users\Admin\AppData\Local\Temp\467160\Stanford.com
    Stanford.com P
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1088
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3388

C:\Users\Admin\Downloads\Set-up.exe
"C:\Users\Admin\Downloads\Set-up.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Banners Banners.cmd & Banners.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4280
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 467160
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Singing
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 467160\Stanford.com + Calculation + Proposed + Stats + Broke + Fully + Teaching + Properly + Dominant + Ring + Benefit 467160\Stanford.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Samba + ..\Pressure + ..\Hands + ..\Flag + ..\Proceeds + ..\Franklin P
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\467160\Stanford.com
    Stanford.com P
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3232
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936

C:\Users\Admin\Downloads\Set-up.exe
"C:\Users\Admin\Downloads\Set-up.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Banners Banners.cmd & Banners.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4676
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 467160
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3908
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Singing
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 467160\Stanford.com + Calculation + Proposed + Stats + Broke + Fully + Teaching + Properly + Dominant + Ring + Benefit 467160\Stanford.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Samba + ..\Pressure + ..\Hands + ..\Flag + ..\Proceeds + ..\Franklin P
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3464
- - C:\Users\Admin\AppData\Local\Temp\467160\Stanford.com
    Stanford.com P
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2028
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd4248cc40,0x7ffd4248cc4c,0x7ffd4248cc58
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2480 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5184,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5220,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5224,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:2
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5388,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3360,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4804,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5296,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5276,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5468,i,1215064096223163667,9192960375062932191,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\54986441-63c2-404a-bc39-490dc1b13ff1.tmp

Filesize
9KB

MD5
fe0daf899b20428d1c5d5fd8d05c7c5e

SHA1
6397084c16ec8c0ebac4d55772c7a9a66161ae6b

SHA256
370e465a5ea0ea33932d10bd0fea632372ac6d6c63000274c3bfaa671396ecfa

SHA512
a7301ed197ea10085f26aa936bab5c451feb6a57cc0589daf5f87a533a6c08447774190852d015fee04dc8352a7017f7ad824efb38a868fa683ce6c2a501aae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f13c6401adb46e8642528ae0bd1a71cb

SHA1
ebb2ab1ab499f7cfc9479b94b3d6ec0fdfea68ff

SHA256
03d6f32b7efa136e3e1a0463ee4840aa8117e95c68f72291dad0ac39814ada67

SHA512
ba9099b4bb052f97c5dde7493ce4d56deff806fb6b88764b3e41152b8c990a12f14879d9812c769bc1ce43d0e8fe84c3fe585276d3126f2aa4654a9906b98b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
153613bb63b29e0955cedfb58cbe8802

SHA1
969efd7b4a2e9104ba8dbe75dd93c25f695c4080

SHA256
2e86d3cc87ef0e1a9c28123226b5cd3a026cb8429c0b45d981ad1eeec96d2d6d

SHA512
65e3a134093cec64ea09c242441c114b66f9bbebf9c16d135c409d1e2aa6a4bcb873ac68de2b1fee795f5c4f437ff01a6eee6c2420fd6277c54249391f5f2175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6fe146e4533e91d4bfec3be2af87ddb7

SHA1
5e054301e6a2504c1491adb99986c865581c6485

SHA256
71497083e192266416023f3e08549e325e6c77de2324c1bdb39165d10f7e4a0c

SHA512
3af4aa91380f597882f5e18b464f5fa85982d7c588d1eb5b0d55594e27e5ca79750cc257a672b3a012598e5cdb36fb67e5eae62378ac47cccd8dd5047e37f870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6b89098a33bc363a85c86dcd15831fe3

SHA1
e54886701c7c8b5a7c78388099a2702d8902c56e

SHA256
9ac6f2a6f519431f0017171f167a692637ef1767ce9b915c9815d6dc186cb8ae

SHA512
25e47d8276a5ece2c3dc6bee0daa41100b7a8dfa283937397c5474f2b22e8adc4f8d197ff5166cca4961c58e7cd20be1b3a059f569375d151a4dbf44ff58bb74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
2bf12ce18b199ab12f44e129fbe3612b

SHA1
6f05b6237460e1de04fced681640adbd322c3c89

SHA256
5ccf0b35411db690f46a8fcbbd26fd04c228827b0e46848819bb565d2c3358ca

SHA512
4594956208d9415cc33b71e9f4970e4c27ae2e12b1712d75087a9669feaf00b890ec8fc445c170cfe7d2df7b18edc696f2c0d28fef8443dcaa8ce90bb73f602a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
bbad688cd3d10c49946d943f2199752d

SHA1
11efee96bc0059e184d6a5a035c6e835424dbc82

SHA256
0ce34f8d8e5cd247f9fea550e4c4a4edf321bfd0c33e9650e5ae216abebc16b9

SHA512
c9b427501569a53ad27007901a79af54075d4cb143a8021defa66b39d9ee405f94aaa4434ce1e2128118b7d67d4f205baa8764904b4fdccf04751cb4d4823816

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d1db8794fe19589d9322bba47d371494

SHA1
c809558b59891a01f1a799566e6c2b48827e450c

SHA256
859b2ac3b8a3b1e4ae1346d96462f6fddc093594b18e0a4fef0492ddd6ee9ee4

SHA512
b96bd701d2c5e4edc5c075ab222944ab77956e678e4d0c12467573077ab619a1ab7697cf04e21b3f410e9e0797632c7f923da60e4c39749632b4f7565402cb5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
487d26c1c35de35c0d9a856d8566c261

SHA1
2d537a1efa424513034256700025d91a108f6ea4

SHA256
975eff02931c39eefcea9ce660009884b6a4e54a8abe2984121a53da011b14cc

SHA512
bd04e63bb4c126843e3bb17fd8e6404a5280a30713feca15d8f0ac8cbeb5a906535902e2bd7eb97aaaf403c312367e6b7ff814fe13be187456f23e23c6709eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
abe5f4fef43476a3f6d0f25d974d9388

SHA1
288e161329a29af3c257aa2abb9cd57cb1704a26

SHA256
4ba48c036073155c925ae83a5cd50eef10d07e5383855a8f98e33ea216a8b07d

SHA512
b5f4c0d3f3169f7be74ae03d423061370933797fd06810b1457e959b29e1f8b9b9270f99d1faa2634fe066b619f7f38f23c9deae6d0c83406d19c9d1b2efd5a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d830f441a3914073dc05392bd2135b62

SHA1
c59a81f27eba2e4cd4c54ec89a01851c44001c49

SHA256
2a30536f8d17fe4ebdc77395567227aa64fb3d6531c98b651c4f274ad45cb5d0

SHA512
35d94b944e261430900169f5ac3980ce0d72507aa2903131fc06a16d15b0e51c9ac82e07d62ea2af76e8029337522a0d2aec06924cccfd997d02947e5e4b6197

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
cc19fd9e962a819ad487739be2c2aa6b

SHA1
26de3f61303f021999e4c0560fdbe5f89ec72f27

SHA256
d789826f4994b206bd2588aa7bd8559d17b18a5adfd045d80d09783e20397590

SHA512
b0ec7fcd282e0a30dbe28500b99c102346f5e284f0bf4024dd3a96b19c318301aca904d543cd5ee641264018b7d639fa667f704099bc083b430a1e0a0fedc016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
c14ede2621108e0754324e26e406d852

SHA1
2b6875d5871689668d54b35933ed6d5659787231

SHA256
515da3a4b331a6cc44ccc3b2bb3e45c0bade4ad7940bb1e06de80f05ec98d26a

SHA512
f1f6e0ae45de159bed9e67cc6d384b440d19356f21d9936defad7c47fbab0d1194a6ebf1275e0023390bf56c6a9325f1f451cc94f65c1fc9f5127201e53325e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
24229a8586173252c6c1b5e1d727a765

SHA1
b00bd8abcb29c51ccadcfcbea882e522bd63fa27

SHA256
ea3336037c4ed91f50faff27f8fb5807057c4daa86c2ba20ee88d9a574d2329c

SHA512
ca4c3f4d4255f00563a0a268ddcb85136ce1141f7fac33d7a36cee0cb1ee916f8a5ba1cb22cbaf70748595787bfc1c2ebe82d2dd30aad2571ee8d2dba80d0aa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2a90ea6dd148d5b4c587b720a95b2f2d

SHA1
60212f2d5a7d0c045ac256e466507a39fa6199fe

SHA256
44f96c569644e242942f134b9aa66d47c62f5b29fa69e5c635a02109c302bc62

SHA512
44e136ac567ad2e69232b88a64e15a2130dc36aea154493f3590e9009295251b9bd291884cdc116227c48c7d19dd61919d00a7df5aab92c5973695c6503d6377

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9fb3b1854e5c5b4e861bc989426c7415

SHA1
a2a75b074f17cefe31f3d9ef29eb6557bbc27cbc

SHA256
a5f9d3ffbdbcca68a2b46c379c6276bacc29da18599ce83d6dea24acdb5a957c

SHA512
3f03f11c006ab41395dfa2a2a57b8267bb78e9aad90001e2d8eac43aa1256e344e0ad911a33fbf54758731f999cd7069f8d60de0ed66d79609f641b06655d9cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a1ffb9f93bb3f0492df4f7239ce72097

SHA1
efad29e11b18227913793237979ca1c07ac6acba

SHA256
0873bd4f3886f0807b1b6c3868e14eb7d19db06f3893f713ca76510a2a4d2acf

SHA512
996d89e8eaba3a5baa407b9645e89ca5cfe42151c5003347e115dff8427ddd0185be53fea9d91a9ae872fa2e604bb4accc106d8ab6a7ec8a8b19b320b15598c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
b8214a6414fbdf608082eab5e28392c4

SHA1
dff78778bf932ed154e407a3f88fc9168d5ef1de

SHA256
5ac8ffd873d27c19c904494eded769dc8f29012ae145ee7c95c5ed8c73e18474

SHA512
5439516c274aeedf2406d9383345c2db7fd6c4bbd38d03cf6f142f6a2c4650c063b8617ecf8fc0afee0add53da6f20a4be74139301ff428eb72c52a2b290da50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
a73aef7e4b59fa9a25e69293d1f80d4e

SHA1
0ba9939e16cdbc9f6f732fd8e952fc1fea489753

SHA256
2ea7959de3e090e7695fab24e4d4ca87757b52b966235709e8965e921141146b

SHA512
3d44083c5c718a9fba7a6d5acdf149ee1ff161c74fd63b94a74900824dc6cebc8018031739a8511b2f35dff79cb43a5a6d0f051e05b3ff7caabbafe40f84249e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
308e06de2096b1d4499c2f0fc107eb3a

SHA1
c5479741e512170beae31a170d6c89cf9b9aad17

SHA256
966639d0369707243ddf9f89c343b9ce51a0f34c851dfeb106be102f183ab36f

SHA512
8859792dfde8f5365e4f72991e5c9e664e427996870ebf4decd12f645c247327766e277e0930f624256dd69536ac70c108f11b4466481256d87b975c3b04f4fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3aeea0c3fd7534b1d12ccd6ce0a3689e

SHA1
49d38c413e4d447ac5c0d8b87c77dad1df16248d

SHA256
5e7d568981be31601d893711b77b125fcb48e933ec4aa0aa7bcfe2334c8f4d0d

SHA512
5c66741d16a15e02477788a530ec38b8f19d96347f86d6fe5cd569813dc7053fa470bd4f1d62b045e1b676ff9588211dc0730b112aefd32a40ca4e21d4941907

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4681fbf51ad0aa48409364ecc653eb80

SHA1
edde3ba28828ddda28063b1616ed7881876c4579

SHA256
e068ff616b65e7431498efd3d97c699d57b8c9d1ecfd4cf164f86c4b806cc0c6

SHA512
bb00e5f5c079d5e4e0c3bc644d13da05cfb401c67bfe756344473854f476a44908126bf99b2918db7619be44ca85ece5429bffc0e35703f6f93b600f2b47dcc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
228ef333c4d16de652b167ff4b72fa8e

SHA1
4635212f56ea6397b51f3eeef7c1e7e42876a19b

SHA256
25559af66806f6ac1099ed793263970cf2bed2171954821e3a9590270763ce39

SHA512
ab50c87e628080671b37b9bbafe4b39684ef52dfcadf16d3c5d11e27418d2e7d181abb642a7ac47a620c33a57a9a896c8c000302ed5a0f0410d9665925839a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a329743da2b6deb9c337c353be9bd8e2

SHA1
301e9ef41343286ca3b10989ca05d8057db066f8

SHA256
55b747b032603d4194fd97db10c37f69f0a3b90c8986289ac381b74a234d889f

SHA512
1ef7a9c7d2df7a4eee0a5a0cfd03db615c835e05e47730b1d122346335bd1eb3b3f4a908833cb1a31579c9560a7374b8c8526e470105896bb381013029c4ab7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d7dd07a2c7d1a6fc8b55ddf314d3725

SHA1
e2dd79492af27fbe6456b57455fb7ea1fd299ae3

SHA256
8bb36003fd6b6b3111c158bc453eb8f80980198defd2814da9263727a4c34e63

SHA512
3be0a533eeee128cc22df69687315c4eb487238ec6d3f41a0775ae44c5959ee85fd3700d728c161bcbfdd04cdf319bd68abc1496246253a896cc8552303d36fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
996ac2d16777d1774a683edea8843759

SHA1
89dbe1432a379b037e380e61029c51b0b2d6956e

SHA256
d6ef2118ccb6dde0249c26ad69092eeeb7112a0d361801e2c35b1570ef08b729

SHA512
1a20d89e0852ca9b2649603f7612e85de222eacd86f30efc6cadbe050a259918f186b2cc0270cb88dccfdee35302d80cb34050f145790defe8bcb2faf7b26afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf18d459c510799de125d90a59cd03b8

SHA1
2113787496503dbe3300ca7ef0b40657312d614f

SHA256
0402eb649b9fd0a3a6b7cc91be57877f400106d17fc0beb7f60333e2533ccde4

SHA512
9b023c63a3246467218f72894d892d95be1b5e3d20f8555a3f68fa983c57e2bf774270c5a584b618403465253eed76c4e854fc68cbf69cf3238f392cffe2ec2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6f39b112117f6c00515827dcad30e1c3

SHA1
4614c76fa2e1a39228f65026c63b15156e70214a

SHA256
cb8d10cb130fe6893bdeea2af636ae710c2699839284eac68bb3468e5bc0afdb

SHA512
49ec5b8d38666991eb0447fec6973798e28a92795daa59c049fe45e0f815ff43a1664ff9d9874e06b0d61c1c32fe385608769d2b662cf4db55e5a272cef3ff99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd5e2d0fc26e1a54c5dfd5781c8b8cb8

SHA1
f7f2de439c65b82f61cee0f509eef7e786996e5e

SHA256
98122465c4360c08c4ee05eda4297cd0e9bf7c5fef8caf32a40ed3f7a3468c04

SHA512
8171fe72734ecb38588afdcc8514744d54d67f6671d93043df3dbbb2f24dabeebb46dbc92bd7c300c3d4c58d8b6bd8262bc0e77f3430d76d3aaa8ed436490617

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20387ca4d209491c927f631b737f0060

SHA1
117122a1429ed4340244a98a33360259ecdb4217

SHA256
c9a6e286695f000d6af028e09fe9963b66d5c6ead4d460a16f2d4eeba7ace7e2

SHA512
fef716702b8c6b359b025ff081fc725b05264420f6b725a8fd7e89a9aa9d0bfac26ea5328c89938ac25cb97b4929c8f64a3ddb228a861f2036cddf137a9f1dae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bdb64121d08c868a2cba6a9b6b3dbf2a

SHA1
1300a6034862da2f6ea5057b206bdb814b19325c

SHA256
5672c2b845926cf080430dbce95728b1fd00e7f18a54ba8d3a7975df223877c5

SHA512
4833b5117a9b9bc428dbf09d991a305068e54bfafa3e9b64e32363f0db4a2863f6c1f9eb2eadecd93a097f2649b89978405b4d4114139c897a5d5501e5a157c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f735c3a4089da7527a0788d6cf92809c

SHA1
667e5091820341344e1b30afdfd53640ada6d113

SHA256
d710561b387c4b0539db66e456caeffd25027ce042c76a4088884ce0685a6367

SHA512
0c8764b6cc0436a3a7550a69d05b5cf868fb642024436e4eea04d8eee5475a36a63ff4ec4c55b22889de7d1b9a2b397627abc754d9baf5ce42336b0a077f36b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
090933ac2b42a8bbd4a7cefbe075bedc

SHA1
c176ffe7bd1652f9ee5c7b994d4e78b88f98998e

SHA256
93246f208091bcbb40d66e867ec3f019d3bfb9124694c7a28671a4ee7f112472

SHA512
145914c8ecd18848425a76e2766c5699d4371a95520b21fd9aa677953dbf3931feac37cdad6da50c5c2e0d1176042a96fcec994157a37aea2effbef91bcfc080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
010176e3a1302fe2da04ae654ee33158

SHA1
ab978dd6de714c7256787cbeb27094531141d7ba

SHA256
0f7b4efd0d7aed0190a045bce3ff89ef8e29c7fe1eb5c298f60366d43783baa3

SHA512
ec0f4ccd5298d3669916ea23b197bf55fd7ca99756585fd2b79d1522cd9e5b7fc610ad0981874de41240fe46b1696e81d2182dbe86134da934ce71002e0717da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a3be2ecf77753d0cfdaae3939d4d8d07

SHA1
cb48d2b517597eea98e23cff1fedd11cd1122903

SHA256
6512574f44b9419721e62579a82be2e351b350359fb4dc7fd918687d6711a58d

SHA512
9caebe40c86a51bf454feaddd36c1c63fa29c2ce1705610bc450c9c88cc1031459b34bd0944f8ae4353a834e55d29c2ea26f02e56f863e3f4658b4174be09e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c36828f788120400d1170c6fbd7079f5

SHA1
76d3947b083a4b204d33a881a15fb3f1242c0b2d

SHA256
50320f8bf3fbe9323b3d1176fb49b62e7920db18fe58c005ea2b665453b2fa1a

SHA512
599836222baf8223c728128897340f02f3b0ab5ae82966726ad84d6b260e155d8278b488370e4755239ec3ce9a5c6999770da33797fe62b16be12efc401cd31c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
6e01ae66eb3795eb76935c9931c423d4

SHA1
3db4200cbed1b60c6d53b45706a20a7c33d4caa4

SHA256
7636cb7f9c73b46abde12ebe2e4851d6eae64644b141874ffa9adc2834f66158

SHA512
58ff4c68d738573c54157743d24ee6cc58ddadee25dce4e16267c8b52a7d5a32a6c1b99583348508a6bdcc3ff803e0d79939ec4fe102b7fc7ac72eac15a8444e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
304103aa59ea94d430d266b84ec32823

SHA1
2f14d1404a315ffe2fee680d8ad024df47e72c67

SHA256
d81a0bbcca622d2bd891de0fbf60e54327ae9cccd5cfad1878042d0ca3549030

SHA512
0d1055475a74264a60448d162adb236de57cf5ffa895f493cb63c4882a6d082e59826fbf9695a74c70320894941f2b3e72ebb6afea7d98e5dc66cf3c9e7007c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\467160\P

Filesize
488KB

MD5
45fa0d43c4ef5e24be6de431274b2be8

SHA1
3fa113ef420d4c16b76b5c9c80360c10d468f8ba

SHA256
576ac6ed125714b128c80492aebed3f6035760698e2310eca4bb5e41705c140f

SHA512
94241fc0b636d2ff41f461539cdf1937d7f78299e142fd2a5aeb609a73d7302ccafb244d5bb291b930a61a8b3083ab82f572602a56f73171568d053c4d86d31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\467160\Stanford.com

Filesize
1KB

MD5
17afe2783752ca69652dff3dc61aef0c

SHA1
e71fbe4914bf9ad1388633cf230374fd0110e5d2

SHA256
7d74cbf070573a377fddf5e5c0e036ac5dffe51e53507ce5e3b95a0e0fc9412e

SHA512
ef32511e4fb8d41fa68c29ddcf5e0b1d9b04370cacf5a863e12b8379f4754d5b954f077f0705069c9d5b3ff3e39f15972b80e0277b7e715154f9756e8e5e89f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\467160\Stanford.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Banners

Filesize
24KB

MD5
17116614df623047abaf6800dbf1dd2b

SHA1
b3578bf84825f873e5a63eb43b8549a476c64527

SHA256
479e66ca860c701c58c0cf145b965141cd9fa6e6f59b110519c0bec60b37e19a

SHA512
862fdbe6fdddf9c58ab940c13c5584d3cd7f51856f8ce5caf65f30fb953f2174ad397812226307a46a2dc55a50c4d42f2692d913785990f00310924007eea4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Benefit

Filesize
99KB

MD5
b48c5dd1de3817df83dd5bb19278174e

SHA1
a28f40e202730d9ec20619a2623521cc3a932d2c

SHA256
887e60ea343cedc48ecb8e7f86f3bc8e5d10f09988e09ebb5f422dfe141553b4

SHA512
6e11968600fb25127c5ef45403bcb44951a3f681ac8b11d96c0be9c46246cdd63ff854bc11af4fb969ff2b8a6694bd13f149aa62de641794c8366d436ab4cfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broke

Filesize
63KB

MD5
d6be95854a81b762f30a23fdbd7bbd96

SHA1
9296ea214ec4ddbabec61ad6405119fffaeb433b

SHA256
2e627def7291c00b26807c46415fc50d69ec263dcadda39d0de1dc4dee2461b5

SHA512
a69ee4eb44c088b2099d0c2310f8404aa223a9956e0d5ca530f76d0f57a4c043888e35aa9adf1375a233f84fffa9b850fda95af4b9736c2c1b3f866f21578259

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculation

Filesize
133KB

MD5
f006aec2e2b8a6850270599be28a952c

SHA1
549f986689d217449976d2993f2e986f1f7efd45

SHA256
41941c6e0651494c2057de7f480efe0e789e1b8db0acbbe1cce5faa084f2409c

SHA512
4190ac126e3fa95be72fb73b218c2c04b0151f7ea7b2337004a0f973fcae2765bccedf54ecd524a9c28bbfd18f8e6661475099b77c3f10bd31ff0d2134058677

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dominant

Filesize
55KB

MD5
d4aea529dc8fe22b70293aaf58d4a07f

SHA1
fb9ac540fce1dc302688d13bbd3bcfc9e54d1858

SHA256
438025f73a8ff374229106ae435f04fd44bcf0ed8bf9b70deb06207ef8bdb5dc

SHA512
bb51aef207254f82670342b7d3340c59538cffda6e5c194c01c1c8dc0ffaa25977cf6596d1d76a38edce035cc3d0a18326faaf9b6e7046e4d94c2f91b883e3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Flag

Filesize
85KB

MD5
2e97d7c609e08827fa36750736c37cf0

SHA1
b0c0453f3290eeb27c1ae71b1b38fcbc4405f164

SHA256
74365dc99cde4b4124c2b3d96959d82645c133ae2a501607ca64d3edc0f28d75

SHA512
302e0b7113b6c308b9028fe1780bbb2e9b356a008b4f11846a8b31cc05e8864ad91ffc9998fbdc05db4cb3eac6d7f5a7daa5deb76df6eaf39ab8ac7f9940aa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Franklin

Filesize
65KB

MD5
0c77a477ccf65d1712043498503fa685

SHA1
510e129cbac5d5eb65260a5fb350efc3e2b808bc

SHA256
ffdf4ebbf29d870f14b64980deb8e89581c48e36acd1a6489228601fe54f8186

SHA512
c52ee5ac0ce9803e197c7cd86c22799c586072d18818c42dbf6d4ef0cc518ec164a20744495ab885bfc165b7d1000741f2bc130d3634eae5f3a046683221baf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fully

Filesize
121KB

MD5
4a0d556839ae9b1d2d144db97dd0a347

SHA1
554630c5861fd10ca98bc752a552037f17832b44

SHA256
112c32cb3799d822007d626d145db727bc472137e9d6f9d1ec3d87734d1e6823

SHA512
af0a39503347204a30fc60c43a8dd6d8bf0d977c7317d9667e5fbff8ce440d0f2fdd0156f55e4143e18be38812bb7f562f91af6d454a448233db2613c81cf685

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hands

Filesize
90KB

MD5
1e9f8a74a7b9852d55ccd38de4f434fd

SHA1
43b11cf35f97c0bc58bceae4ac60671f069b6402

SHA256
500c143a9cffa03054f993ee3e2883ee260d58bbb923009836012b7114348f66

SHA512
ff6aa5cfe6083dd4a92650d052f0957ddbb8f849747aad2e7a0398ded14adfca0f3723742b791b10cd17222bb617bcf2280a5d444f691ec341b3f54342a22108

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lack

Filesize
1KB

MD5
a544ddfdb62466ea0b83bbca6befeffa

SHA1
9791aa3d0cc977a1cc4b4d08fe2e984382d99bf5

SHA256
c8d2c276e6044722f0c84102a86431382d38975321bf2322bd72b1d1af6a06d4

SHA512
39e037c34ad494b3349992db630cb8e7a8dbd5710681fb9d41c5fa5c42fa5f5cfead58b7dd723c82abae9133e4081f8f1e9f2be9a1cdfbc42b4349e616d598af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pressure

Filesize
92KB

MD5
c77ac6e96e9272e9bbe06ca603f31afc

SHA1
60ffb5eb58c5b32e96654a681546e29088387d80

SHA256
32c9a717f6e655a9e166a990286b0f2238db8f20d105db4e6ba913962e23e8a1

SHA512
16b1363dc5a591fe6157b1cc516419eaaaa01547dbcfdbef8cb69eecae9176f685d655fe52ee0a629be8ed87657cb5205fd6838f26d34441189ce3f84d0c84d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proceeds

Filesize
96KB

MD5
a443b0016f9b45ba23b0a43047b38cec

SHA1
ce65baf114481027a7a4f096b0c412f82adaabdd

SHA256
7484b8890b311bab54b34908f50221ff2f9a3b2b25a0188fbfd2c30de70ca184

SHA512
18005aa0b8e7084007d944734cfda9c06ba6427a76543301e6abf17eebb39bfa0b36d3f23d3e9c3f10f325fe7b2200f9d5053eaf702a8e293a4faeb08a2a8102

Download Submit
C:\Users\Admin\AppData\Local\Temp\Properly

Filesize
105KB

MD5
ab1e9d88999b0a303b1734054352f213

SHA1
7fd511ef475f3f53698fb18e47fbc5f2032e6920

SHA256
46930626575a010330036eabcf25061a3e329602107bf01c710e7e02f53117c9

SHA512
0b3d4f2e9430776bdeebaf626251ece7511640f3769533fe7bb65bc37f41aa3e41cd418a169ba35860a5abe78ec71a2331f6839c8dda60051e688d1e4ffa0249

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proposed

Filesize
114KB

MD5
97b767f7e1948ed79819fd47419b86c1

SHA1
00f324c6d0ac00ed0116e6620ecddb289b1ab05c

SHA256
221dfbe4660a7e8ce39d6a323485836131c4bc8cb8a5e83ba84c9afa249c85d5

SHA512
9eb38be1e2794558c0453fa280e72e43ea85d32fa1493a3edfdf42178a80426c4d57f365bfddf015438c3821e43bf8fb3d149006acdfd57cfd3f43bf2a756c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ring

Filesize
71KB

MD5
72125243bd619b087ea51f9a1418aea3

SHA1
e8b767be8043d25618754c74f56234ac3268a8b7

SHA256
23064adf745e31d9be46ba56f53067b31ad491af0b951dc8bb5083e584815a88

SHA512
f5cb0964b9982c846e7167753bca801860037badc303576538ad0a01ba82f9e5478b8239a3007581c860126b45097f47e9f48c715a05e0396b01fc580d509fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Samba

Filesize
60KB

MD5
f67e7e954a4412997b86ad42179a2adc

SHA1
7d3ef4aba61acd3a444d3fb37651c5a5bfb6bb25

SHA256
71f6e539c51dde054ff4f229a3b179f7aab243101d559c150a8332f2fe234c67

SHA512
f21e2f363447bd9f53ea186ca9132e68bc0d9fe0698578bbada7fe479f7871b552ba4b91e8576de1a6a24e8e52fa8bd41090cda23aa631462281e18115b2f784

Download Submit
C:\Users\Admin\AppData\Local\Temp\Singing

Filesize
477KB

MD5
8eadb7648d4a71dff2c393df522cbad9

SHA1
3a1b0cc70489580b1b3ac36f7bfd7528e40efe22

SHA256
5a610717297bd05a955faa145104813e58af89544e276fc0c12e89ee499ad459

SHA512
7ebd6644d0aeed01b97dba3e097dce7b8b2f17751030b4d629e17d740d1c364f57b6a4dc0d627c76187e89c7b6ec4fcda992a50871b2099b2d4a6c6a330d185b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stats

Filesize
88KB

MD5
af347c113e07789c929f1caab31751f8

SHA1
42ea2e9dffb548a4c289de92557a1bb98a13ff1c

SHA256
2fbbf9f36ea7a45404eab6955258f0eff108eb07269480a910fbab001c848f72

SHA512
5da49d81f45f556e850f578993252d4067c907ded7cf0ae6588a05109b9ee66dde45892937e148cdc7d6d260531311e414e8ac736aa4091c0ecc3368960d95d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Teaching

Filesize
74KB

MD5
1665bda2fd1c5332bbe6af9083078975

SHA1
9a5ce4b59ed25195f07397196147faf7328d739c

SHA256
af5535bd8446bf7a43461345818f677c93ef1980d02292b6e91fde1f16fe73a7

SHA512
be328b4aa09e2f850a4eaccc114e9adaebeca682b9d105d9dc5c8e130b3c82484a4c111d8f8ef4a77c96a171adc06475e602aafd2a20c8ba0b7ef97a1db29f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5108_1131469352\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5108_1131469352\db9a6262-fe3a-4e0d-8687-c5d5344fada8.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\KeyFile\1049\sharedmanagementobjects_keyfile.dll

Filesize
23KB

MD5
5e54cb9759d1a9416f51ac1e759bbccf

SHA1
1a033a7aae7c294967b1baba0b1e6673d4eeefc6

SHA256
f7e5cae32e2ec2c35346954bfb0b7352f9a697c08586e52494a71ef00e40d948

SHA512
32dcca4432ec0d2a8ad35fe555f201fef828b2f467a2b95417b42ff5b5149aee39d626d244bc295dca8a00cd81ef33a20f9e681dd47eb6ee47932d5d8dd2c664

Download Submit
memory/1088-1558-0x0000000004890000-0x00000000048E8000-memory.dmp

Filesize
352KB

Download
memory/1088-1557-0x0000000004890000-0x00000000048E8000-memory.dmp

Filesize
352KB

Download
memory/1088-1555-0x0000000004890000-0x00000000048E8000-memory.dmp

Filesize
352KB

Download
memory/1088-1559-0x0000000004890000-0x00000000048E8000-memory.dmp

Filesize
352KB

Download
memory/1088-1556-0x0000000004890000-0x00000000048E8000-memory.dmp

Filesize
352KB

Download