exelastealer | d018916535518e87158d763f5ccbf20e2c0e3d5ea0f482469751f35f46542931

Analysis

max time kernel
396s
max time network
403s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27/01/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Multiplayer AC Fix.exe
Size

38.2MB
MD5

28931075656fd1b8177124b7f995cdf8
SHA1

365ec5069a47acc352f55c13ca9802fd9533a088
SHA256

d018916535518e87158d763f5ccbf20e2c0e3d5ea0f482469751f35f46542931
SHA512

bed71d48520b5f83fabfa66873d14b24c323979bba8d7f4a9451edffff77dde43fc1194092b3bfa1fea966d2bf2e6c0f2b02eeb19a8fac422ea09718bd0f7b5d
SSDEEP

786432:wKYmajPKPKN6JBCIR4qM6/mXDrVHAp4hdrn1Q2SEcz5/2p2g:wDmiPK26J1v/mDpq4/rn1hSEQW

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Downloads MZ/PE file 1 IoCs

flow	pid	Process
399	1640	firefox.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3720	netsh.exe
1972	netsh.exe
3536	netsh.exe
5788	netsh.exe
6112	netsh.exe
5328	netsh.exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2552	powershell.exe
1152	cmd.exe
1308	powershell.exe
5892	cmd.exe
4044	powershell.exe
2796	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
896	Stub.exe
1832	Stub.exe
5956	vc_redist.x64.exe
676	vc_redist.x64.exe
6076	Stub.exe
5312	Stub.exe
2768	Stub.exe
6124	Stub.exe
4532	Stub.exe

Loads dropped DLL 64 IoCs

pid	Process
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
896	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
1832	Stub.exe
676	vc_redist.x64.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe
6076	Stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
568	discord.com
21	discord.com
23	discord.com
64	raw.githubusercontent.com
569	discord.com
582	discord.com
583	discord.com
40	discord.com
62	discord.com
63	raw.githubusercontent.com
72	discord.com
87	discord.com
91	discord.com
579	discord.com
20	discord.com
567	discord.com
584	raw.githubusercontent.com
590	discord.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	ip-api.com
566	ipinfo.io
28	ip-api.com
86	ipinfo.io
85	ipinfo.io
565	ipinfo.io
577	ip-api.com
18	ipinfo.io
19	ipinfo.io

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2552	ARP.EXE
1620	cmd.exe
5520	ARP.EXE
4600	cmd.exe
3052	ARP.EXE
1720	cmd.exe

Enumerates processes with tasklist 1 TTPs 15 IoCs

discovery

Process Discovery

T1057

pid	Process
3552	tasklist.exe
5864	tasklist.exe
2912	tasklist.exe
1716	tasklist.exe
4136	tasklist.exe
2216	tasklist.exe
2280	tasklist.exe
4068	tasklist.exe
1312	tasklist.exe
5640	tasklist.exe
4452	tasklist.exe
5572	tasklist.exe
2888	tasklist.exe
4932	tasklist.exe
4992	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1544	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5776	sc.exe
1560	sc.exe
5056	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\vc_redist.x64.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0026000000046260-76.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x64.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1920	cmd.exe
2992	netsh.exe
4920	cmd.exe
1800	netsh.exe
2548	cmd.exe
1716	netsh.exe

System Network Connections Discovery 1 TTPs 3 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4684	NETSTAT.EXE
4832	NETSTAT.EXE
5760	NETSTAT.EXE

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2572	WMIC.exe
5352	WMIC.exe
4232	WMIC.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
396	WMIC.exe
2576	WMIC.exe
1944	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4832	NETSTAT.EXE
2364	ipconfig.exe
5576	ipconfig.exe
5760	NETSTAT.EXE
1472	ipconfig.exe
4684	NETSTAT.EXE

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3216	systeminfo.exe
2768	systeminfo.exe
2064	systeminfo.exe

Kills process with taskkill 25 IoCs

defense_evasion

pid	Process
5096	taskkill.exe
5592	taskkill.exe
4136	taskkill.exe
3956	taskkill.exe
4292	taskkill.exe
5336	taskkill.exe
252	taskkill.exe
5692	taskkill.exe
4908	taskkill.exe
1456	taskkill.exe
1168	taskkill.exe
5176	taskkill.exe
5412	taskkill.exe
5604	taskkill.exe
2740	taskkill.exe
5240	taskkill.exe
1540	taskkill.exe
3736	taskkill.exe
5896	taskkill.exe
5256	taskkill.exe
5488	taskkill.exe
3032	taskkill.exe
5644	taskkill.exe
2024	taskkill.exe
68	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133824261696929512"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\api-ms-win-crt-runtime-l1-1-0.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\vc_redist.x64.exe:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3752	WMIC.exe
3752	WMIC.exe
3752	WMIC.exe
3752	WMIC.exe
396	WMIC.exe
396	WMIC.exe
396	WMIC.exe
396	WMIC.exe
5024	WMIC.exe
5024	WMIC.exe
5024	WMIC.exe
5024	WMIC.exe
4816	WMIC.exe
4816	WMIC.exe
4816	WMIC.exe
4816	WMIC.exe
1308	powershell.exe
1308	powershell.exe
2572	WMIC.exe
2572	WMIC.exe
2572	WMIC.exe
2572	WMIC.exe
3140	WMIC.exe
3140	WMIC.exe
3140	WMIC.exe
3140	WMIC.exe
4988	WMIC.exe
4988	WMIC.exe
4988	WMIC.exe
4988	WMIC.exe
652	WMIC.exe
652	WMIC.exe
652	WMIC.exe
652	WMIC.exe
828	WMIC.exe
828	WMIC.exe
828	WMIC.exe
828	WMIC.exe
2576	WMIC.exe
2576	WMIC.exe
2576	WMIC.exe
2576	WMIC.exe
4948	WMIC.exe
4948	WMIC.exe
4948	WMIC.exe
4948	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
3736	WMIC.exe
4044	powershell.exe
4044	powershell.exe
4044	powershell.exe
2276	chrome.exe
2276	chrome.exe
5352	WMIC.exe
5352	WMIC.exe
5352	WMIC.exe
5352	WMIC.exe
5556	WMIC.exe
5556	WMIC.exe
5556	WMIC.exe
5556	WMIC.exe
228	WMIC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3752	WMIC.exe
Token: SeSecurityPrivilege	3752	WMIC.exe
Token: SeTakeOwnershipPrivilege	3752	WMIC.exe
Token: SeLoadDriverPrivilege	3752	WMIC.exe
Token: SeSystemProfilePrivilege	3752	WMIC.exe
Token: SeSystemtimePrivilege	3752	WMIC.exe
Token: SeProfSingleProcessPrivilege	3752	WMIC.exe
Token: SeIncBasePriorityPrivilege	3752	WMIC.exe
Token: SeCreatePagefilePrivilege	3752	WMIC.exe
Token: SeBackupPrivilege	3752	WMIC.exe
Token: SeRestorePrivilege	3752	WMIC.exe
Token: SeShutdownPrivilege	3752	WMIC.exe
Token: SeDebugPrivilege	3752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3752	WMIC.exe
Token: SeRemoteShutdownPrivilege	3752	WMIC.exe
Token: SeUndockPrivilege	3752	WMIC.exe
Token: SeManageVolumePrivilege	3752	WMIC.exe
Token: 33	3752	WMIC.exe
Token: 34	3752	WMIC.exe
Token: 35	3752	WMIC.exe
Token: 36	3752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	396	WMIC.exe
Token: SeSecurityPrivilege	396	WMIC.exe
Token: SeTakeOwnershipPrivilege	396	WMIC.exe
Token: SeLoadDriverPrivilege	396	WMIC.exe
Token: SeSystemProfilePrivilege	396	WMIC.exe
Token: SeSystemtimePrivilege	396	WMIC.exe
Token: SeProfSingleProcessPrivilege	396	WMIC.exe
Token: SeIncBasePriorityPrivilege	396	WMIC.exe
Token: SeCreatePagefilePrivilege	396	WMIC.exe
Token: SeBackupPrivilege	396	WMIC.exe
Token: SeRestorePrivilege	396	WMIC.exe
Token: SeShutdownPrivilege	396	WMIC.exe
Token: SeDebugPrivilege	396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	396	WMIC.exe
Token: SeRemoteShutdownPrivilege	396	WMIC.exe
Token: SeUndockPrivilege	396	WMIC.exe
Token: SeManageVolumePrivilege	396	WMIC.exe
Token: 33	396	WMIC.exe
Token: 34	396	WMIC.exe
Token: 35	396	WMIC.exe
Token: 36	396	WMIC.exe
Token: SeDebugPrivilege	1716	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3752	WMIC.exe
Token: SeSecurityPrivilege	3752	WMIC.exe
Token: SeTakeOwnershipPrivilege	3752	WMIC.exe
Token: SeLoadDriverPrivilege	3752	WMIC.exe
Token: SeSystemProfilePrivilege	3752	WMIC.exe
Token: SeSystemtimePrivilege	3752	WMIC.exe
Token: SeProfSingleProcessPrivilege	3752	WMIC.exe
Token: SeIncBasePriorityPrivilege	3752	WMIC.exe
Token: SeCreatePagefilePrivilege	3752	WMIC.exe
Token: SeBackupPrivilege	3752	WMIC.exe
Token: SeRestorePrivilege	3752	WMIC.exe
Token: SeShutdownPrivilege	3752	WMIC.exe
Token: SeDebugPrivilege	3752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3752	WMIC.exe
Token: SeRemoteShutdownPrivilege	3752	WMIC.exe
Token: SeUndockPrivilege	3752	WMIC.exe
Token: SeManageVolumePrivilege	3752	WMIC.exe
Token: 33	3752	WMIC.exe
Token: 34	3752	WMIC.exe
Token: 35	3752	WMIC.exe
Token: 36	3752	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2364	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe
1640	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 896	4456	Multiplayer AC Fix.exe	82
PID 4456 wrote to memory of 896	4456	Multiplayer AC Fix.exe	82
PID 896 wrote to memory of 4244	896	Stub.exe	87
PID 896 wrote to memory of 4244	896	Stub.exe	87
PID 896 wrote to memory of 2904	896	Stub.exe	89
PID 896 wrote to memory of 2904	896	Stub.exe	89
PID 896 wrote to memory of 2920	896	Stub.exe	90
PID 896 wrote to memory of 2920	896	Stub.exe	90
PID 896 wrote to memory of 4284	896	Stub.exe	91
PID 896 wrote to memory of 4284	896	Stub.exe	91
PID 896 wrote to memory of 5068	896	Stub.exe	92
PID 896 wrote to memory of 5068	896	Stub.exe	92
PID 2920 wrote to memory of 3752	2920	cmd.exe	97
PID 2920 wrote to memory of 3752	2920	cmd.exe	97
PID 2904 wrote to memory of 396	2904	cmd.exe	98
PID 2904 wrote to memory of 396	2904	cmd.exe	98
PID 5068 wrote to memory of 1716	5068	cmd.exe	99
PID 5068 wrote to memory of 1716	5068	cmd.exe	99
PID 896 wrote to memory of 4492	896	Stub.exe	100
PID 896 wrote to memory of 4492	896	Stub.exe	100
PID 4492 wrote to memory of 5024	4492	cmd.exe	102
PID 4492 wrote to memory of 5024	4492	cmd.exe	102
PID 896 wrote to memory of 1588	896	Stub.exe	103
PID 896 wrote to memory of 1588	896	Stub.exe	103
PID 896 wrote to memory of 460	896	Stub.exe	104
PID 896 wrote to memory of 460	896	Stub.exe	104
PID 1588 wrote to memory of 4816	1588	cmd.exe	107
PID 1588 wrote to memory of 4816	1588	cmd.exe	107
PID 460 wrote to memory of 2888	460	cmd.exe	108
PID 460 wrote to memory of 2888	460	cmd.exe	108
PID 896 wrote to memory of 1544	896	Stub.exe	109
PID 896 wrote to memory of 1544	896	Stub.exe	109
PID 1544 wrote to memory of 680	1544	cmd.exe	111
PID 1544 wrote to memory of 680	1544	cmd.exe	111
PID 896 wrote to memory of 4312	896	Stub.exe	112
PID 896 wrote to memory of 4312	896	Stub.exe	112
PID 896 wrote to memory of 5048	896	Stub.exe	113
PID 896 wrote to memory of 5048	896	Stub.exe	113
PID 5048 wrote to memory of 4452	5048	cmd.exe	116
PID 5048 wrote to memory of 4452	5048	cmd.exe	116
PID 4312 wrote to memory of 1320	4312	cmd.exe	117
PID 4312 wrote to memory of 1320	4312	cmd.exe	117
PID 896 wrote to memory of 740	896	Stub.exe	118
PID 896 wrote to memory of 740	896	Stub.exe	118
PID 896 wrote to memory of 556	896	Stub.exe	119
PID 896 wrote to memory of 556	896	Stub.exe	119
PID 896 wrote to memory of 2556	896	Stub.exe	120
PID 896 wrote to memory of 2556	896	Stub.exe	120
PID 896 wrote to memory of 1152	896	Stub.exe	122
PID 896 wrote to memory of 1152	896	Stub.exe	122
PID 740 wrote to memory of 4592	740	cmd.exe	127
PID 740 wrote to memory of 4592	740	cmd.exe	127
PID 4592 wrote to memory of 2028	4592	cmd.exe	128
PID 4592 wrote to memory of 2028	4592	cmd.exe	128
PID 556 wrote to memory of 2768	556	cmd.exe	129
PID 556 wrote to memory of 2768	556	cmd.exe	129
PID 1152 wrote to memory of 1308	1152	cmd.exe	130
PID 2556 wrote to memory of 4068	2556	cmd.exe	131
PID 1152 wrote to memory of 1308	1152	cmd.exe	130
PID 2556 wrote to memory of 4068	2556	cmd.exe	131
PID 2768 wrote to memory of 4024	2768	cmd.exe	132
PID 2768 wrote to memory of 4024	2768	cmd.exe	132
PID 896 wrote to memory of 1720	896	Stub.exe	133
PID 896 wrote to memory of 1720	896	Stub.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
680	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
      4⤵
      Views/modifies file attributes
      PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1720
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3216
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:2572
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4696
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2440
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2920
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2276
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2928
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1716
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1192
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1180
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3140
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1312
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2364
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1464
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2552
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4832
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5056
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1972
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1920
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:652

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
PID:5016
- C:\Users\Admin\AppData\Local\Temp\onefile_5016_133824261562860572\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:4592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5080
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:2452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3124
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:4512
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2768
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2364"
    3⤵
    PID:1540
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2364
      4⤵
      Kills process with taskkill
      PID:5176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1248"
    3⤵
    PID:5208
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1248
      4⤵
      Kills process with taskkill
      PID:5256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1436"
    3⤵
    PID:5288
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1436
      4⤵
      Kills process with taskkill
      PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3860"
    3⤵
    PID:5368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3860
      4⤵
      Kills process with taskkill
      PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4244"
    3⤵
    PID:5444
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4244
      4⤵
      Kills process with taskkill
      PID:5488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5548"
    3⤵
    PID:5536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5548
      4⤵
      Kills process with taskkill
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5864
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4424
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5872
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4452
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5884
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4920
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1620
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2768
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:5216
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:5352
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:5336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:5288
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:5308
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:5436
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:5420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:5412
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5440
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:5376
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:5492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:5484
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:5476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:5464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5556
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:5572
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:5576
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:5704
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5520
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:5760
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5776
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5788
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4412

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:480
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f06df1-f06d-4556-9581-7a5c76c29ef5} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" gpu
    3⤵
    PID:1248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 27015 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82c69960-ee50-49bd-a0a4-132aec300798} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" socket
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3064 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f9a7d13-af0a-4020-98c9-2153a83ed76c} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3364 -childID 2 -isForBrowser -prefsHandle 3376 -prefMapHandle 3392 -prefsLen 32389 -prefMapSize 244658 -jsInitHandle 1116 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f7b100-5805-4797-a39b-c4ebd8b2ee1a} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" tab
    3⤵
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4984 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2704 -prefMapHandle 2700 -prefsLen 32389 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9f8d321-4a8a-43f5-916d-3b51eed4d19e} 2364 "\\.\pipe\gecko-crash-server-pipe.2364" utility
    3⤵
    - Checks processor information in registry
    PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff92192cc40,0x7ff92192cc4c,0x7ff92192cc58
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2072,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:5612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=1780 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4960,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=504,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4896,i,3938640335836884298,6565510071771231392,262144 --variations-seed-version=20250112-180253.846000 --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:5164

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6124
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1872 -prefsLen 26979 -prefMapSize 244710 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3ef2df9-7d05-45c0-92bc-5a452c94a986} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" gpu
    3⤵
    PID:1604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2372 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2348 -prefsLen 27015 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d533d783-ab53-4d2c-8ebe-802bcae0522d} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" socket
    3⤵
    PID:6000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 2964 -prefMapHandle 3332 -prefsLen 27156 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad7e2f05-22da-43f7-8812-92fc371c2d31} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:4788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4064 -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 32389 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec25861a-6a86-4675-89b4-ba950f9f326b} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:5412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4488 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 32554 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cb25380-cf07-4c08-b168-a1d94a9ab0a5} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" utility
    3⤵
    - Checks processor information in registry
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5056 -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5028 -prefsLen 27097 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bfd9ed4-5f7c-4fdd-9461-b1e5c86f6649} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:2108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5240 -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5188 -prefsLen 27097 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e57cd4c7-cacf-4ac3-b9ae-3993f83afcbb} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:2340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27097 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c614410-f159-4ea7-9956-f7c7c296f70f} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 6 -isForBrowser -prefsHandle 5936 -prefMapHandle 5904 -prefsLen 27257 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {184edaeb-7ad8-4fed-b111-488325e9018b} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4500 -childID 7 -isForBrowser -prefsHandle 4052 -prefMapHandle 4944 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2407144e-e96a-4c37-94a2-a1aa08a63774} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 8 -isForBrowser -prefsHandle 5632 -prefMapHandle 4548 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c23a7453-89b8-4593-a771-248924393cfb} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 9 -isForBrowser -prefsHandle 6396 -prefMapHandle 6392 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4be4882c-b1d8-46e4-a4c6-1c4a35cf42da} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:8
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6028 -childID 10 -isForBrowser -prefsHandle 6004 -prefMapHandle 3008 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52e00a09-90de-4182-87e0-5c497aa4dba1} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:2244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6548 -childID 11 -isForBrowser -prefsHandle 5244 -prefMapHandle 6612 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbb0959a-bb3d-4b91-b24a-1ec18113eaff} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:1084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 12 -isForBrowser -prefsHandle 6028 -prefMapHandle 3020 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20fa1294-8a59-4d26-80a9-0ea7cd84226f} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -childID 13 -isForBrowser -prefsHandle 6552 -prefMapHandle 3004 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {783f56a9-c297-4be6-8f11-55dffa10b550} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:6036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6676 -childID 14 -isForBrowser -prefsHandle 4676 -prefMapHandle 4200 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7940ff56-9f47-49f1-ab5a-e9af5b96543a} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4452 -childID 15 -isForBrowser -prefsHandle 5336 -prefMapHandle 4340 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee28c9bd-18da-46ac-ae65-c54789f0d791} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:2524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 16 -isForBrowser -prefsHandle 6112 -prefMapHandle 6572 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82983717-b1bb-4d6d-bf36-8054345b1ccc} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 17 -isForBrowser -prefsHandle 6560 -prefMapHandle 5632 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79e1b346-fa38-4fa7-93de-12a7de116f72} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6116 -childID 18 -isForBrowser -prefsHandle 5492 -prefMapHandle 4372 -prefsLen 28044 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0c3cc27-656e-44fb-ba8d-72f34b8fbf62} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:5124
- - C:\Users\Admin\Downloads\vc_redist.x64.exe
    "C:\Users\Admin\Downloads\vc_redist.x64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5956
  - - C:\Users\Admin\Downloads\vc_redist.x64.exe
      "C:\Users\Admin\Downloads\vc_redist.x64.exe" -burn.unelevated BurnPipe.{01A5A11D-53D9-4223-88F3-7596463D2196} {4768F8D3-FDE6-4897-A8F6-16BC58E11480} 5956
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 19 -isForBrowser -prefsHandle 3712 -prefMapHandle 5356 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {098c6a91-8b73-4e94-8f4f-cbfee7d27fd7} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 20 -isForBrowser -prefsHandle 6672 -prefMapHandle 3712 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6a67d8f-1612-4501-aa43-4464fee3cfec} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7844 -childID 21 -isForBrowser -prefsHandle 8008 -prefMapHandle 6708 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaf81958-7707-4409-8cfe-f8659b218f4c} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:1760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7800 -childID 22 -isForBrowser -prefsHandle 7820 -prefMapHandle 7812 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af5d4c50-aed2-4ba0-bcd6-f547d67efd4d} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7836 -childID 23 -isForBrowser -prefsHandle 8292 -prefMapHandle 8456 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04c36b09-c778-42e7-893c-942e360af5e4} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:6076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8544 -childID 24 -isForBrowser -prefsHandle 8596 -prefMapHandle 8600 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d24bed74-8c29-42a3-b97c-f7c4c94db8e4} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:3840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6008 -childID 25 -isForBrowser -prefsHandle 4328 -prefMapHandle 6188 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7c34627-b7d5-4f56-8c7a-74b62add7b3a} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:4800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7972 -childID 26 -isForBrowser -prefsHandle 7996 -prefMapHandle 5536 -prefsLen 28084 -prefMapSize 244710 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc0fe1cb-c892-4b25-8435-a9694e504545} 1640 "\\.\pipe\gecko-crash-server-pipe.1640" tab
    3⤵
    PID:4260

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
PID:1972
- C:\Users\Admin\AppData\Local\Temp\onefile_1972_133824263780465070\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:2628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3620
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:4016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4944
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:5924
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3232
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2276"
    3⤵
    PID:5628
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2276
      4⤵
      Kills process with taskkill
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3080"
    3⤵
    PID:2712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3080
      4⤵
      Kills process with taskkill
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3036"
    3⤵
    PID:540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3036
      4⤵
      Kills process with taskkill
      PID:252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5612"
    3⤵
    PID:5360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5144
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5612
      4⤵
      Kills process with taskkill
      PID:5644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3752"
    3⤵
    PID:2408
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3752
      4⤵
      Kills process with taskkill
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3588"
    3⤵
    PID:4424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3588
      4⤵
      Kills process with taskkill
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5324"
    3⤵
    PID:1432
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5324
      4⤵
      Kills process with taskkill
      PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1640"
    3⤵
    PID:5824
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1640
      4⤵
      Kills process with taskkill
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1604"
    3⤵
    PID:2280
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1604
      4⤵
      Kills process with taskkill
      PID:5592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 6000"
    3⤵
    PID:5080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 6000
      4⤵
      Kills process with taskkill
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4788"
    3⤵
    PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4788
      4⤵
      Kills process with taskkill
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5412"
    3⤵
    PID:5804
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5412
      4⤵
      Kills process with taskkill
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2480"
    3⤵
    PID:1312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2480
      4⤵
      Kills process with taskkill
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2108"
    3⤵
    PID:5228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2108
      4⤵
      Kills process with taskkill
      PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4940"
    3⤵
    PID:5368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4940
      4⤵
      Kills process with taskkill
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1832"
    3⤵
    PID:4732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1832
      4⤵
      Kills process with taskkill
      PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3840"
    3⤵
    PID:4244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3840
      4⤵
      Kills process with taskkill
      PID:68
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4800"
    3⤵
    PID:4620
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4800
      4⤵
      Kills process with taskkill
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4260"
    3⤵
    PID:6112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4260
      4⤵
      Kills process with taskkill
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5920
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:6092
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5192
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4536
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2548
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4600
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2064
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4232
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:8
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3836
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3172
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1228
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3120
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2576
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:6116
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2892
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1904
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:5084
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1780
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2912
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1472
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:928
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3052
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4684
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1560
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5328
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:884
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5728

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4948

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
PID:5276
- C:\Users\Admin\AppData\Local\Temp\onefile_5276_133824264281940376\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  PID:5312

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
PID:5332
- C:\Users\Admin\AppData\Local\Temp\onefile_5332_133824264421159229\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  PID:2768

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\onefile_1432_133824264456784157\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  PID:6124

C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe
"C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
1⤵
PID:2992
- C:\Users\Admin\AppData\Local\Temp\onefile_2992_133824264474596736\Stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Multiplayer AC Fix.exe"
  2⤵
  - Executes dropped EXE
  PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6f3c1c122dafb2206ccf11dcadc71b92

SHA1
f5a2e6a63da8c590f0fa09ba90ce82f622404e40

SHA256
08ae924ee3c0a84bd455e274bac3c50ecd5495a7473f176a6a3836ab695de3f6

SHA512
5cdbc7d4d816b90b8526f07c480be6dbce734dd4f5db35498e66787ae57a0d0040e53c488cbf4e73857a883316023afc593a969a4bdd27327adc342ff96ef133

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
11cb4cfaa0ce70bad33d1b8b35ad2b79

SHA1
0ae8d10b3d41ac36579640c9be5d9b5608911759

SHA256
96a766f5b520a9a7af71b0cb0a5007d15a09ff95af5aea4855310781d67b4d53

SHA512
c5468a590b8be1b3ee7f64788cebccb7f4b977967e61d3277bd74f30b446ad9511720281a7a5a8b62c0a7789f7844c8813fc8cb99ffbc05d4f7678c7dee5564d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
63dccaa4cb124573f69454cd186a3bf8

SHA1
feb762bfae3d76294f4afffb070f23fd764ef29d

SHA256
823366b5ae68edf78537802b63b4ce4e38f2ecd3f5b451b557b170202171d82d

SHA512
306b262d05c3dde37bccd4a4a6540b6a32a0f804c521c7115dcf2cb0bc96a35af238bf20ababff27e07afa6e28c0bb67ea4a778368fb8bf193b79a229c2149f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
17594455aa4251bec6141a2c24c649e0

SHA1
6df8f421ad99edf53fad8dea06c0788e2dcff2fe

SHA256
4279e0a2cb122c7cfe7d834fa0e09f1edfddae225326450ba31f7d6d7e15bda1

SHA512
b391c5bf2fb96e59759c4fe703958e99dcf8c9f2b1a408e6ae2ef35774bc251463b0ef4fac41f0ca1b712e402d360f5993e502419b392722f0c2d79eabf7092b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7f2b08eb8d24dd6258c4d05f8ace51bb

SHA1
fd009f35baa51822234f0071b0796a6625137065

SHA256
6a941de217c94fb130694da3b39fb31ea82a29b91665601c73f56e687ec5a65e

SHA512
7e3fc06b14237e559b1123ffc41d247160cf19f5239e14a6191bfed688104c6bb74801a14e9321ca6501ebfa187eefb2e695ec1d6c155e5132c260ce9ee65134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1154cda229f09652fdb703795b69991f

SHA1
dc4ad89c2f43a73b8744d46f8341d6fd6fb80323

SHA256
36c948bfa686a6b6ab3c7e299988668f518f1b5304c9adb8701d865de7fbd90b

SHA512
6691e17b6066a95fdc06408b15a4d84602d847653f1f9c3ab2996ddbd6274520380481b49633d7ccecd37fd069865dbd31281d7726457e99ccb199eac96650c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b077a33235a8c5bde3b0a180ba778f64

SHA1
b954a990f8517b3bd9a34bc50c2001fee02cd24d

SHA256
a77f98301cdec3a904340244bebae63730a7c0d2e58532c5f34ad9a53a35f4f4

SHA512
1c2ad344498e6ad3ea846c7a2dc5622d1fd42b4bff6c1aa18f7dcbbc0a3090ec7f7d00ad64ba585f393bc230f38025294151e98c4dd7043edd078afe9a6a7855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
21c36ba21a1da631078c2869285a8176

SHA1
d995dc7875aafed43479081981cb274a1b52155e

SHA256
3ea7a959076add4796bc25d807fc2f7f94883b85ec1d103cf0e77d86b350e20b

SHA512
15fdbb527a4cec26cb7683640ca5461421d45e2eb7dc997a9dfcb332e607cda56ace9ac49bd84e68f2aab30dc48ed82d85a47d1d2f56e8cbcf7e9e74039dfed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
83f2924a93eb714fe5a6706f887798b8

SHA1
84c987233d5d7282e0f344341eceb7eb8faf2c87

SHA256
e9dac3c869881f32faced552055eb440d326e584eefe955d317c1199ee8f9ebb

SHA512
0005769a6e312a715d024b95a45eb75bc5fb567b4a319ca170a81e98c05604a61e27c714a4bdba222f37250a6b5146ff93b3227545de181c253bf598fabf19d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c41f042407659ec8b5542f6de3a25a0b

SHA1
c82541a2b6dc6c8a7603b9492cdbc8b90d458aa2

SHA256
44d64ee97d5060662dca6ff7adb683bda659a80e88d229c61a874f54cb27469f

SHA512
c15f1f586c5d2f4281048bbfbc5f9f5fb35481d7e85f1aa1e75218ce8e07d9ae45794cca2524fdca1b358224d69790236b08afad8a82b7e34a78315653843536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46e19386f7c980195dae6c51365afb5c

SHA1
ff807f96a85de5430a18127e3066c8d931965e32

SHA256
2355ef54028b2c811ff50624d3ce6014cc28332579f3cdbf45f2eeb56c9d10b5

SHA512
1a6cda07e0bd2029d9207910662ae4fbc55a30969e2b62fb71b2f2db49f0ff8137464ba0c2b1e6e4e46e9fdbf045cb009cdae833904c804362132b466d6f933c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36579f1b142481ae1f61dd705f5139a2

SHA1
182e4f495380c91a6f2d91af06c0ae2a3d4a623b

SHA256
5950b62df31f2931ae0a3c2d6e252465d23eb4de2fb46170cf845dafbc3242f8

SHA512
06026fbc3618c08b3e540d8681dac9c765489c59bd0b2a096369a3b013fa3797ab63897bc208a8a85bf0d6183a8aa30344a5ce06e35e48b4cd9a6f621fc89272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49551b876e9c04e411a9532958c571eb

SHA1
a212b6ca4d3e26ad6ab972f2efab0a648ba0fe92

SHA256
f09763266aed3bfd9e769c387f54b08034f09f08b88c894fbf89d4f2ce218404

SHA512
927c9f55aa014584376c71aad464838b7a6669a9e81230b20f6e5147c12a63b31c7d1d078c0f14d7781f2c0a3b9460ee97689597908943b8c1f462e5969be3da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29caa6491f1811c2a6bfc907c831de8c

SHA1
e362730ae44da49c144a4dd0aa9f441b81301c1e

SHA256
a76708a9bf3945e8171c87e7f9e545892416b755cfbb7e4dfd4dcca0caa43e0b

SHA512
b3f7e0112ec6e3377e4e875b77adc956c492f621a792ab5c53b8445184d28909e8d2ee64c77d3b3f98391506abd56154447f913666fffb82292ec59c292f3ab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d8033e2da1b53a975efbbd89910f62d

SHA1
0a6378abbf8ba77e8a3ea138f289afa224eb4bfe

SHA256
afc31e9f4c9a5cd5038d5b677a845ad591534fe882cea9b2480c823b8f62d6dd

SHA512
79b284b0b47e39bcd673f488e948505524c38d6f0049333dd508116eabe6583ee22e6902276471eac80f4335ab5d96d0baec1ff186803c6bfdeacb133008c5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a383da5e434932919768d85d9ef79e8

SHA1
190b7ba9044266725b28f2b9807f0bf98ec0622d

SHA256
90300e20b2550741c2da27c55551feb5c3e6052f67734f7d85825425da315be9

SHA512
b341a22f4ccb1d9bc7e8de3c1c395beb688e286036c32a448020f9d3a996c4b598b04fcea46e64081f1f00b79cd9617c6a69fd81a6c84e65f6bcbd571cfe87c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe6f5d1673484038fea827c1704ea82d

SHA1
acee7ee07626a00ce630e74d75e8a8b1741b4895

SHA256
c7c6fbbb3f0ce691fc68f11ff3c80dd3c3ba8c05189f68d143ccc4d7cbd6c8ae

SHA512
ee77c1b8502d5a7b06a557161c34379008116e0075418439d80715be683c125e685d8515dddc029782932f2d270b51d6d8151246af83b869cb6b5fa047535b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47131b0993fc1b2bec1d906670956d93

SHA1
741eeb96b4f4693cb34c2b35e2ca69af4bb9b813

SHA256
706969d28a9d1431a0f638c583b9b9b1ab3f9200bd231bebec2b897237688112

SHA512
5b78734d79856baacd24e955e2519f6ba36e92dca3d20fefb7900b007d42af22f7cb1f760b346fad45066cd69b023afc9a4a341adc27392373c26cc522a21424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9845e0441b208fffa50d9fb24951dd9e

SHA1
69d0257aca889a45888ece14c86f63024b8d4707

SHA256
db053939e7d440e8bcf73c6a37c1d852083337b1a0c0d3e389f8a8cac4b3864a

SHA512
b104c4a182305cdaab5591852870a8ca83eaea49bfaf5bb9acb931c39f05fc291126afd7a640b14923457c696fb085fb274e4609d49516a10701ca702025059a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1bca8d88d0b12aed1ab2e6f17e22434

SHA1
adeaa48154dda20de93ffa2e452d179588d18f47

SHA256
62fe68c702ac864e155277b270216bf21f529f9c88f426acd70d10a3b2bb112f

SHA512
8c34f2dd34ba1fae3da1c14b914c8930204e7530214ad8ae8a87bc3ddc08bacce49337304a159aa982df9130a1bd1fe428834094aedc957e37340371877794bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a6046d35bc3200f85f54493ce75b9138

SHA1
b1e2f6596ad4f7bf3336b4e2327ce4b01af0258c

SHA256
d0b93bb68f2117362b630a6d207c687c311a5072068efa6f09dbf3f7d52e968f

SHA512
c0c8157ec7607f3607689cf2cd2bbfdbed20f1fb51c386ff148b95f6d34ab8e98333476df5f62da1ce363cb0d1aac08983df2e84c80b5e7e7c34566f7127dae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
e582d6da757438eb334950f332330749

SHA1
945ccfd2c35b8532983c3c3925c79813605eed25

SHA256
03cb6ed9df821a4291be81f50d1b9776c22ca5e2e49596960ea4350cfb41a048

SHA512
141bddec495772d446d94e1c4a53218251e2029e7249b1c577444c56dcb1b458c18481b5308c093b4f6ba66d388f27c5b01a9c950c9016f1dbab824fe13fca5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
a17f967ae2c2442e29f8cfbf73bdd8e5

SHA1
6f0ad22fa7546e742ea5ddfbc8b7e74d1fcd1c34

SHA256
a7158ef316beff74f02cbd1f256c43df0d6fde4fc7c2dbcba369540bb2b56fec

SHA512
a873dfc17cac216ccd5c7745ca5c775c395cce08efa5b029d713ce12948bf1bbda509a10c310743bb2647a7fd60d5c4f916e5a1cc9eaae297a9023b4928c4407

Download Submit
C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe

Filesize
38.2MB

MD5
28931075656fd1b8177124b7f995cdf8

SHA1
365ec5069a47acc352f55c13ca9802fd9533a088

SHA256
d018916535518e87158d763f5ccbf20e2c0e3d5ea0f482469751f35f46542931

SHA512
bed71d48520b5f83fabfa66873d14b24c323979bba8d7f4a9451edffff77dde43fc1194092b3bfa1fea966d2bf2e6c0f2b02eeb19a8fac422ea09718bd0f7b5d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
c99effef47f3fca632ad9389ab99d4b1

SHA1
f2330066dd771dc2d19aa1a229b17164c56f6366

SHA256
c969858e7a9994bc2704425700236cca8f9ab1d7de370878fd9933f2b09f049c

SHA512
89ac1620e389ed242dab041fdf4e5d2f92fe55774bfacc92d975bac93000051c2f7354cf0e7b40b2bf0614ecee1c76f7386830db4d448451750a4f4eb91a3672

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\0A644F36C60D19ED9660A7A8D02FD325E5DBC4E6

Filesize
49KB

MD5
fa3ab221631d83353a33e5d3caee1c87

SHA1
82629a1336c6e73f49c00ac642d00242db12cbe4

SHA256
0b43a0e5ae44c2b4be79a5677fcb8e72b365f0df70fae61f8fbb4ebdc9c03706

SHA512
44c8e6cfca28b3bf2d2a2ca22ae83cf7e8be93bf727fe1f6e86f491ab70f9b4807b3f7c623fb159c06c1353e0f6f7a920eff0cbe796a280d5e8718c1696068ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\0E37458B8333B9B7262C1E9A576663B4BF32965E

Filesize
29KB

MD5
8e89741d1d7fe34b64d24c4af7a3d2de

SHA1
52e6f839e17834491844fb9246174d654062b373

SHA256
9ed217dd25979e2fa9b6b05c3da70f999dae49dbbea104a228d8e751a939cf4b

SHA512
45f33453bf833a22a606e3052b0d01275259fffd29359488b54d2dc07b2c64216eced7fe1a9675ecc38b857c09649d8889ec2b7c85a110dd20c2690d6634694e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\222FC51C8A008BB24BF96258A9EADD7DE0C310EC

Filesize
23KB

MD5
8cc23908e5e87846b5f553947729d8c6

SHA1
bc6a30eca92d47235a7c3577c0519fe3f84c3e33

SHA256
8220e515161fa47ff15a45c12d318368f805bae056598a070e03b8624b9357ea

SHA512
9a3add7e097fefd36b7aaf333b141452f0c92e2cd121a35117305697604364ef77ef608b05f851e1c0c4619c27a9846dd74fdca076b424f43aefb81c539b6cc3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\3A3D88328BEF39F2AE240A527C9D25A46C179B02

Filesize
206KB

MD5
4bbb377859b818cccc8cbc63378f4ecb

SHA1
981e7ec010c4114a3c89461eeaac038cd328c04c

SHA256
fcbfe11da64fb7201494d5a3842399ae980ae6c88da49b511dd16b076606feac

SHA512
b0c41e4071a40a93c5cc5f988c84ab3b6b264713f71364bb8109c4e3f9e6749816bc431b8cf796e134477f8b63b74dd54af94808a15e2d3534149cd35d1fe8a3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\585B82679B227DFE3792212DCC500F34834A8734

Filesize
147KB

MD5
72096859639b8c0edc54b2f4c760ff47

SHA1
2c628da2a3259782b58c7a1256edc9f52dc19b28

SHA256
e6d3b055404a4179ddf0a8755a2651081b117ba1651c36c4df4eb8363c57f2f0

SHA512
0d24b42ec7997fdfb8a5f10643120b16ccbf1a07381cf4e09eecc1811746ed9028e8c91615dbad69120cdb2296ffa807fc9917873f546296d0d81e71a29dcd43

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\9D880E08269E64D00AB21C9E9B4C202124D44635

Filesize
44KB

MD5
a222e65f5fcb8e5b533fa0550725ed8f

SHA1
49fc1af6d8fbf3fdb9ce3a1c2d50752b3c1ce87b

SHA256
08f4d12ad54450513589f7f6c4b368473dc863f8b522ac83bbdf1ab6e0b1ece0

SHA512
45a6c3ee759d9deda412d94c1fd5be629be39d7f7f509d900256f0ceeb6576d4be39aef2aba46243209a65ff9f298fd2c297ea7631ac479798b253a308ddc11f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\B5F211AB1F927664FD7A79083F62210DFFFEF7C1

Filesize
210KB

MD5
afbf862f7d3ae45b4648af649e961c71

SHA1
1b61e896cea034a068e30bdee2b05add7e43a2dc

SHA256
85d663bd40019e09b8a5b3078baff05725acb8beb05eddb5b1d86494ed29230c

SHA512
5b7c7a4f6ac408fa4c5292d1ab052a700dde3b0cfb6a8f3091474e6602da61dd6ffd65af45dc0a4bd81f1a748835028f99119d2bdba00d1677a6bcf42c838edc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\B655C26E512FC1EFF69D1620006188E4287BE3C6

Filesize
17KB

MD5
792587030920d3b498b5a81934df88c5

SHA1
0b3740871d90af1e54844960f793f6ea3b3e425e

SHA256
8044271e5ba51417b957e5fac6fe05933cf661fc9d689825d42a3f8f315b6ccb

SHA512
88f89677289f9adc8fcd56cd082266fa0daf8d553093fe7b9c2d7da29cdd1e4ce8fe3d888d818c59e4167d3aeea62eacf4eb3f16c534d9943f903734e40d7ec2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\CDD72CCA8AF7AD8A4380370939EBEF2B671B8499

Filesize
18KB

MD5
827231d3718f3b09731432e65848b2e6

SHA1
a1aa37d43da968241dc5d3e85c8c24d4b3b20fe8

SHA256
8ab6905d20472faa630378a6ef2a2668ec4ab641cdf1290ef3d6d2c63e1c9996

SHA512
965e1532b0144921d57ec1987398da0216239b64aa729e028813042bd1c89064c8896ccadf4c0f0de45444564f151370df1eee5c3f1b5ca8742f7e658939d713

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\F384E521F3796C0046EA9207D65667FB4B21A0DF

Filesize
8KB

MD5
d37ed61e9b5c949b40290608ad8439da

SHA1
11d632e1a92ee36a6a3cbeeb8151eab3e6fdf280

SHA256
dc4aed48cf4711fe9ecf42cf583101d9b2d9620cdbb63347bb972b97a732ab81

SHA512
8304a8f22eeff1156f46663d08f0ab1561a3385a627611901bbcc28356a0f747dc0ff5b45383cc4a0078922022d3f272a6d89935cf59535f364091453310dfaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lz7hko67.default-release\cache2\entries\F7657EE11EBB52AFE15681C520ADA7F87CC99EAE

Filesize
76KB

MD5
06c31976bd60e71a8f19fa65ba766727

SHA1
77c570c87c3e6eb666087d74f346a881a4c9713f

SHA256
6fc651053170013c45abe76e679f840d8b9d585274b079f635885981ec545172

SHA512
1ebbe8d684c70880b5aa5dfcca635ed884f42ab817996832d033425ffabb443be21c58c062b198a2caa59d28d0be0d734babb566d7651a6ad7eeb5106c6fc20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\ConvertToHide.docx

Filesize
15KB

MD5
922cac7d7e30f18448166346e9cd5f5b

SHA1
e519fb3f506966ad0ee6bed0f2ad323c4a7301ad

SHA256
f75f4861f99aafbe8a4f8663a97df4cb7a9d2bd3a3dcb925bb64ec0e9063d362

SHA512
58f14d9b9ed6fa64e96f8fd574e9f236f59c127e1e3a5f3d2b38d9aa15aeb70e759ce471e2c255bc7b7e2f3d3e1fa8e7ff6ea95f83f137d09f2826d091077729

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\CopyUpdate.pdf

Filesize
1.4MB

MD5
e8c4ea7eac08d04424e4c0365acac0cb

SHA1
f857dc85e730ab961683925bc2c13a4ac4af6f0b

SHA256
2398fabfe9a43a7071b1d6088347c43513bfac5eaedd482244a4c8f23e91b06d

SHA512
02d66b22da1cde605ff8b59164ef7593185daa94c5e23e7ca13c7d52d402c628593d0392d3ba4bec27c40ed88bbb6981e65850fd9400bafca2861b409c67d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\EnableDisable.docx

Filesize
18KB

MD5
48f04ca21cd871502225491eeba821ab

SHA1
b108fa32e4bcef9d29b36df2d9909bbe86a7232e

SHA256
241004964355ec7dde0b3f2306a599dfe5c7cdc779b1702591226d49607fbedd

SHA512
a77407d228b9a9c3f873f0cc7ad1637d3a6824e506eb85d6ad56a47477ecbc48574e67f73edcc99475c1d859619b3ad8880ba2054dffb43948fc5b727606b168

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\EnterStart.png

Filesize
813KB

MD5
4f00d1c715d9e697d998e11b9593a792

SHA1
0f997a90a17875b5462c8028e0c10ffb19e00974

SHA256
d8cbd922681e2e01d6207762cb9ca52bad141a84678023d5c039d6eaeb560a3b

SHA512
8e0fa4839b24365c1ed4a5bf795f434f16259c9b864f7e4e5e72bcdbb08d35a7fd88c5d14e950df5c1b545e6f6da8cb63833c2146ef375eef220889db940a175

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\InstallFind.xlsx

Filesize
12KB

MD5
2b250b92acc1955428e86af0f95c846b

SHA1
8ce8255ea880345843cc05c2f5964b41806b6671

SHA256
52f8e5d329e8f852db23c262e85d5e85ef2d8eecd6b4118271dd61be2af32e1b

SHA512
e5cf07381a3542a820bd1db5cfbd21a42f97f7542694cf0a17b8435631bd8a51e1afd0d116d0a2c91feedb14102ecd086ac6fd2b9a2dc69d420ad2a077f588a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\PublishGrant.xlsx

Filesize
11KB

MD5
1d37afcaa1bd90c92a43488cc0878b4b

SHA1
4f00bc026b9c881b3651673875314adce014aaed

SHA256
58132c88b929c6d887da561c20e9cac700cc1a0f323a79daa3b7e9657849d836

SHA512
9812ab8a02f2400681c512a2071d2723c7d21771a5c110d656f52a4a8c71f6faec4e73bbe6603ef484e8dae866d4db576f0268be90111f4f3a5f9ca602133148

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\SubmitSuspend.xlsx

Filesize
12KB

MD5
6473e276cd52d8207409035b34a8a520

SHA1
508550d9caa01ed5dcb31d993d5c1bdbae5b47c3

SHA256
bc3984508b67d83b47b3dabe10093160dbbb1a0668dd1e200a3db463ecdae697

SHA512
d73325149e54819f914ab2e39ba83134bacfcff7c19b054621c3b0fc611fde86fb443e3020b26f503b88d85782643a22b9e9db53dd0acc18178dced02463349a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\UnblockSwitch.docx

Filesize
13KB

MD5
88fe9ccabc757e77dcc51dba8c4e6041

SHA1
cb43b68bfd57afac18e7b927ea22c37a5f241e88

SHA256
1d867647a65fe9ce8d8bda2569f82f66cc96932a7243b8c7e4c9b7ed6f863b31

SHA512
ea12b8d79c5254d7a3f8585dab4971b06a4dcee7656e9922e0f396670a14e4c60011199ee8505aa80b26c5f2943cece0f888533ad0c01b9285b7c725aa220506

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\UninstallUse.png

Filesize
1.0MB

MD5
22f0e1cf9a43aee281aab14e21317b5e

SHA1
66e0625c4bf0175c6901b0adadea7ec3875876fb

SHA256
696ecfa8a9f06ab5c9a24aa05dcc57ac9cdf784942e4a7dba465c0b286c87d69

SHA512
560303077043f994a56efbc068da60f0b0f6985a9a4ecc9707f3a06b474b58a59ae3e131c4443960133dc10453f6cd3e90bfc7ecfc3f406a177c727c2f0a6ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\UseUpdate.docx

Filesize
21KB

MD5
de17725c7e2f04a18a759e9b04c10805

SHA1
9e26b975deb245bfbf636ffb8c71b5994b6846a7

SHA256
f6ea308b8207dcb637e9c033d8b60ed5a44da12028186e03871c883aefb76577

SHA512
4b4e59d38587de434d38ccbe269bc14b986a3e266f91de5218b654e8ac5c5c984b32046420d15664416236112152a303e9fccca597b79a06c69c29ea7fd1be0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\EditOptimize.xlsx

Filesize
13KB

MD5
50e8a46731b727fab0b2493829cfe28d

SHA1
770b529134a5e3fc805c081c01dbd9b2e5fab891

SHA256
6b4c047d587b58f7dc006c7bb78e4d86414a4366a6af35569203c002ef94c9cb

SHA512
3b6780965dfe4880bb1e368da62d3e3d481b66689e4068c805c3f8d6bd1e1fcbc0aaa87c91eec572d74cef452c630061def8d8ae0947afba4a03c9ac8e3880eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\EditSave.docx

Filesize
19KB

MD5
bfbff28c7c671d8782c64f9e5f601f83

SHA1
5fa42ef4053cd3ca0f6e5f643e7b386b5c92ff87

SHA256
5e6edc3533f1055b235f54afc4fb875e87661ba61de3f6ac61dfe606a274c496

SHA512
305e6d7f0c5890cc0a7e567b1581c901dbb02d9f5314ed5a62700917e7c8add0063c8781c35e0717d52e927dcb9577c33f4f9208cea7091a3dbbaa36aadf6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\MergeUnregister.csv

Filesize
1.8MB

MD5
801ca7d10a92fd97e098ef5c907a69fb

SHA1
a29a837b24a9686aeb40f76908f9451a749f53d9

SHA256
e19a0884c041eb2d6e4e6e67a61d1035de16d26d7ae4b0a873f6ff93abd333de

SHA512
0c7fb30b5e07488c44db8170966980bbd5a133a88f7bb99bb416dff3b119170ff8b58d5c7b0d0ef6eed74dc259a6664d749b6651c9be658b472daf99af23c498

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\AssertRead.png

Filesize
575KB

MD5
941b9c77debe46df66bd51947078534d

SHA1
6630a595381aba5ad06425084cef3b4abf5db4b9

SHA256
83e171c7ae9a6d36376c480230ddf36edd2db851d175785029f7677b58889bde

SHA512
ee3957751cbcd486b286a45b5c91713d2f0a79c9a62ae5574a8ac0b670b7494c668e92e0690d41b3aefb7206656ff91c7edf84c57285f04921d0227904fc29e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\BackupDisconnect.odt

Filesize
858KB

MD5
b933fc18ebd1c4ffa13136b1738c8078

SHA1
d995b2294641d1217894b84dc4c66b5457634551

SHA256
1e3708674238dd6ff22042f0d3201d3824e29b43d72a6ffd856adda1244cd622

SHA512
6c6e4906716ec0dae54dbe319de88a8552f1fe8e4aea2bfd66585e6a24203d244d62cbd329905c04cbbf718cf8555527e29c4da7d7d305855735dbe6a2bed526

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\ImportClose.txt

Filesize
838KB

MD5
07167e623f004958c75179396b007d7a

SHA1
00de2411cb7af87776756312457b0eb5b62ca848

SHA256
0cca3b5fd8b3133cb7be96b6f359b0e98bbe13ecb88b1713a861be26db1bafc6

SHA512
de960700cbe739ece31d5c4418ad7ed772268e9e8f1309e0fd2e2933bc6b691c3cafe4e9b88da52cf0befa049a4af944cfe2a7a934486343b6415922b4068eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\PublishReset.xls

Filesize
656KB

MD5
bef35c5440acbbbdb2a891c2192e89e2

SHA1
05e7ac29499ece4b890da429756b2a664b344510

SHA256
69a654632368b54788e0bc498c1dcfce216e1eeeaa985305c3cb845df898bcea

SHA512
e26f42e1cc0c137033d757aeb9c67e4ad86efb52594493350eb9a851344262755b6e2e39c4c3b56196696ecd0fdca9ac2fe5449bf4836e61b79b683f43b29779

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\ReadExpand.mp3

Filesize
898KB

MD5
185d28113fd54128ff38258f319ed958

SHA1
5f515c4853fc93f05e70b81f586a1469b3ed08bd

SHA256
2f761f7be8edbc02a6e8972ca19531b519e7719cc175d72e43dbf8a2f5be6748

SHA512
f091e763bb3e4f54e7961e068b7867758ce198952773fddd956b6cdf6fee6c4d20ee3f96d9452544575942371a7825974a423bdc3fbf58a52fd0803c8a56a1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\ResumeUnlock.docx

Filesize
1.0MB

MD5
881f8386496087399db292a9ff30ff06

SHA1
1adac23bba9d6d70d3f644eb34d2ce8b33e00d55

SHA256
8243bfc5dedf77926f2a1e59fe627f3a94684226ec2393937c95b780b82ef440

SHA512
45e56fe03f62aede5ae4e2a97981979a65596ad3d85d99852dc3118a89837026899bbbfd51ff667e2faf1925ad4163700a7bf03694e3ef05c7a95382a9e0091d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\SaveConvertTo.pdf

Filesize
918KB

MD5
882ea95e52f021715810eadeb57e21a1

SHA1
ea15e69e020dd4b8af19a7290cac3324db4e248f

SHA256
92a1040a71ebfe3e2615b7921c80e6451c65d281f2b44af3f22ba5bec7288516

SHA512
aa9254297d1e60b76df21b37c4098de2f03659f8794655f358a86d8192996c4a1a17e5cac7033993cba36756da7fdf2f8326fe3e222bad91b362e3307491da52

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\BackupConvert.jpeg

Filesize
316KB

MD5
2cbb979b9b979a66a417d4297f130310

SHA1
b5157a68d3b4b414d6a9a03b6e9622da30e1aa16

SHA256
ef517f4dbd4775a899c32fb0227d854d4d8d6b7f95092c59cf124ce1aaf2f46c

SHA512
692d26c6d6a3591257f9ca1b792df06685752e7d05f8f79c9a0d03e9197bd0dcd82ba6c6c954503d7f9d1ca5ee11ab2893d611da7f21bfdb451a2bf4f6508d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\ConfirmUnregister.xlsx

Filesize
325KB

MD5
fc6709071fc95ea695cc2787c7ca23f3

SHA1
0a9e0641a53ae743e2bbb394533cb8c859a15437

SHA256
2832b6bf09b43203a84dff1d34d0e42660a132e838adb2d55256cec379e79ed9

SHA512
77ad48954b905db9a498d1f19903df4cb41ec7fb36fc66ee2ce2d11b0ac8e02fea061aa594ec05d410db618508a834be63a509893ca2420e9f01582b62c082fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\ConvertUnlock.docx

Filesize
471KB

MD5
ce406330cf5992e73e7b2ac57d31c83d

SHA1
0e72a4ba7824ff7a250b314bb163fe452a83cec4

SHA256
ddc061c0744d7d53ec534b025943245e4e56f16d66c8946ea616d23091445ed4

SHA512
82c9297ae59edeebd47b79d82e0bdd434384b59f44b0e91956bc42c80ba42b5566932d6c58883f9a3ed6430dd3fe575c1630291d3a431430798897a46126a2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\PopDisable.mp3

Filesize
710KB

MD5
bf2b1f01a50a1da6707a4bb9723c4a2d

SHA1
bbca79f210d9fa45010c53f241a4c7bf5eb1e9a1

SHA256
9ff043a6745feda5ae5f1ecdb1887ecab0545309020a17b0c6dcb7034700845c

SHA512
d50f9c273141b90b35669fa6b808c801d747c72bf4b2236fdf855de90798576870917ee1ce254ee4a3388b57abe0acdf9fa7840f41705c50c9f256e350299351

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\UnlockRemove.pdf

Filesize
452KB

MD5
f446dd3cabec2362bcc879ec5a2f68da

SHA1
8c3fcc66d2dbbf40d534a5ec1d6e804a65af3f2b

SHA256
cf7d18ceb55c2af86e60eb211133271ac86c08c66cee3ae52f7047c5e66a73b2

SHA512
daf662e7ed1266fc8bd9f0038686af6b0869c949a8ba74bb4583e30209afb46cabfa4bd32acf498240c2c621c158e7c0b9e740ecbe5f45f5b4ec23f5179b0c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\UpdateUnpublish.xls

Filesize
442KB

MD5
eaf815d448e1e3bbeeb46af286f4ffc2

SHA1
ef4e7b2131c2d92535d6c87ad812841e08f50829

SHA256
19548b06557e018233c800048563c21e1c88432def994608122548db00feaee5

SHA512
7359110c76fdc78dcfe53d0cfdc8496084f07efd863f02f693b7c1ad07dafad18b58da511029372edecfbf4e109e5163ec4683df24644976cebb312967797981

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\CompareSet.jpeg

Filesize
218KB

MD5
fd21d6aa28a0b487ba442a43dbf1a857

SHA1
81b1420495452060307055c288a7c31be03c1cc1

SHA256
1b8aecc198295d139d6bf5f52db1ecb57fd1d2036f47dff7dc6164ae55e9a2cf

SHA512
13f65ab7a2c866b2d5748f5193a281b090fe47c262544a8e68e585cff5fb7d111b2f3ae9ccd3b5053a455dbc929493e47300b9c1222bd93e20f077df4130208d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\OpenExport.jpeg

Filesize
137KB

MD5
b46c8b998739d56339bd03c45841683a

SHA1
6a6671f6b4d6af329dbee27e195fa06b356a8d9b

SHA256
1bda6d0a5f0292434fe282c0f919a7070b7949dade91970e2e450581dde0ce47

SHA512
0eb9fa8d80beb01e69beada325611d8a0cf1f471a6cafe620edd4596e735e8eb798519356c91d112d707e3f70bf1c96df80066593ad9c2d378d7202711a3e01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\ReadDebug.jpeg

Filesize
131KB

MD5
974bfcdcd5412fdb946c841e67af556a

SHA1
2e35a7e5984855910a28da29c890e06846394230

SHA256
9adfd5f3dca0e7a36bf8797e13ffa70cfc41fe1e74eeb04985cff8ac2c362d81

SHA512
62dc5d370859cd38782e5fda2b36741d45bf0eba6da4819b82677ac37f238689755134080a7df62d43e27e469af24b30dd6f3eed313a2ebe34673f17e90c5346

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\SelectCheckpoint.png

Filesize
282KB

MD5
5362d4203f0af7bf806b6347af2a4848

SHA1
23c166bf58d7974cd19e18ea4e0125652670f30f

SHA256
bde8c7286626817ce318045c2b8f119fef9d87686b0a2cde4777bc023ad0f82e

SHA512
efbe68a906fd3c406f408a38831e389a186125a47cfdf5426475c6c969403d4961f61197d5d52b2a40c28d752e3d3b9866b3496b44bba71cba8a09ba1c3de8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
30KB

MD5
60dec90862b996e56aedafb2774c3475

SHA1
ce6ff24b2cc03aff2e825e1cf953cba10c139c9d

SHA256
9568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46

SHA512
c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_uuid.pyd

Filesize
24KB

MD5
ecf3d9de103ba77730ed021fe69a2804

SHA1
ce7eae927712fda0c70267f7db6bcb8406d83815

SHA256
7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea

SHA512
c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_quoting_c.pyd

Filesize
93KB

MD5
6809491f7b8ad46a7281e222ca71745a

SHA1
138c75bfb03b1d54cd62fe14c3dc4501cb418397

SHA256
80660605ae26882225d02d130d0a84927635a79c78055c2eede010a28e84eb32

SHA512
97b498e3f69de6ccc4f3373683d9e2aae67cbe2532508a7677738702bbaf02ebd7c05c26e53cebb076f9943eea59b1ac4b9f7ee71a1626b8e31e539d009b39e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
e4c8b41ad81dd4a2cff961338c7a74a3

SHA1
5a7403e9a90cb409e4a2b5aa99d56657ba65c904

SHA256
04778ded87fb0814b982336e4e356646e6553830af6cad46b247a9ae56d7e218

SHA512
7223ccaa3392a007e6338d40fe4eeaa1b55c5539a45ba1646615e60222ac97f1050f8141045b56cd99bbba429f8f3abd1d9d1a03885e45a214623ab2837b1882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxhlyjxn.uck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\_decimal.pyd

Filesize
246KB

MD5
709613d7d7bc30abdaee015c331664b6

SHA1
84278fd8acc53c50b4e2ffa3f47b9ddad7dd7a70

SHA256
8600cae4f34cc64c406198e19539d0d4f5a574fc60b32b8aa8f32fd64c981da5

SHA512
4eb48bbcdf7cd9ebb9909e5269d4663bf14906a282a1f1418cc7e137f2be1c792019d78446d4d8bea63024cbf01bec14e28633d6e4ebbd85d7d074b948cab211

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\_multiprocessing.pyd

Filesize
33KB

MD5
b3c8414bbcae9bcc3377a4df72a4aed7

SHA1
cf754caff33c158ef6377b6cb2dc11ab96a27678

SHA256
65413d49d81e5b939226a211fd40c9b7c6d61366651639446273988930f4a6fd

SHA512
3a1a85ff177d5521043a7a84b3aa56f567b9d1e0fb5b72441d50d0234e50519c86dfc24f6432be32460cbc63226ff3e4bc2d86e3154cdcd7a3d9b8d87b32b035

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\pyexpat.pyd

Filesize
194KB

MD5
ea36d6df8ab58a22421f01d6d673adf2

SHA1
6a22ea1f37e8655d1602823f18ac87727110a1b5

SHA256
32e8c601259ec029e44824116ad911426157ceeae55f9fdd15387af40660dd5a

SHA512
d23b7b4f46e99fa4c93e6adba24e30d09c445e85c7b2eae93a6efbffc5d8be166908f7ba7edf7b3e5089e712a4ce8e5bcdc32610f59bda94b90dd01aa3601035

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\python3.dll

Filesize
64KB

MD5
24f4d5a96cd4110744766ea2da1b8ffa

SHA1
b12a2205d3f70f5c636418811ab2f8431247da15

SHA256
73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53

SHA512
bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4456_133824260616700611\yarl\_helpers_c.pyd

Filesize
53KB

MD5
6fb550ddaee31afedd29bdb97e2525f2

SHA1
b58257f37c581f143176d0c7abd3a98fec75a12f

SHA256
33a9b6f1caede0dbc9ee83097dea21c6db0a5cabff27f2917ea94cf47688e9df

SHA512
dbeb69892c63238aea76422815e45b7b1e12a7d2a0bcc6170f690b68eb56bc04c071413885fce81cc6ce435d9c60c36d9b97c792c75c21541db612c48124df38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\AlternateServices.bin

Filesize
8KB

MD5
f260f66486ef3b30d1c7a91c02b18321

SHA1
fd6e8d27425c53e298fbd8fd1223963c325da261

SHA256
8f7f8b26a4d3789b2cf96defb3d538bc023c97411d9bd0d592f64d950dbbe254

SHA512
077cc995ec3036927c5c48e6615c3cac7cce885506fc3a12c5291952faffa2e1a5145985d846ec16158bfada889b88e48f03da107665afbbe3091a5cc37826cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\AlternateServices.bin

Filesize
12KB

MD5
9b5d99327f8f5f4808c8d6e95b9fc533

SHA1
50e95676365b374985538bddc089f883ae48ea90

SHA256
066d94341ae05579b6c56c98a33e5c52532a0232c7606e25d005ccad0fb4ba36

SHA512
b438f03f6153d4c01fb656b4d7b303ade905c0a96db4e4d6b3e815a82c484755371002f50add1b666bf28fdd751ea25f7ab2e96387e16b550f9ebc20fd397643

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4fa71d2af9613a4d8b7860f9653e6764

SHA1
3d337a67d0500d0976eaab72eacc044ce192f8bc

SHA256
815b8695af88b5f53eeab169c7dc69293a0657cd6f74b2f72c5268ca33b82c06

SHA512
02825d51a120fd47367b9bf1ccb9e0fd23717936dcaa7a908cbb89cde4f4627f1dcc33906f237ac6a1b82569bc5ed9a8f6d565abfa748148c64121a4750d084d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
776fac1b826a486ae323609467670a3c

SHA1
68e4a933bddfb94b8ecf02192b4fa86391462d6f

SHA256
d2d9d1e545cd5f2b70617f21c24663d81f853e488904be4a6eeedf1bb95502f0

SHA512
9a45e1d45c7bf84679b0ed0652f4c63ae27de222728d1f0cc3833ef74c34644889c75f27f10a81d792f03c7cbde84e46bf8683d432e498521a2565d802a7bb4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
d776717d9b5207f4e377a8b8e55108b4

SHA1
26e01f0cebc6d5ee70bef357a85b8d308e1efc1c

SHA256
22f6b1fe9e3f3d93ce893e9441f865b16b2c95905c97968ece2d44497152996a

SHA512
7910a255bdccb9f190a084a08dcf1ca0450aefa5e1447875e8abf6d2e4637b3dc384a76d8158526e6a532daeaf2b483f13c4b5cee0f3dbfc31b1fb642de2c4fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
4529c766047f762dd0c07d5e229e38a0

SHA1
d405a4931ca13de39d12fc1f5ce4b799d7164f9c

SHA256
aba4e67606e658d5871b5eaa8c598e7c4c93408a73200119702a72edf08b4a06

SHA512
eb68627910c9a14747ff8d32c45485925e4e26509c03a4ff2577a6bef29fbae32aa6033bc419f70d34a7eece8fa7121689334dfedcb6e47a306aa17848012bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\116adebe-948d-4306-b0ce-52246d15b221

Filesize
27KB

MD5
8440442452db5f22b8a42f2dc55f2cfa

SHA1
9ead231a75cca8fda3a301f7bfbd5c57071e37c1

SHA256
dec208602245f442ec5f2907c0beeabcbdce5c9356e6208f6f2a5a59f9d0247c

SHA512
34f2be384d0d629649a85d05bf6265db35407f8a53e82fc9e4d482d4aea756dd0ccde5e7c547a3036165de60e00df0c56d45b2c4c57124571496f6238fe08336

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\258d2a9e-0580-4d71-9e49-afcc509ecbd9

Filesize
847B

MD5
d2dbb2f02a9272ccea03e59cb6b50ff0

SHA1
9efde151648be9186a35caf2b56a272291a11ab1

SHA256
f6d274a8f6d9fb71c0411c828fd4702a7e5deaa911212fbdfbda72dbfebf6bcb

SHA512
2181190d7b41f3c52793c0ebb943541f9d89eaddef71574b268e4ecfb6324890182efd5fce188de62b36e79954ff58d56693c654349ab2b2555dea59f9845062

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\28ec8003-3abe-4c24-a4b0-67e28d8cbc3e

Filesize
766B

MD5
f5f94604a4a60ee006fe4b37bdec2bc5

SHA1
84985c4d73d7e71853b29f27eae5f163f515be36

SHA256
6aa2e76f2bb1a3c726e31bb415fa83d8c53938550d46e175671d81ba7de32d36

SHA512
2edfec07b7ff003a9435e524bc277ddb083b0f21167965e1aa675dbd75e29af6c60e33fa2910c3de85b77621c6ddf37b0ff44d0329c1e75a81e2bd796a90a49e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\64a580ef-14b3-45cc-9709-3535d94b53d7

Filesize
653B

MD5
c0656c2fe8404882791e4ff18593392f

SHA1
2a7a58b1ff6920d868b21bf6c72e8e6c48ab326d

SHA256
c5181df9efc185df77da992456bf99abad7472ce52c7740647dac963b930311e

SHA512
6a566a36c0f0a1d61d206707a1d370b911ba131c15222c6b7bdb75ddb58836de35e2e291f989e9459a94d88c265971739d1b58f4374ffde39c68be47c9cc2f1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\64b7d4f6-631a-40c2-b473-2107e1520f13

Filesize
3KB

MD5
f5335d3f4a36cb6f6e7f372b16acf597

SHA1
4a1dd195f46595d5998bf6c83a000fec1360d3ee

SHA256
dd648918d71a549542975968b2c36baddc9fe5a2d05485b9d4e47aee3c4a42f4

SHA512
534d9612ba2f8736100ca48d527a5100e9e5b6daa44bd45dbbf16635bfeab99a0e4ee0496858c3584ff14e1addd7af76375ee1f8073ef907281ecbe463d74818

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\92e98daf-fbfa-4042-b35b-0f8a6cb7bc50

Filesize
982B

MD5
db14300269a483e532a82eb077544516

SHA1
a3a4a53205c202d965d0ba61da6757e9c485b084

SHA256
8357a756f2835bee8ebe043f190e8d20bcf1ad3fdd040e88c43ef3eb29b1d4e0

SHA512
838da6c903c0b7bab0d945e09b1fcbdd409a253f7fa34efdb36c8f40b7b8f08c48866f6650cb320017350fb34b48849279dc627c3bd1411e264289db2bdd5876

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\a7e3c88f-bbd5-4646-a4aa-f2ffedb4bacf

Filesize
661B

MD5
2cc76409289101745584988e435aa9c8

SHA1
777199600ddaa14fa3d22383ae228933cedaad26

SHA256
e7d5fb0e873e60c965db122923dd60d9f4674f00e8e95ab4e6903fd4e4c8468a

SHA512
dc6d414ff7a8a84022834e6c4d692045555433c6d79e1b492e332ba9a392845404d5e152609fc4378b7df7e04c6bdcf4b3498f59bf5334fc4a62a5dc49ac9219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\c737d676-0319-4215-acb6-63562cfbed38

Filesize
671B

MD5
393dece01fa77fea2817d6ecf0cbefa7

SHA1
1427c5ca781a532a22371a14ab5d77154d75e6a7

SHA256
a049d894a0001ae78fd92b5839f4af35e6f38da8a82cecf5ff56067e7d167938

SHA512
32a99602f55bf994188c1247090e092617c1244eb2c4472ac5b65346d5ee64fe6d641467ea6ed8b3f20f72e479fa5de9304a8bba3a6f803522aa27d0cb5e9885

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\datareporting\glean\pending_pings\c9826c31-7708-49f5-82a8-3256ce14de10

Filesize
905B

MD5
24a2f373542ecc37c51075034c9a2498

SHA1
07a09ef60aff0d0bc0592e8feee259174e146b66

SHA256
7cce2be3ec9474633f7adc8650a3262f43e226a034976acc83acd7b39c8846cb

SHA512
c36315f110cf054d989edfeb1c6691378baf89a3b0f9755e6a0f3046b50b6f0a46e670dbef1c7c0154016e0ce49a054e4be18705e20e299eb70ecfec96e5b6fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\prefs-1.js

Filesize
10KB

MD5
6db764360fef33f73957e8664927d3c4

SHA1
dea61103f71f7d9d40f6f8ea531d5facf49f91e9

SHA256
9b1043e516a8f1bb5750ff697f21505365417881796fdb94d854808112fd966c

SHA512
77ea50cb74625092cadbe34b1649602a0d8a8b42aaee458c231a1ebce38eff67875551ce93d4833749f159d27aebc8013dca46f8d5f0b83a8bbc01783a49754d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\prefs.js

Filesize
9KB

MD5
084dab73abf7c4bc9ff8a725ecd57601

SHA1
764a4712e77f829f4df9f4a332236c2e08df2e3b

SHA256
4a87888ed91b47ddc820dd279a6523aaba612b4e2b9690e7e1cb68ec5af42fa4

SHA512
a83db50575fa99e27b02e31d8e7a25f1b24208ffaa14716e5302a011fccd752d5b8a529ad4b1bcd43506d68a49a627b833010c7719800fb8e633ba2ba2834387

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
2d1b56b76230f4182cb02563da9f455c

SHA1
edaced22be191aef6754ce1346a70675347ad9c6

SHA256
97d4350698e76d55755ff9757f3bbeb5975f4b2fa947a9a8617a755dd4ccee87

SHA512
f1759070fa433b59df8beb9a15c2d9839d631a2b5b67167509dcc11f7d64965faaa30e04bbacdb382d2571f79c9895b954ecdf20869f560fa8134948a746157f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
63aa96beacf67c54c615e0cc2cd54fd1

SHA1
856fbf9bf62b7fb97dbcf0e941c82f8862a1cbf4

SHA256
86623e4a7c1935296639ef179edf6a515e8b58e4b646488e283e9da7b0adeb28

SHA512
4252c14dc74606a84788ed101be0550a1fbe887c6ccc3b518d5892916c5aaa417e1a7f43b248a19248bb7d4b8e1dc45839b2e5abc2e4127fa31729c7e0432e94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
13KB

MD5
853f1aef9f0a2b786adad951cf9cee83

SHA1
66a5e00a0afa510f0a3797e91b3b175291ea52c6

SHA256
fd69984bc40adc6a422a9700bbe1c7b2d6282010d82e5ff3e58b84501bd57fac

SHA512
0775498fb43aa2f253f1baa3358180749ac82850414f1374273f93c001e3258a5f36ba94727ad5c56cfb31bb36937841451fd00ac473ada2e70c5dd373507ce7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
7b4306ff3743fd6dba1a15d59871865e

SHA1
546384b05cfef6987a44d1a7151784be641a29fe

SHA256
5d03110984de8b66988d1e0d39fccee9e4a095a77656297e57414f914c88aa1a

SHA512
d652a8b9be078db73fd1dff1f927b1c43bf7ddc869ed74181665efdccfb677eb46caf3943fb58bcf45e25aac9ab3cdcfa79c6aa9ff23f8c42f8ddc9b76fc9669

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
aa89c11acba5f74f38d057f605ac9338

SHA1
d47e79457ef322193a0489c817a46d31c0b36374

SHA256
fe5ca30153de4fe8be8ea41b00645acac15d58a2732f958752338cd1dd02d250

SHA512
0927e9918dbd6a55727f856612fd406e56be35ed8b91e509990642fe0811cbea542de6b201a9df273015326780d65cc105a23032d9a3e861379ab416dc443314

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
c8864f40af2db893f0a463211cec8849

SHA1
f9c5c61c72bf736ddff3b0431683777fefa3406c

SHA256
6f8d575c52c0a03182c736e38414d5e85eaa8a4e5eda10b2c259714e121f290d

SHA512
13e886fd1448b61805d901031b1e9da689ed6cdba1cfa56555c4be4e8d9badb4b0165601a282b6d0df2f92e7508653c3622d1eabdc121b8545b98e4d3c27509d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
d2ffcb08bd25e9dc1f69809c86475e42

SHA1
81d62f2c7b0a54c74bef36bb9bce3236893ccf6c

SHA256
7a65156051e6a9d414972b8bcf3a995d9c8f031b8f4bfcf60703634b257374e5

SHA512
04405eea748e6e2a2cd40c49ede3d164902994f3057424debccbde2671d38a70adfcf4d7d764f8f3a357573b6b458781486e26664aa401fd670a45dbd6e86d61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lz7hko67.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
0edf70f71d27b0aa303a9ce25ea85b36

SHA1
d700cca2c76557f4f4f480d6c63aa6d1a3755aac

SHA256
e13fd284c12f6de9a9057ed34d7ebadebd505c2e935f3d53388d44fd37e28a1c

SHA512
ca3645632811962b2ed346f4fd428075c1d7f182a477297ca3a36e60b569e1f86eea9a9589c4bb15f0e38b198cc820011bf330eff44faf9046351dfe79c8ac68

Download Submit
C:\Users\Admin\Downloads\1kKQGVle.zip.part

Filesize
6KB

MD5
a003e87598801f723db6a2471f0820de

SHA1
eea86e62ca932d1ca79695fa561322661dfbbb9b

SHA256
e9184337cfa22667bcd36a9b7b4c6e31485fa583955ebda1726135c1bb2a207d

SHA512
ffe557e468e7f634d8a25ddcbc9437f4a8fb8311be86314170e31099733d7af645d0a64a394cb2372f983d7dbe7fe84c59b68e620116b58ecf424465879c2bde

Download Submit
C:\Users\Admin\Downloads\vc_redist.fmthPo0i.x64.exe.part

Filesize
13.9MB

MD5
27b141aacc2777a82bb3fa9f6e5e5c1c

SHA1
3155cb0f146b927fcc30647c1a904cd162548c8c

SHA256
5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

SHA512
7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

Download Submit
memory/1308-134-0x0000010C70B70000-0x0000010C70B92000-memory.dmp

Filesize
136KB

Download
memory/1308-147-0x0000010C709E0000-0x0000010C709F5000-memory.dmp

Filesize
84KB

Download