exelastealer | 0a602136ae066c54d87a8d275fab10d34df115b49a3ea580b8c825a6c637a669

Analysis

max time kernel
1797s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bltools 2.9.1 [PRO].exe
Size

14.0MB
MD5

59fa48be8a4b93d5b6264b3f30a42c57
SHA1

35af02f02568cf21d954a79972a3e1b9a88c14c1
SHA256

0a602136ae066c54d87a8d275fab10d34df115b49a3ea580b8c825a6c637a669
SHA512

4ae4485a3daae4cfb703b46ef76b1f9979bdef8e9b21d7d8527a5dd73d88e34c36ec7d08230469cd98981a15ad72104d98acd5ed64ca906282770b141d406065
SSDEEP

393216:jehC8odGNhEge3fk76ni3DuAOTFbXkO/14:yhC9QOp06izuHTFb0O94

Score

10^/10

exelastealer monster collection defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detects Monster Stealer. 6 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b17-58.dat	family_monster
behavioral1/memory/1128-177-0x00007FF6B7D40000-0x00007FF6B8F76000-memory.dmp	family_monster
behavioral1/memory/1128-188-0x00007FF6B7D40000-0x00007FF6B8F76000-memory.dmp	family_monster
behavioral1/memory/5024-1083-0x00007FF73B2C0000-0x00007FF73C4F6000-memory.dmp	family_monster
behavioral1/memory/5024-1084-0x00007FF73B2C0000-0x00007FF73C4F6000-memory.dmp	family_monster
behavioral1/memory/4388-2077-0x00007FF6DF460000-0x00007FF6E0696000-memory.dmp	family_monster

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 6 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3688	netsh.exe
3916	netsh.exe
2436	netsh.exe
5980	netsh.exe
4284	netsh.exe
3304	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Bltools 2.9.1 [PRO].exe

Clipboard Data 1 TTPs 6 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4376	powershell.exe
5780	cmd.exe
6116	powershell.exe
5540	cmd.exe
3216	powershell.exe
2120	cmd.exe

Deletes itself 1 IoCs

pid	Process
1128	stub.exe

Executes dropped EXE 9 IoCs

pid	Process
3768	XConfig.setup.exe
3336	Settings.exe
1128	stub.exe
6016	XConfig.setup.exe
1984	Settings.exe
5024	stub.exe
4364	Settings.exe
4388	stub.exe
4868	XConfig.setup.exe

Loads dropped DLL 64 IoCs

pid	Process
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
1128	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe
5024	stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
229	ip-api.com
760	ip-api.com

Network Service Discovery 1 TTPs 6 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
224	cmd.exe
4340	ARP.EXE
5996	cmd.exe
3012	ARP.EXE
4912	cmd.exe
2764	ARP.EXE

Enumerates processes with tasklist 1 TTPs 9 IoCs

discovery

Process Discovery

T1057

pid	Process
232	tasklist.exe
1104	tasklist.exe
3984	tasklist.exe
4976	tasklist.exe
2692	tasklist.exe
1132	tasklist.exe
4792	tasklist.exe
3020	tasklist.exe
5184	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1728	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
3768	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
4868	XConfig.setup.exe
4868	XConfig.setup.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4356	sc.exe
2300	sc.exe
624	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x000a000000023b3b-76.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XConfig.setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XConfig.setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XConfig.setup.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1948	netsh.exe
5000	cmd.exe
5932	netsh.exe
840	cmd.exe
772	netsh.exe
5188	cmd.exe

System Network Connections Discovery 1 TTPs 3 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2924	NETSTAT.EXE
1920	NETSTAT.EXE
3460	NETSTAT.EXE

Collects information from the system 1 TTPs 3 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4088	WMIC.exe
3132	WMIC.exe
5048	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2924	NETSTAT.EXE
2712	ipconfig.exe
1920	NETSTAT.EXE
3968	ipconfig.exe
3460	NETSTAT.EXE
3448	ipconfig.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3864	systeminfo.exe
860	systeminfo.exe
3080	systeminfo.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
4948	taskkill.exe
1500	taskkill.exe
768	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133832760847644957"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\4	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0200000004000000010000000300000000000000ffffffff	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0400000002000000010000000300000000000000ffffffff	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\4\0 = 5000310000000000465a3a081000737465616d003c0009000400efbe465a3a08465a3a082e000000063e020000000a0000000000000000000000000000001b6f1d0073007400650061006d00000014000000	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	XConfig.setup.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4376	powershell.exe
4376	powershell.exe
4376	powershell.exe
3952	chrome.exe
3952	chrome.exe
4628	msedge.exe
4628	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
5700	identity_helper.exe
5700	identity_helper.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
1792	chrome.exe
6016	msedge.exe
6016	msedge.exe
6116	powershell.exe
6116	powershell.exe
6116	powershell.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
4540	msedge.exe
2984	msedge.exe
2984	msedge.exe
5060	msedge.exe
5060	msedge.exe
5208	msedge.exe
5208	msedge.exe
3216	powershell.exe
3216	powershell.exe
3216	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6016	XConfig.setup.exe
4868	XConfig.setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	368	WMIC.exe
Token: SeSecurityPrivilege	368	WMIC.exe
Token: SeTakeOwnershipPrivilege	368	WMIC.exe
Token: SeLoadDriverPrivilege	368	WMIC.exe
Token: SeSystemProfilePrivilege	368	WMIC.exe
Token: SeSystemtimePrivilege	368	WMIC.exe
Token: SeProfSingleProcessPrivilege	368	WMIC.exe
Token: SeIncBasePriorityPrivilege	368	WMIC.exe
Token: SeCreatePagefilePrivilege	368	WMIC.exe
Token: SeBackupPrivilege	368	WMIC.exe
Token: SeRestorePrivilege	368	WMIC.exe
Token: SeShutdownPrivilege	368	WMIC.exe
Token: SeDebugPrivilege	368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	368	WMIC.exe
Token: SeRemoteShutdownPrivilege	368	WMIC.exe
Token: SeUndockPrivilege	368	WMIC.exe
Token: SeManageVolumePrivilege	368	WMIC.exe
Token: 33	368	WMIC.exe
Token: 34	368	WMIC.exe
Token: 35	368	WMIC.exe
Token: 36	368	WMIC.exe
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeIncreaseQuotaPrivilege	368	WMIC.exe
Token: SeSecurityPrivilege	368	WMIC.exe
Token: SeTakeOwnershipPrivilege	368	WMIC.exe
Token: SeLoadDriverPrivilege	368	WMIC.exe
Token: SeSystemProfilePrivilege	368	WMIC.exe
Token: SeSystemtimePrivilege	368	WMIC.exe
Token: SeProfSingleProcessPrivilege	368	WMIC.exe
Token: SeIncBasePriorityPrivilege	368	WMIC.exe
Token: SeCreatePagefilePrivilege	368	WMIC.exe
Token: SeBackupPrivilege	368	WMIC.exe
Token: SeRestorePrivilege	368	WMIC.exe
Token: SeShutdownPrivilege	368	WMIC.exe
Token: SeDebugPrivilege	368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	368	WMIC.exe
Token: SeRemoteShutdownPrivilege	368	WMIC.exe
Token: SeUndockPrivilege	368	WMIC.exe
Token: SeManageVolumePrivilege	368	WMIC.exe
Token: 33	368	WMIC.exe
Token: 34	368	WMIC.exe
Token: 35	368	WMIC.exe
Token: 36	368	WMIC.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	4792	tasklist.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe
2208	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
6016	XConfig.setup.exe
4868	XConfig.setup.exe
4868	XConfig.setup.exe
4868	XConfig.setup.exe
4868	XConfig.setup.exe
4868	XConfig.setup.exe
4868	XConfig.setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 3768	4820	Bltools 2.9.1 [PRO].exe	84
PID 4820 wrote to memory of 3768	4820	Bltools 2.9.1 [PRO].exe	84
PID 4820 wrote to memory of 3768	4820	Bltools 2.9.1 [PRO].exe	84
PID 4820 wrote to memory of 3336	4820	Bltools 2.9.1 [PRO].exe	86
PID 4820 wrote to memory of 3336	4820	Bltools 2.9.1 [PRO].exe	86
PID 3336 wrote to memory of 1128	3336	Settings.exe	89
PID 3336 wrote to memory of 1128	3336	Settings.exe	89
PID 1128 wrote to memory of 2512	1128	stub.exe	90
PID 1128 wrote to memory of 2512	1128	stub.exe	90
PID 1128 wrote to memory of 2900	1128	stub.exe	92
PID 1128 wrote to memory of 2900	1128	stub.exe	92
PID 1128 wrote to memory of 2740	1128	stub.exe	93
PID 1128 wrote to memory of 2740	1128	stub.exe	93
PID 2900 wrote to memory of 368	2900	cmd.exe	96
PID 2900 wrote to memory of 368	2900	cmd.exe	96
PID 2740 wrote to memory of 1132	2740	cmd.exe	97
PID 2740 wrote to memory of 1132	2740	cmd.exe	97
PID 1128 wrote to memory of 1728	1128	stub.exe	99
PID 1128 wrote to memory of 1728	1128	stub.exe	99
PID 1728 wrote to memory of 3008	1728	cmd.exe	101
PID 1728 wrote to memory of 3008	1728	cmd.exe	101
PID 1128 wrote to memory of 4256	1128	stub.exe	102
PID 1128 wrote to memory of 4256	1128	stub.exe	102
PID 1128 wrote to memory of 3508	1128	stub.exe	103
PID 1128 wrote to memory of 3508	1128	stub.exe	103
PID 3508 wrote to memory of 4948	3508	cmd.exe	105
PID 3508 wrote to memory of 4948	3508	cmd.exe	105
PID 1128 wrote to memory of 2392	1128	stub.exe	106
PID 1128 wrote to memory of 2392	1128	stub.exe	106
PID 1128 wrote to memory of 2120	1128	stub.exe	107
PID 1128 wrote to memory of 2120	1128	stub.exe	107
PID 1128 wrote to memory of 2028	1128	stub.exe	108
PID 1128 wrote to memory of 2028	1128	stub.exe	108
PID 1128 wrote to memory of 2356	1128	stub.exe	109
PID 1128 wrote to memory of 2356	1128	stub.exe	109
PID 2392 wrote to memory of 4792	2392	cmd.exe	114
PID 2392 wrote to memory of 4792	2392	cmd.exe	114
PID 2356 wrote to memory of 2464	2356	cmd.exe	116
PID 2356 wrote to memory of 2464	2356	cmd.exe	116
PID 2028 wrote to memory of 1160	2028	cmd.exe	117
PID 2028 wrote to memory of 1160	2028	cmd.exe	117
PID 2120 wrote to memory of 4376	2120	cmd.exe	118
PID 2120 wrote to memory of 4376	2120	cmd.exe	118
PID 1128 wrote to memory of 840	1128	stub.exe	119
PID 1128 wrote to memory of 840	1128	stub.exe	119
PID 1128 wrote to memory of 224	1128	stub.exe	121
PID 1128 wrote to memory of 224	1128	stub.exe	121
PID 840 wrote to memory of 772	840	cmd.exe	123
PID 840 wrote to memory of 772	840	cmd.exe	123
PID 224 wrote to memory of 3864	224	cmd.exe	124
PID 224 wrote to memory of 3864	224	cmd.exe	124
PID 224 wrote to memory of 2984	224	cmd.exe	126
PID 224 wrote to memory of 2984	224	cmd.exe	126
PID 224 wrote to memory of 4088	224	cmd.exe	127
PID 224 wrote to memory of 4088	224	cmd.exe	127
PID 224 wrote to memory of 3344	224	cmd.exe	128
PID 224 wrote to memory of 3344	224	cmd.exe	128
PID 3344 wrote to memory of 1236	3344	net.exe	129
PID 3344 wrote to memory of 1236	3344	net.exe	129
PID 224 wrote to memory of 2900	224	cmd.exe	130
PID 224 wrote to memory of 2900	224	cmd.exe	130
PID 2900 wrote to memory of 2332	2900	query.exe	131
PID 2900 wrote to memory of 2332	2900	query.exe	131
PID 224 wrote to memory of 3132	224	cmd.exe	132

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1 [PRO].exe
"C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1 [PRO].exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Users\Admin\AppData\Local\Temp\XConfig.setup.exe
  "C:\Users\Admin\AppData\Local\Temp\XConfig.setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\Settings.exe
  "C:\Users\Admin\AppData\Local\Temp\Settings.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3336
- - C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Settings.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:4256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3864
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2984
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3344
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:1236
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:2332
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:3132
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3992
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:2432
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2200
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:1132
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:3492
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:3676
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1224
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:4024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:3020
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2712
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:3956
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:4340
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1920
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:4356
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3688
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4588
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4812
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:64

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bd64cc40,0x7ff8bd64cc4c,0x7ff8bd64cc58
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:3768
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff783784698,0x7ff7837846a4,0x7ff7837846b0
    3⤵
    - Drops file in Program Files directory
    PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4344,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3260,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3160,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3684,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3204,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4488,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3264,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3368 /prefetch:2
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3136,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4804,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5032,i,17405352958639007658,2774427928703292728,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1792

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8aec846f8,0x7ff8aec84708,0x7ff8aec84718
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:5580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1380 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,4518808310352605199,6998056933138418443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x514
1⤵
PID:3268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1404

C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Bltools 2.9.1 [PRO].exe
"C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Bltools 2.9.1 [PRO].exe"
1⤵
PID:184
- C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\XConfig.setup.exe
  "C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\XConfig.setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6016
- C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.exe
  "C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.exe"
  2⤵
  - Executes dropped EXE
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\onefile_1984_133832762438253106\stub.exe
    "C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1848
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:956
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:5204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
      4⤵
      PID:3124
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:1500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:4840
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:5780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:6116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "chcp"
      4⤵
      PID:3844
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "chcp"
      4⤵
      PID:1108
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5188
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:5996
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:860
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:3068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:3132
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:332
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3688
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:1920
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:3584
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:2572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3516
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:3988
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2312
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:4800
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:5068
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:224
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1268
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:2640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:3984
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:3968
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:3184
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:3012
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3460
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:2300
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2436
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5172
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3408
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x514
1⤵
PID:1648

C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.exe
"C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.exe"
1⤵
- Executes dropped EXE
PID:4364
- C:\Users\Admin\AppData\Local\Temp\onefile_4364_133832773497630949\stub.exe
  "C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.exe"
  2⤵
  - Executes dropped EXE
  PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3284
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5716
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
    3⤵
    PID:6096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:840
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "chcp"
    3⤵
    PID:5688
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "chcp"
    3⤵
    PID:4012
  - - C:\Windows\system32\chcp.com
      chcp
      4⤵
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5000
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4912
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3080
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:5048
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:5696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1160
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2200
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1948
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:5704
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4884
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:5500
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:5640
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:5984
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4428
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:5164
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2692
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3448
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4928
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2764
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2924
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:624
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4284
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2872
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5884

C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\XConfig.setup.exe
"C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\XConfig.setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\steam\steam\Cookies 91.txt
1⤵
PID:1568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\r\@InfernoUrl [URL LOG PASS] FREE#116.txt
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3d3355fd75591a9ca1be4360f58da7a5

SHA1
84d7b1d0bb8eee827f883696c2abaa27603ff8ce

SHA256
671204dae86c7cb425fb73e004937ba0b7cbe7af9e6bad6103d84a2b5550a15f

SHA512
98e88a8ba46c7c9a98be8cfdda3276c62cbc8567c72c655a2732804cba789f4a1ee4855bf3b4125f499f4511c02202a8548b6cfbd6ec729729e816aa42feaff6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
7978a9e6312aeef2fb75a5184b971312

SHA1
312d46ef07ed60cb3c48cd586a5189d4a7cb030d

SHA256
bbb5da7e7ba55a3059a77cdbad6147129d94d7ad45fd15f10ebea2bc4537f649

SHA512
e738bbf00a4218607c1d13aa06792bb3245fa7999a844cfdb251caeefe0c2df0be42b9bc2aa8497927161fcee6593d9e9f9d69cd02ca9b213350223c78ae5e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\a8737ed058e1cbfd_0

Filesize
289B

MD5
08c2a61867a7f8f12e2b65557a469411

SHA1
70c90b1f1f17421af2e4219ccf68488758fbc8a1

SHA256
abc736149968fb39fb2dcefb10959cbb24f44a212340fc17ecb5295124605049

SHA512
387c0249b4064fe7124453a1814e954c869a0279829f438fa52c0d4541cd76af32cf098683e527a20ebff0b87821f66141ce84f608f3a57d5e8a2423414cc3c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c4fbdd444acfaa58_0

Filesize
377KB

MD5
abc567a1b9c48b8052282afdf2e51145

SHA1
7035b5ffe74434bf9a6c297573f1045c9c602dba

SHA256
15b9eae09f8370c857a570e42baf59846f228ee867353e1274793eb08d9fb3fe

SHA512
e53b8d5f66dd6ef36241964c1c2c1d328a69c2f42418ff9ee4b8f61f027ee784ac25542bcd444f1194c3456eb10ef3a8b1440e611d0c8b2436dbcd62e5d05de7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b7e180c495c3ab940c84ba133f9c390d

SHA1
7a801a1cb1000f86c650bb195ce80896a936920b

SHA256
f289346d6077042b3dabfd6b95cd972b4d97a7a71e210eeabd3ae953bb17de74

SHA512
a7d3b35cca4c78a357425414de9d9af313c5c246b76d016408523bf5ec3cc4d0fb6589f868e48682f9d6171169b6938adf016c3fe542d837bfa4042ad382c5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
8199a3908f9f1ac3371341b64eee5ddf

SHA1
c17a2c94a47f5118007b354929f75cc8e3a0925a

SHA256
a92e7bc44522b857c8dc19db926bde917e7f73d34ee274bb67be6146a6cf9662

SHA512
61e065f1a5f617ad3a7c88419ee642ca514eb02dd6759ac00cc3c5b1e6be23e75f95dbe4457b51cca446a6c02b8f9031f0ce2d290ac70fafb6ac96b6c6671d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
eb990560f729fe24a143f0f0b9357459

SHA1
b71ed51bde50bbf2fd6979e9ede988f23ea7823b

SHA256
de950014185b1b622376980dc78aab9d2542c34b654e94efb63eb0c283ed0cd7

SHA512
3c3d66b6ec9f31c090e416eeabdb2569a5de0f3028ea523041ba6766a6c332de873bd03bc99879505fc3f9679e36abe6ee5fcf43b639c2445bb8df2c17e29b3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
02403e3c079dc72800d296f0e0a4d875

SHA1
0f24e3c13a477fcd2a7abd7311708340988de409

SHA256
3875ebce6fce3bf8331fb20c8d91f30efcf28d239ebafd7210c8dfc97c4e27bd

SHA512
5ace367f1a946439b6032bcb6114d0dac965b6b30805cf05b90299f2caabdfdf26865375ee663f37d1bd43361aa42e216541c41a7c5c5df03c72c85a31edb706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
84f225722009ec08c1d75fc58bac4124

SHA1
7c5897cd4a85310089944a489e801597dad5ea69

SHA256
3024b6fadeb28425b1cba1c5f0867359baea8e3214eee0f87cf560f2bc2e5ac2

SHA512
518baabe8993ddb4d26b5c215bcb63967fadb9af07732af880f2cef260aff9b81e00c8b68c3b3e9dd13453a27d20f9f66b53c0aefdec8ad326a0d9dfb3b7cdf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
e9dd4276513ef22cac2d12bd63cbb40c

SHA1
9e2537a15e85fe022f7a1196f2e5f90f70c69e9c

SHA256
6703affca1cb78095fc5f4e06bf4a57b5bdb3c86234d7b3b248c4d4e8ee57013

SHA512
59c1fb08db9fcba00d671aa4132091f902506efbb5e0705db576d30eb6cfec92a887ac9b27a18b7b250851d1cd3e21acfea3f71318bae6da97beaed4818a2bbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c59363b3a22c7d24095c9eab5ea449f2

SHA1
dfc21541baa9324f6edc2a5a843b04c608a2ce4f

SHA256
82ac259fafb25e54232718c7b81e199d844034f25ff936698844ed7f02c831da

SHA512
499021ade275e3d3cefeed501f2cfbdf2c8e1df4caa7826041c9c4602807a3ebb0a2b23f29b3ac993d0b88138ecd17ad4204b1e1c5874a5bd10d2eb662dd8abd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
2c9936904cc5ba0dae891f941346a8d3

SHA1
af84c42155090efed32f7184e0753ce4e6cb9e24

SHA256
7a8eb259dd13ecbed0bdd181e0bc0a35ff79960d47b3338d18d64af3c6eefe66

SHA512
03ee43ccd7050dd947187ba38e7d737b0b4b3669112f3834e2bb797cf5cdae7a31bdbdc5f5bce10c6f3a99f5ad381185b585d2ce011203fe5a1c7ffe3a93b59d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b06a20f39e2bdead3fd16b185cf6a99a

SHA1
be6501023a12f90504a16b01f9385ce1c54cd4e7

SHA256
9d059624fa199752daff1217ed51f2a221484ab7a7caaf28d619ba10fb3c44e2

SHA512
d386196aff97a19e04263cb075f183bfc6237b7a0092674f88872ececf57734abe8deedbc5b49e9b541128aea81f32bc95a4e806c2904cf5b2683aca53544e90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc6ec688fb6c1465ce6e6805c2b032ad

SHA1
1b31b501b401a30694ef79bb0c684abee56b52a3

SHA256
73849140a5fab8bc196e8f5ad16063ead7c4fe8a8c84b77ceaa091db8f72107d

SHA512
dc63b93a95eb6fc3e9f27665004914e3f018f194c2afb3afa270c36b750b88136d4824c942b8052b6d263e76f5ff15a25831c8955d6bb2b1ca37ca66111894f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
713e43a4ef9c7cfec33444e99ab97737

SHA1
d6f503234e10fb63fc6e855b53ff9e4f99350ebc

SHA256
6cad850ce8de9532f45df96beb2376d33830e889a03dd94832b92d371e4f56a5

SHA512
ece6b35b4028a1150affe5c4a7256de4622b1819f61ba9ec84d31e7fbdc4416d2e8c1b6337e5b63148e67def57bef40df151f29f39718721cacb35a4c72d36b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6f321e4b5afda86332aa2d8d85007136

SHA1
3b735ed84c87f710d05d2def5c94636cfbccf9ed

SHA256
1e967a24a14952eafbdbe356da1e916fe071822f232373584b0b3f57879ae032

SHA512
1707ff29c23c15d0eacfab7f9338cbbd17e12a7b2e76b623d10aac1d0a72a9b165ea160158117661e5fe6cede076baf1f8597eade29596a42621eaa4ec80b638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d99b9a1be06a02063a68eff0daba050f

SHA1
4edd660bf9463a0a78a902999e11f85a0d8ae6b1

SHA256
ee579d4c60114fae40505f71103dfd851dec1ee6044c9e0f5ae615bd0f23d50f

SHA512
4364cfec83d29b180ecb077375c50e64bff35f769f786b8847004b37ff8ec0d5070da6425f710b632b10bee4746c6e365b80af1a356c8fc0a8a7f3a5d3eb36d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
82bf158b6f4f119680253c2d94e0c93e

SHA1
91c5737aec931d7a6e15843a4005745d888afba0

SHA256
dfcaf81d37dde61794cf9586f888a3728be4db9db90b7142c12ae4c267e68124

SHA512
548bbf9167112b083a52ad76c18470479eb6f339c105634cdf67e48a905f9a6171b14763356b9d1e153c3920dadf4695e0d3d21b33a18649e3071cbd6f36651a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e41052121066d4e49b91ba455665e73c

SHA1
b92657c810f7dfdef3302210247d75084bf7c862

SHA256
90f3c0fc7c22a3c14ecbeda4d93cde8e55b472fdca62fa806a88e08f4b004d2c

SHA512
c594290092d97a13de5fecd547f34ca1670d5be7c5e9735c6e3cd38ece3838f74ebb93748ab487b2b84f44645ba406c7f6a95b38d19a376a43befb7bcc8b2115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
096fdd0bf4bd278d6c05584415f853b8

SHA1
280a1268982665d2fbb4b21d0fc9ed7a04dcb1b6

SHA256
87a857afcd730558494d0c99f204fccc841eb1df77dd13559a204df20b7ce282

SHA512
2bf5817c29fbb40e0ba76a9d8f89eac5136e2279d53edf5c83ee1263371c8647d692b168b2b1a953ad523c4483ee4581ab0d4aa9b63864849f746e2dea596408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54ed2e34525401be46336ae6eebd295e

SHA1
a39b9bda94d069e8ecc511151dd2786752beb73e

SHA256
30e9f6d1899d5d1942fc9b3ec746c6f710e855622ff635fd297a3b3d25c61e8a

SHA512
32062d8721f75355a4c58335465b6deca89ee634000c2e3d1dd35053b03b86702094fddccbd478cdc3c03a8814a5ad560711f5976e3732ae45708f4ebff9fbe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9ff699012bc33c4cabd21f2b7a668982

SHA1
ac3796a45d90aa992b948f0f64d65ae6b28ec463

SHA256
6c2ec1ababec9ef75b4f39d5dd5592654ee02688738d4368c94f47aa57dc0497

SHA512
8ee8ed3471a995f44ab305a1d61440021e1f7ab60ec06d3647fa6c6b7372f0bc7828f9230924e5a85be8c9f5c852f58a1ef73a849415885f1661952210380cc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
40eca762c7eb1f7f89a78a19ef857a37

SHA1
19592a5a1f765b9f658346ce65d79b521d83c3a5

SHA256
0ad76b1372895699fcff0b4f5a0bb7c1e329caad37ba7fc09a61ce88282a7d28

SHA512
4e2cb3735440d6120fcc9eb0199c7d68f7b074680117140fe08327321226b3f3a3a377a853cb2e80b24ba4970665f8337d8097499a42f171e885767f7e42b189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bec0c057-a251-4edc-962d-822e45ed0bdf.tmp

Filesize
9KB

MD5
e1e7950db579502669e6a75109e5abef

SHA1
60913dc5f68f2dc358444afbf8bc25a1a3b20e8d

SHA256
ff2c1f7e27ba494929601bc680ec94ad7e8585f12e5641b26e8340cc373c076a

SHA512
900ed128f7d484f188f95353aef26a9943b29c8a7f65aeb8ca822ff04c437831a7dd8b4af4f4767a0f02e036b9f207ce88b186d0afd1e717a12bd4dbfc9ccc08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
62ecda1737c2e8fa8918103e1c088b8c

SHA1
df73d855f8672f2cd47633f115c4fddbb4dc51ef

SHA256
1fd97098edb73684507ff3e4678ab31ea68d7a7a413f4a1bd1e668d1431b66fc

SHA512
9b9f54c04f996d68da86b61d36558558370527af70a1570c8d2a3b9fd3bfcb94e6aa953dfeb1f8b8c820a2e82990a5ad55f5fafb22202be130632471845d2aaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
241KB

MD5
e278a5102fa27de58b4c2290fb961b9e

SHA1
3f6fc9ed5cbbc0ce59cb89130d1871d8042e9a75

SHA256
1dc692a32c04f8b716b4cb59f742ab052e5c58bddcb683dd3a3a2635b8f2a936

SHA512
044642c35db6b1c51d0a71c6dcc5f9baada853e36bfaf63cbdfa0df1836185ffaf8754d4c600850953e8141f79b651097ccb67ca445684a95daade6038e32263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f222e55c-9048-42e6-b983-394a8f8f994d.tmp

Filesize
241KB

MD5
8baec7950d1a6e9a60aa21a15c07f00b

SHA1
d90eff15398de638f126313ce2cf2b73d69f61cb

SHA256
957dec01f20d3ba06ddcc1ea71ecb1b16354c4ca2e05f29a9eab40461928e272

SHA512
a8a2e51aa29dd40f551b7a12bed09f7d8c79f84bc8ed6baae72c8db4baa8cc02cf36876fbfc5599b098851cb786e2af3b863de59c6e5b99c2eec3fcb5195a455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
50236cd957789ed0d1b6564c7f0ecfae

SHA1
4c9e4dac57ab9ffb5bc55154d6ff89f1e6c1d5f4

SHA256
5820467c07d06249a1462b7c9deeb0801a8a6475ea19637397b9bbbc95f90fcd

SHA512
1cbf4be5224fecf811bf81361d6d282810de016194b17e2002d510287d384048272215b813838912eebcdddb1f657ade0aa3c122871c9d636b6a8fa8e74535d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0504c0d0b9c007a767de8a404f2ec484

SHA1
73b1066ce283079341bc94a3e5c65535f0523145

SHA256
3469f4679beea250ce59f3fa4721e48f81587735f44e0fa2b70638b78dbf8a2d

SHA512
c6c0c6edbaab3b92832c4140916e99ca6725b79e5d3a43ad59ebd94a567458ef79923e2236b43344ecb6fd75442d0c7779b024edbd1bf9035a2a86ba7e5ce606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
30KB

MD5
e64d579e14be3760f5a65c3a72f8adb3

SHA1
12c85b50ff003d832dab03db8624dc47aef30885

SHA256
f6089593b22ba303b1f11e5a15198c7b1394ce123717d611308a68519c22164b

SHA512
92845797cbbb89a11380bde3eecaa871f24f96d377e2792314a3799711822b929220b8fdd12caec1392d768268d2e53fad7f7bc01b336815a7105dbde4ad4758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
20KB

MD5
2ad72c7368127a1627b7b54d5224c801

SHA1
8b7acc8ad05dbe24f5ee2328ae9648832ddc3aa0

SHA256
f2708eda5a3d687d754d35edce72f0052b26726070ed9901fe14882717b1110f

SHA512
39465e4e889459aeb4a159c15bbf7c88c4798ac0cb532f6f38f57cbcbff873c3f7e66db4d8c2204b695d19a6dc59b55a3a8c69d758a543c6311d834bdb3e30c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
616162505562da6dd7d3fe8a88a6a1d9

SHA1
70dd3d073d70303067a5ebe333a4b5f2a127ce77

SHA256
44897b4874c9a361177e9422bf3f7436b096e9710d76a1b447e9ac54291fd906

SHA512
89727271f8082aebb47f74c07f0ff6939d204315d918bcfecdce7c45d275e78b885778a18f44c9d63e5fad96475620bc0706dcc173e9a97afb617b313fdd0bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
20KB

MD5
e33c42604152499bd05b70b7969ba1a1

SHA1
c45c45512da469bdefa0858d01a3d18e5d23d51b

SHA256
c4ddf75e9c8f38bdf3b676c81f8431578e9df591fa265558b4baa84dccda2696

SHA512
e8fa8eee7f85c4b5152d1542be13c723d1211ebaaaf4302aa363d14bd1ee650d6f8e95b8d547824762a47e930377470606e12faf67915d2b7c01e242f68885cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
83KB

MD5
08f06e82a4e38db355b781bc7f223655

SHA1
3b0c4e8d9de9070282f6c4711ae991e412f0db71

SHA256
14281c14a41de925bf189870d8de6f4fd6f128c5e19196abc3aa624aa09dc2f5

SHA512
4ef1acf7641217f26044e93e3b0bea85908f317468e9ab2c0609230ac49bb665d0253db10314ddc5001ba94a6b60d7868413461c911ebfeb320c0af2886943b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
55KB

MD5
92d854995d7e5df677befcd1083136c0

SHA1
77d1cc98499b3d169f39e5084619eb931ece7245

SHA256
0ee1df10d19c74a2e7fb8a8b374f8469cf103d071014e778301a5f8ddb85614d

SHA512
f51e555feebc70e27aa9efb66629fd34adb6b018f5eaf23af7463d89d32424b31fb2af71df966ff85f3b8c34584d0d6cfbcbc6a097701bd6b151e352ad50453b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
210KB

MD5
6ae4ca7087d15632985513d62ba10f62

SHA1
89b0a1c166bbd9c3d14fa471110a28a6287bf5ab

SHA256
d08abd6b3825bedcd754ffb24226a5319ce78fe6e1615e346509bfe11c66f8a8

SHA512
d5d7142bfd93264c9aa06b8493801cb039e23a78827344a9a166f0e0f3cda42257939cbe6a26f6c021ab72d52b0bb31f65fdece4d2322c3dfa17a62ca19fe5d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000074

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007b

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
e888f96e05e65c4d542e2da59ec56031

SHA1
833a7a794809b8c52218fe7cb4680a55c66ee915

SHA256
aa48b1f127481b75927ba79b2b612e0fd95886c145085e3ac927e01e63ca1589

SHA512
8cf4eaea028aac85eefcf3d99fd5d382b2b005d074ac7400f84fe38633a612013fed3f51f0450708f71d1afb8b1b29ece9641908cc994d5a45acf7367b9ec6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a946d24350af73f345591adf37ecbfdf

SHA1
3a78f43d3ac1d98abd070d0900864f220e472918

SHA256
6f982d7f8e8a8b865cb0235cf684ae4a8b0676a6ce35220c5a2a428420918f2c

SHA512
e7393bb73687c77b03d57e9b2f1b4f644319c91416767aeb719e0f382d125583b33e32eea2faa19bf1f38af7a61718addde084a93865e694a570b42dd98d23d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3fc267ae62990846e8f7aa7b8fc52f7a

SHA1
2b8fcfbb5f15a52a4b21bb1b39317cddec25b6ae

SHA256
18c63d7251569648cc13eec2a7f7e3a3a7e7330a4447512cbed1792cf469301a

SHA512
7fce4c6cc5b321cf3f869b19c94b953005833214eaf74a47133ad21cbdf0281ddf766aad48a79407e05d023876189f2ad2601f1cfb856c93d2356940e06e020d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
904a0047dcc2e9743bc438b5577b11bc

SHA1
bb4185bdc2d228b395fa2fe0302032b3f396c99a

SHA256
d996205f4f0b7650b0e8f150e7f635978ffc43973337f7c009cabd6d65ba4146

SHA512
c35ab6b81dabe3063e480265a3590ad93da34a87ef2399e10ba31a36511d7090d7f252e20b2b8471de1c9bcf7f227bbc19e88c7f4d1acd4d9a56b9535ce3b544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
4d011d92b344e6e58cdbb38869c18a1b

SHA1
d8f0ea25617f1897c4a53fa10c64e1ce6914100b

SHA256
3c4d1858d20cd0d43f2c16cd522966fa5ad1f102800878b16830a7eddfa3a4c0

SHA512
d3ca72ea21baee272b781785fedf929514b464d5c0ea686eeea9e8a058f0788664b9424c01ef5998d2ebc6e73a5995eaf79fc2673b0389b55549ea70022401cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
e26598985ba93d48475447de12190cae

SHA1
69b0db1f0ed0cf9e1127298ecb243ef355fb1f9b

SHA256
d549921d945fd3a07e1846785105e1f777fb1fa3eba48e4bd8c04d92f2cc99c5

SHA512
ae59987d92a6678663a94b636f4042bf3cb02815c6e5355c0060ebb3e1ab4e87698630f577fbb379129a3dbce1a93ca3665910aa6bb3b85869ab52660f04ec54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
791B

MD5
be0743c8303744cf6499b5058b2eb364

SHA1
44bda41a90512d187df3ad18d708eb1cfebeb33a

SHA256
66f27985cb9b5b4442ccb6107cbde7b45fe02904e2b06da63bbb5b62c8164e8f

SHA512
e66d09d35621adebdac9c494c6b4746bf31da89754aebeae612680a947ec6b7f2c01e021d61bc7147ba6231d6d575bf3d6c19d437f5b836a071217ee8bc0d7d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
37a58f93feeb01eb807ab51ca43118b8

SHA1
aeeb6d8c8e621b6d3c389fb8213a92d60d114c07

SHA256
92d8dde590aa421dea9f79afde524cea60041d88d49e29a816df27f081b8c098

SHA512
4373ccccb3709e89066363d29b3176e0be1f7341c89a372645a126f9a931e637bd9c1bd9df093b5e6f8b01b002242e2581d0c01832d5ed6fd9f43d74febbdba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
34f9cf7ae5d48d2f2d9e6340bb2cec87

SHA1
982544d0e0b44d79282050483b9fdd6e9eacbb7b

SHA256
ea8dff4cc66b5521d121390071b82f9e2dececa75792142de7956d31845484ff

SHA512
5e2074c33456494400fa93bb3e3a5b4c1d7da0299f1cb706b3144d1c4450e40ed915046daeed6ba1d950d8d15ff499c4f6d3d3dd7e3a47557e97ae39f749d582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a44faf5d17c894c514810618d6461493

SHA1
4cd6800f2348bdae116ec26eed2a63e4435cfd6f

SHA256
dc9976a25e051ceb644f47116c24e48717d6791846090421194f7a692132c87b

SHA512
7e853115a0f29694f6a0d4fdb1c9acef92a46bb5f9e592c978afc6397a77af4a48b5c27875333658afc7c11dc3d3c6e0a0551b83a629679a72dc09cd23115c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e40cbcac3dcaf64c02076a2b54f8f5f0

SHA1
ae5dd97065f5ff0435879ea023095b662de90931

SHA256
54a4ec8e73f86914fde874615b801af3418a90c0cb3d38a71bda346651468b95

SHA512
19af8d3c9fbb1185ca36fecdf6b92b3ca35403ba84167a32a3017bedc3823b627604abd32f7b736a418697f5c2b09760b0bf77e9b4dde6b5b175600908cb531d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f67ee60879846dfc10f1adee93bdc940

SHA1
100557036bc809b11ef153542f3be2264bb46de9

SHA256
d45763993134f8dc066b73134e7d0082d650914b3e65ed4062c62abaaabf93f7

SHA512
c62386bc51d643c37750f07cbdc5f1dfd788af81219ebf1a651f73df56283b88bb557becd877cbb388f3dfaf3df55805d650f7daddfa937ccb8a5d72ad65565d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3246ca33a2fde87624940c9831a45876

SHA1
a224c6d8a585b0c680a318994608a97520e78b89

SHA256
8602cfe3efd65b941fb3119996ed5acef1247fc2d8faa25ebd9e89cb8aa62ecd

SHA512
d1f76b76473c9f7f9b663600bb25f952c920fe1eb881db4a4e1a8cca283fecb5096d2d8836bfb44b809f3f53aab27e362e2c3f361a3b942433a9407c1c55abc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ce766cbec876a4b445f0cb9a7db663ab

SHA1
f57a0a874f7a5208b1ad6b1fd6a654e6b106f6f2

SHA256
103a1c273761f137ddb2bd43d4225a534221b3ef652e553f03062fc26bd84735

SHA512
776ceda9545fc3d1e032c5112ffff61a81ba2aec8c4938564a93b152c0f73ebd76093d3257ed1a7b341867f0ddf6010f43d1e00c75441754dd3d0f36049dcf80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3b151f60a09c182adb071d4281da51af

SHA1
1a2b88997d5a805ef7edf724390309c10eca12bf

SHA256
e74296462e51f6ae69e80d2a66f3379078d04e08606a8dac4fe972e7d0df9340

SHA512
5cefb0276bddb15e7cbb567c2e6756d088b05e8744d013f1ec6fde4230788b264399f3abe45794e897ea11651703521e9690a81d398aafbc9bd26e65a98ceda4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb40e0d6f337317a8e66132f807abe4f

SHA1
e6fe7605a44e86513dbfed911008078a9acd008c

SHA256
07d9b1cbe13a4005f9847bfa8d1b1e927d184835c21f46c177ffb9a0b133795e

SHA512
d4f4dbc508a7136602c40bfe5416a5f47d2046a28ceabcb26b673dd70f7d4c4e9f4806aeae9a0a8e433bb2e3314aead2de6fb56d35aad57feaa7cc88ce8b4725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4df1fc13f63a756c3448dad6096cf6e2

SHA1
346be7e3e007b4643437a6c59bbf9c55a8c93ca2

SHA256
5026b5b8a1c8568e7cf369d9a8fb7af67ccf41e8781c43a960dfc748c4459ff5

SHA512
3b34186d241d11063c4ec1c6a042b269c3402cb5ffe963e2ee9a3d402c47a516699320e8bd4b329ba19bbed4999e7495712b288e0977b8159e7f69f625161e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e1a34005964f5e86d6179373eb25825e

SHA1
e855c8579cb152942c70fe9b275637eaa53afbda

SHA256
cc371f8fd752e96efdb43c3865c536989350191eba4dc8040747d1c8c5e777ee

SHA512
a5dd1a56390a1825f762e8fef04ad9cf8feacaafa3b4ff469170d816886bbb869da5ae5e5599e9e128e9d70cb8ef49503a0c3d2c0d1662e6a9287fd8438ee5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0c6d598e9fc9781036b42346c18eeb9c

SHA1
ef33038182035adfa69a89234eb688ed72e198a8

SHA256
15b685cbc5a03bc4efb63d8e0ccfe5e35837c2a3dce628fd6d936c73b7abdb54

SHA512
1234639b366385434936896c1ec930d5c44fe8f94dd8719e8e95a8417089395e2c3601b98fee9867885270c379911b8791e0da7fc434a59b6d877f98a8e1847a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
35f5127d2c640b0a425290ab10057a2f

SHA1
fd7c2dfdb2bf9fc975490d5a8afb6f2a9fa05c0c

SHA256
feb4adaa6dd1a6df3486e729a009a90cb29c9795c2dab6fc9b0a6b6bca5986a2

SHA512
e93015561d60b68d4c26a7bfba71cc6b6051fb23be05864b1ff9cd238ed45226d746a0bd901fd0f6e23e70b8619d3bd1ed26bbeba161b4370801a2385ceb72cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
df48cc29b4116577143b64af82b263e4

SHA1
1c03a575fbacecd7bcf8f33e82e087472593cc4a

SHA256
980103da3c9ce2f640a3d3fb825270499bbb3624ac4390137f2b209814c161f7

SHA512
8609d85e4b8f4e1c1a393f6edd66bcf0923fca3bdfcd4bd6183b6e0e07c9c4a90a6e9e6ae920474895bf54f66b94b9f164b1e15a82d11a2c68d87f38ea1fa38b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe607a64.TMP

Filesize
48B

MD5
40f200d4075b90892392d449f42523d3

SHA1
03e0250a19b17eadcfb77efbd2621e11efb86c56

SHA256
771b909bda46c4300c6b979bb5d46543ff86eba0e29446ed87fdae84b257af88

SHA512
2a112c55b9078e2a65b3ed38b31d52a40444317b33e56003b85a513808e1b103d931ba982fd30b1654f4a9dd86e65ff8302b1da422e42a1f5db7e7f0f4c493d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2134a41a52bdbf7d16326625fd4a0a9f

SHA1
0fb8352eb01fa73ed371c8afe7d391ae5b2cbfe8

SHA256
fc83036402407ed2abd24fe1d15e8fd9d79d26843b277b493be14c3949d8a434

SHA512
5f9d0c86249da5e65d8e316d1db7c92fdda8620dc494794e9ca0f4787e236fab232d7310dec2e93b874a2a5dfa190e1caad545e63f2b856a855bf8490dbaae2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9e41d6f18903e30a50fbd75f68a441c5

SHA1
5104fec0ad433d53ed9949f7d6ff1d0ee7f7beee

SHA256
955cfe257ee88f5423bd418e065c87897f327281deed000b4c00e1177520eb2b

SHA512
7a06e646a247c3aa085db900d13237a181533e2ffc8a582e9185617bcada6cfefd6ff7e3a527da6c86a20b9f1e989e372987e9a6d5d62f0487054e14d92bbec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7e84936ec9b75a54bc4ba7edff7590c7

SHA1
31bd897a115584a1cd4bd3745d11813aa5945ef5

SHA256
b8fb97176d9dadcdbdc0d27b3c6a0355a03525d1fcb2673d3c26d1b54c37387f

SHA512
bd2dad9984ad0c6fdd395fba83715aef3dc2f00a3b5c5f26127361623b32784ed4776b6025ca6afac8d65a560e62300917c6a9974a45e175d1f64338abb4fa70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11904458562322c94e90d3cc01bc9ac4

SHA1
a7fdee215fd5069410a0296e0efbe007e564548c

SHA256
01e4f82686eb78ea7c63abe02abfec32e2cb047deb1b4f92d342b738a6aaea08

SHA512
1ff6c4cc876760544035c125f370a610e660ea457552869f8afd07aa500e33997f10228c9a4658f40dc979c5c09556608af00b13c827f5ca618f98d6256c8c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
768dd33bbb79af29f5e9dcaa492fd311

SHA1
6258fb76a4c463b13a963db817da172f60b19c08

SHA256
bbedc63c6e95aaac3f038ee62c3a4e9622cb6264e7750b0f6a40488e571b0026

SHA512
d95d0066077d63d53a52c265a7368dbd6d825f7fef721b68708d12aae80c19fe46952d4c958672719ab36da870b07e6551600a230899fd7df75e624a6ca9e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
84a2dfc90dcbb71f56d401745f9860aa

SHA1
5795b2561d2550c0ca72178731c916be965ad895

SHA256
c412095ed229710b977076dd04043b86df5edd9c8e054ee766eaf4986b56023f

SHA512
06da54b59290a1e8b5ae07d5a6312735d382f673ffe434300943db38c67c382d294d24decafd0122c1838f50968f1e170b213ce8531190c1e685885325d15f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591592.TMP

Filesize
538B

MD5
fb0e32e8777b0389feecb217bb2abcf5

SHA1
e575de3b6cff321e595560f8997a84a0ee546e96

SHA256
fef626c923e8d3a2a0bafd04a1def1a4d006bae14a6dcadd244ff26e29f29f02

SHA512
6772886a3a40a6f6f1026af6583c959a85cec1af1a8c933c8a21f01ce5f0e4040855016c5ffa2f18ec60cafcaa21cca51f153dfe4ccab53a49330162f92d0022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b692876d-ef0b-4f7a-a1b2-a0fb253cfd8d.tmp

Filesize
1KB

MD5
8ff39626f6e950b3cb3a4441efae8168

SHA1
a47dec887124de05632118727dbee3818a761be3

SHA256
808dbbb0603d00aeba3fbd3453ce0bbb69b2d0b35a9f298f091705f9d845ca9d

SHA512
4cf0bbf1a8abbfe76f99f8e6168512e4830affe54cd132a45a0103ea943df7e4006e9771fc42f9033fdfbe59562fa5561e1f39f0a9e0621f47dd035a936e9297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fba61de5-8cd0-4609-86d1-66b427e7a9f1.tmp

Filesize
9KB

MD5
133eb617dacfae963812330547f3c46f

SHA1
9f22e9488b97d6132259bbfa5f535a52895531b2

SHA256
887ed2fc20e230af08842a845a64962c7d458b5771979866d657e7d23ee44075

SHA512
89b1dc5f3bd8ad1cea7ecdec126a8466901abe023ec2c85f6a8125d3784b5d4e5d32877956d888e856503b56189923413f71ab6d57d3bf8c90126c518b318205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b8f3f4a2209806f9ca8e7a7bd13a65a

SHA1
011003b192d0be4b6e90757828ed83209ee96f4e

SHA256
c620b8eddc911d8490af6e63d1d53cae2ae3d6a2fcd6166961427ec6323fd939

SHA512
5b48b77ed105a1b4c10205ac71abee670c43ffa7f834f6489f161e49421882c8ca079499370e8911fd8f05f44799e205c8c3a99902963e1f10fbc00ba6805007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
18019d938ae4c1766d66f1872764b1e8

SHA1
8cc8fbb0f2c5f888b04727c18d6553d9acbf39ac

SHA256
7f83ca4d9edb5e83c057fb0d303f9469c69b4d3143fe04e049668aab86ac6746

SHA512
f314b6c9aa7d8e6859709ed8b7acbc26d382f756f4474cbc84b9b68e6822d4a2a66cd7def34e6ce056c2c059c18d8ed256ae0926526fd6946cdb284645f1c77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2cfce5e6d8e1fca6f414eef4ab88f091

SHA1
8c4f16640e01dd364a570cabf77211d0c63e8b10

SHA256
39f8f8628c5376736497a63ee7b80074483dd1fefe7c9f03f95965e4c0e14ee4

SHA512
ae3b05f76f0f27793c2aa96d5a782ef8f9c2991dffcb8cf7bb53a4a911fe13916b00db6bf5aa80207224ff2d335eeb7ae11fbb08fd28aa8a99d547260ca2c3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
64620562a9c797830f10c6d111b56b7b

SHA1
b09cc7ecbfd97ac56afded91c790d4c841f67cd6

SHA256
7066127417b199c67cda1e2379296a3fcee2fce4146cb3339d627abe1f77973d

SHA512
0e00ea422002e0bdd399265561484f04e1c67a6383af4d63535391784659e7703d2e2ecfe27f480192290fdbc29b719aa7744c3ecad44b8647f1d817c614d379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
92bd06b3ddaf4c1107e3f596c95b4fb0

SHA1
1ff2449f9f8a33436283dacf3c1fab555e68cd54

SHA256
eb6d670ff9b39e79a3deee362f926bdb2bdebdc2a712933257d32bd5993cf26b

SHA512
1c23902d13bdc23bb81961f3ac0bfb5721100185d2d4813eae00c29dd88db85a8d43323a3bac499c59df6e66bd049f482d5ff442855425fa300f358b34afa960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b1310de1073c92ca219f37b66bdeaf91

SHA1
3f727b35e08efb76f081df00ebd1fc72c573f4e1

SHA256
28b4f1be8c53279ead649832b528605de928d556500689a769f4ea1637c641f6

SHA512
845caf5bb5068292e6136ebe609b1cc0f12976a9282ff21a4924ed9aef52c14690517ee4ece351d9349a563e5ca63c05376c96d12f7f155eb53090ea4b19a4e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d78d0665e6eaa117723048338f168419

SHA1
faed6c2cef72a931b615ec507c20d66685af2e0f

SHA256
960320de0c88a01138c0fcd8b4a0025a2acf8e0636e068472cf9034f5cd02972

SHA512
857f3cef66b4d2685e595f462319fb972b2da628a330e2c8c53c95c9fa38fb8ba93a4e807eb75807f53c5a8c9d430be530886319ffa29d934ee86c7cc26bf23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
867b2436214397b28f15643da33b0d12

SHA1
6fdbcba9c904dfb32c7b3f9acbe60af0c7bbf966

SHA256
6eff2eab69c9fd9aa5659a1436938a04369fe8a385377b788d520e4e9d263096

SHA512
d285f2899c840a663dfa8daf6b4198d3da1d617730c31b3dbdbf4a827f47866694962f659660c05894f9ee4dd37bd794c8d2b005608f3d717b44ca66e60d037b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
95KB

MD5
7f61eacbbba2ecf6bf4acf498fa52ce1

SHA1
3174913f971d031929c310b5e51872597d613606

SHA256
85de6d0b08b5cc1f2c3225c07338c76e1cab43b4de66619824f7b06cb2284c9e

SHA512
a5f6f830c7a5fadc3349b42db0f3da1fddb160d7e488ea175bf9be4732a18e277d2978720c0e294107526561a7011fadab992c555d93e77d4411528e7c4e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd

Filesize
217KB

MD5
9642c0a5fb72dfe2921df28e31faa219

SHA1
67a963157ee7fc0c30d3807e8635a57750ca0862

SHA256
580a004e93bed99820b1584dffaf0c4caa9fbbf4852ccded3b2b99975299367b

SHA512
f84b7cde87186665a700c3017efcbcc6c19f5dc2c7b426d427dddbcbdec38b6189dd60ce03153fb14b6ea938d65aab99da33bda63b48e3e9ce9e5d3555b50a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\charset_normalizer\md.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
b364cecdba4b73c71116781b1c38d40f

SHA1
59ef6f46bd3f2ec17e78df8ee426d4648836255a

SHA256
10d009a3c97bf908961a19b4aaddc298d32959acc64bedf9d2a7f24c0261605b

SHA512
999c2da8e046c9f4103385c7d7dbb3bfdac883b6292dca9d67b36830b593f55ac14d6091eb15a41416c0bd65ac3d4a4a2b84f50d13906d36ed5574b275773ce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings.exe

Filesize
10.7MB

MD5
f48d8f28e2b8138e30b5031ae90f79f9

SHA1
6c6e00d7a5a295f7814f082c5650070c25e868ab

SHA256
c0e7d1d19d8d48d10db4458cfee55d4926e3bbe72147c8d7e6c0fbd1c33e66ec

SHA512
ea066497681861fa7ce2e7234569415c2621f9a80ef3dc7c86ac8bb382f697025ec87003b28f389e164f64aaccefb950917978772cb6b5a21fd18bf766f1f6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
b20600a74cc1fb01b16a695748c357ae

SHA1
c3d172636f7d2fb56e4cf86091dc7caaec8671f4

SHA256
951b02fd76e425424c2f188a4ea725e17c7739c24524c31fcc6d5fc49f01b80f

SHA512
f63fe848b0dd43288fa7f8892f743b4bff213cf7f6ae1eb66ab8626151e42658ef3c30f8c38439e6e32776d1a78a11652733b62f539aeb0461fa55f297e419f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
116KB

MD5
c5230f55bad899a3ebfc5faa5c82cb58

SHA1
8b37510373c9ebf41e78bf75b192a028ac19ad5a

SHA256
3c7c9fd8afa9e50535d1921115aaa3409ade25f29b38544ce80ecbb3c1e90950

SHA512
28bead30e0808c05a207377c1a3b3d5b18530ee0d7a5c9b64ba63750612f1eb268c84831b3c939d49593ea81f1794d376e5106345a57379ce45098d2256814ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\XConfig.setup.exe

Filesize
3.2MB

MD5
025d637741b1b326ded2e99e6b54ed77

SHA1
5fb6a288559f54aeb42203cf5e44a072c74f942f

SHA256
d68b3cdca20f0b871a653a3203e4292846e766b45fb989856a2de0fb9e0c4860

SHA512
720f4f03febbe7fdd661c14349680f6511a69487b0bdf5cd47ab4594b1fad49edeb0bde8e287272d84e21efc916ba91ca71bfa2632eba76e379e07815163d26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpkquqpi.b04.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_asyncio.pyd

Filesize
62KB

MD5
6eb3c9fc8c216cea8981b12fd41fbdcd

SHA1
5f3787051f20514bb9e34f9d537d78c06e7a43e6

SHA256
3b0661ef2264d6566368b677c732ba062ac4688ef40c22476992a0f9536b0010

SHA512
2027707824d0948673443dd54b4f45bc44680c05c3c4a193c7c1803a1030124ad6c8fbe685cc7aaf15668d90c4cd9bfb93de51ea8db4af5abe742c1ef2dcd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_bz2.pyd

Filesize
81KB

MD5
a4b636201605067b676cc43784ae5570

SHA1
e9f49d0fc75f25743d04ce23c496eb5f89e72a9a

SHA256
f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c

SHA512
02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_cffi_backend.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_ctypes.pyd

Filesize
119KB

MD5
87596db63925dbfe4d5f0f36394d7ab0

SHA1
ad1dd48bbc078fe0a2354c28cb33f92a7e64907e

SHA256
92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4

SHA512
e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_hashlib.pyd

Filesize
60KB

MD5
49ce7a28e1c0eb65a9a583a6ba44fa3b

SHA1
dcfbee380e7d6c88128a807f381a831b6a752f10

SHA256
1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430

SHA512
cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_lzma.pyd

Filesize
154KB

MD5
b5fbc034ad7c70a2ad1eb34d08b36cf8

SHA1
4efe3f21be36095673d949cceac928e11522b29c

SHA256
80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6

SHA512
e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_overlapped.pyd

Filesize
47KB

MD5
7e6bd435c918e7c34336c7434404eedf

SHA1
f3a749ad1d7513ec41066ab143f97fa4d07559e1

SHA256
0606a0c5c4ab46c4a25ded5a2772e672016cac574503681841800f9059af21c4

SHA512
c8bf4b1ec6c8fa09c299a8418ee38cdccb04afa3a3c2e6d92625dbc2de41f81dd0df200fd37fcc41909c2851ac5ca936af632307115b9ac31ec020d9ed63f157

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_socket.pyd

Filesize
75KB

MD5
e137df498c120d6ac64ea1281bcab600

SHA1
b515e09868e9023d43991a05c113b2b662183cfe

SHA256
8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a

SHA512
cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_ssl.pyd

Filesize
155KB

MD5
35f66ad429cd636bcad858238c596828

SHA1
ad4534a266f77a9cdce7b97818531ce20364cb65

SHA256
58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc

SHA512
1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\_uuid.pyd

Filesize
23KB

MD5
13aa3af9aed86cc917177ae1f41acc9b

SHA1
f5d95679afda44a6689dbb45e93ebe0e9cd33d69

SHA256
51dd1ea5e8cacf7ec4cadefdf685334c7725ff85978390d0b3d67fc8c54fe1db

SHA512
e1f5dbd6c0afcf207de0100cba6f1344feb0006a5c12dc92768ab2d24e3312f0852f3cd31a416aafeb0471cd13a6c0408f0da62956f7870b2e22d174a8b23c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\aiohttp\_helpers.pyd

Filesize
38KB

MD5
d2bf6ca0df56379f1401efe347229dd2

SHA1
95c6a524a9b64ec112c32475f06a0821ff7e79c9

SHA256
04d56d6aa727665802283b8adf9b873c1dd76dfc7265a12c0f627528ba706040

SHA512
b4a2b9f71b156731aa071d13bf8dcffec4091d8d2fab47aea1ff47cd7abff13e28acf1d9456a97eb7a5723dbfa166fc63de11c63dc5cb63b13b4df9930390377

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\aiohttp\_http_writer.pyd

Filesize
34KB

MD5
e16a71fc322a3a718aeaeaef0eeeab76

SHA1
78872d54d016590df87208518e3e6515afce5f41

SHA256
51490359d8079232565187223517eca99e1ce55bc97b93cf966d2a5c1f2e5435

SHA512
a9a7877aa77d000ba2dd7d96cf88a0e9afb6f6decb9530c1d4e840c270dd1805e73401266b1c8e17c1418effb823c1bd91b13f82dbfc6dba455940e3e644de54

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\aiohttp\_websocket.pyd

Filesize
22KB

MD5
9358095a5dc2d4b25fc1c416eea48d2d

SHA1
faaee08c768e8eb27bc4b2b9d0bf63c416bb8406

SHA256
4a5c9f8c3bca865df94ac93355e3ad492de03ae5fea41c1fa82fa4360c592ba5

SHA512
c3d81ddbbe48a56530ea3e2500a78c396385f8ca820b3d71f8e5336ab0c6d484bc2b837ae0a2edb39d0fe24c37815f1b0ccfe25235197f1af19e936ddb41e594

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\frozenlist\_frozenlist.pyd

Filesize
84KB

MD5
911470750962640ceb3fd11e2aeecd14

SHA1
af797451d4028841d92f771885cb9d81afba3f96

SHA256
5c204f6966526af4dc0c0d6d29909b6f088c4fa781464f2948414d833b03094d

SHA512
637043c20dc17fbc472613c0e4f576f0a2211b7916b3488806aec30271cf1bd84bd790518335b88910662fd4844f8ed39fa75aa278577271a966756b8cd793f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\multidict\_multidict.pyd

Filesize
45KB

MD5
ddd4c0ae1e0d166c22449e9dcdca20d7

SHA1
ff0e3d889b4e8bc43b0f13aa1154776b0df95700

SHA256
74ec52418c5d38a63add94228c6f68cf49519666ae8bcb7ac199f7d539d8612c

SHA512
c8464a77ba8b504ba9c7873f76499174095393c42dc85a9c1be2875c3661cda928851e37013e4ac95ba539eed984bf71c0fcc2cb599f3f0c4c1588d4a692bdfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\python3.dll

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\select.pyd

Filesize
28KB

MD5
adc412384b7e1254d11e62e451def8e9

SHA1
04e6dff4a65234406b9bc9d9f2dcfe8e30481829

SHA256
68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1

SHA512
f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\sqlite3.dll

Filesize
1.4MB

MD5
926dc90bd9faf4efe1700564aa2a1700

SHA1
763e5af4be07444395c2ab11550c70ee59284e6d

SHA256
50825ea8b431d86ec228d9fa6b643e2c70044c709f5d9471d779be63ff18bcd0

SHA512
a8703ff97243aa3bc877f71c0514b47677b48834a0f2fee54e203c0889a79ce37c648243dbfe2ee9e1573b3ca4d49c334e9bfe62541653125861a5398e2fe556

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\stub.exe

Filesize
17.9MB

MD5
6670b9a06b5ab7fb49ca6d5e56f43be0

SHA1
8d5cf860b24a4b5a10e3b0fd431df823836c97c5

SHA256
17a9b376d9eeeb3bf20a25629f6724540c3f6dbbf24672204e1a8e50b79f45df

SHA512
30da6a2c4d98b4ca24f694030d33d5d8e252109f0c187d2a7482fc45747d6d1f24170643f4a414310f5f5fa71be3109b796338d376d880481c5316a4b0b87c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\unicodedata.pyd

Filesize
1.1MB

MD5
102bbbb1f33ce7c007aac08fe0a1a97e

SHA1
9a8601bea3e7d4c2fa6394611611cda4fc76e219

SHA256
2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758

SHA512
a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3336_133832760640262364\yarl\_quoting_c.pyd

Filesize
93KB

MD5
8b4cd87707f15f838b5db8ed5b5021d2

SHA1
bbc05580a181e1c03e0a53760c1559dc99b746fe

SHA256
eefb46501ef97baf29a93304f58674e70f5ccecafb183f230e5ce7872a852f56

SHA512
6768cff12fa22fe8540a3f6bdb350a5fcec0b2a0f01531458eb23f77b24460620cd400078fd1ec63738884c2b78920e428126833953c26b8dc8ad8b7c069415d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4364_133832773497630949\_decimal.pyd

Filesize
244KB

MD5
10f7b96c666f332ec512edade873eecb

SHA1
4f511c030d4517552979105a8bb8cccf3a56fcea

SHA256
6314c99a3efa15307e7bdbe18c0b49bc841c734f42923a0b44aab42ed7d4a62d

SHA512
cfe5538e3becbc3aa5540c627af7bf13ad8f5c160b581a304d1510e0cb2876d49801df76916dcda6b7e0654ce145bb66d6e31bd6174524ae681d5f2b49088419

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4364_133832773497630949\_multiprocessing.pyd

Filesize
32KB

MD5
71ac323c9f6e8a174f1b308b8c036e88

SHA1
0521df96b0d622544638c1903d32b1aff1f186b0

SHA256
be8269c83666eaa342788e62085a3db28f81512d2cfa6156bf137b13ebebe9e0

SHA512
014d73846f06e9608525a4b737b7fccbe2123d0e8eb17301244b9c1829498328f7bc839cc45a1563cf066668ea6e0c4e3a5a0821ab05c999a97c20aa669e9eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4364_133832773497630949\pyexpat.pyd

Filesize
193KB

MD5
6bc89ebc4014a8db39e468f54aaafa5e

SHA1
68d04e760365f18b20f50a78c60ccfde52f7fcd8

SHA256
dbe6e7be3a7418811bd5987b0766d8d660190d867cd42f8ed79e70d868e8aa43

SHA512
b7a6a383eb131deb83eee7cc134307f8545fb7d043130777a8a9a37311b64342e5a774898edd73d80230ab871c4d0aa0b776187fa4edec0ccde5b9486dbaa626

Download Submit
C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.ini

Filesize
3KB

MD5
5b24ba2706632276b9c0b5e509a27823

SHA1
9f2ae452847156432dc186188b25825e0a698f01

SHA256
4f0b41c6486a469b75dd87e0e2931b34a523b45650ee363bda12819265d933ca

SHA512
2dc4a6d327d5ca86f9410b638f4c0e9b549de29c3c5b31cf3a0135bea61b1f1a1c8c354a58ab027671c16a2c557358b53da835cb94da2d345dabc83fd24d124c

Download Submit
C:\Users\Admin\Downloads\Bltools.2.9.1.PRO\Bltools 2.9.1[PRO]\Settings.ini

Filesize
3KB

MD5
03379072e6440f5a6856334e648ca10d

SHA1
b40f641f036006f55f4a3e8dbb1177d1fd4ff400

SHA256
0f89e24245beb845e304aed2300a226f265743690de4f0174aa51890f246be73

SHA512
ebcf0337af8b33aea25b9ee0cf422e327c3bcf45eeb3f96b26f5678d47ef876ffefee49a9416bca4acf23a0e5ef4f9f3bcb17cb22a55ffae096191cda364ae70

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 164415.crdownload

Filesize
21.0MB

MD5
b43e85eab69ea129111cb94f0e9a92df

SHA1
7cde2ae18716dd3d63dcd224957310b6c18c5388

SHA256
619df9f1ac9fbaaece2d578a715641e8ec03a2fb2f932a7d662c7592b4504e3a

SHA512
7cbba4bd6420d4ca74f321b363b8e1de68e0453ad333cdb29d2a224f70758d6d8a9eb08c3c97885568b05b5ad1b9a347ca04fdd1f875ef54c38b079ff67c36f9

Download Submit
C:\Users\Admin\Downloads\steam.zip

Filesize
381KB

MD5
15c924cfc1444cfc5492ab695bd27ee4

SHA1
04f0920a2e6b5975f9383af78fbc78315a9a1f6d

SHA256
50f2ce67d86de320091ae50af9922d343119cb5f1df446a1eb5f7c59ab63f699

SHA512
e0442ad57d650aa9d1eef8be3dc4f471524fbf6f48be7c87185e146af40f3dd8b4b81797ea64e9c0936d26565306d3711afab7df547ec88ba156fdb15889e415

Download Submit
memory/1128-188-0x00007FF6B7D40000-0x00007FF6B8F76000-memory.dmp

Filesize
18.2MB

Download
memory/1128-177-0x00007FF6B7D40000-0x00007FF6B8F76000-memory.dmp

Filesize
18.2MB

Download
memory/1984-1088-0x00007FF69C990000-0x00007FF69D465000-memory.dmp

Filesize
10.8MB

Download
memory/1984-1082-0x00007FF69C990000-0x00007FF69D465000-memory.dmp

Filesize
10.8MB

Download
memory/3336-176-0x00007FF788050000-0x00007FF788B25000-memory.dmp

Filesize
10.8MB

Download
memory/3336-190-0x00007FF788050000-0x00007FF788B25000-memory.dmp

Filesize
10.8MB

Download
memory/3768-178-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/3768-56-0x0000000000D90000-0x00000000014E0000-memory.dmp

Filesize
7.3MB

Download
memory/3768-20-0x000000007533E000-0x000000007533F000-memory.dmp

Filesize
4KB

Download
memory/3768-174-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/4364-2081-0x00007FF69C990000-0x00007FF69D465000-memory.dmp

Filesize
10.8MB

Download
memory/4376-166-0x000002A5F2FB0000-0x000002A5F2FD2000-memory.dmp

Filesize
136KB

Download
memory/4388-2077-0x00007FF6DF460000-0x00007FF6E0696000-memory.dmp

Filesize
18.2MB

Download
memory/5024-1083-0x00007FF73B2C0000-0x00007FF73C4F6000-memory.dmp

Filesize
18.2MB

Download
memory/5024-1084-0x00007FF73B2C0000-0x00007FF73C4F6000-memory.dmp

Filesize
18.2MB

Download
memory/6016-1009-0x00000000051E0000-0x0000000005204000-memory.dmp

Filesize
144KB

Download
memory/6016-1067-0x00000000087E0000-0x00000000087EE000-memory.dmp

Filesize
56KB

Download
memory/6016-1072-0x0000000008880000-0x0000000008888000-memory.dmp

Filesize
32KB

Download
memory/6016-1012-0x0000000005F60000-0x000000000688C000-memory.dmp

Filesize
9.2MB

Download
memory/6016-1019-0x00000000058F0000-0x0000000005A32000-memory.dmp

Filesize
1.3MB

Download
memory/6016-1013-0x00000000052D0000-0x0000000005320000-memory.dmp

Filesize
320KB

Download
memory/6016-1066-0x0000000008810000-0x0000000008848000-memory.dmp

Filesize
224KB

Download
memory/6016-1048-0x0000000005EA0000-0x0000000005F32000-memory.dmp

Filesize
584KB

Download
memory/6016-1014-0x0000000005690000-0x00000000056F0000-memory.dmp

Filesize
384KB

Download
memory/6016-1015-0x0000000005210000-0x0000000005230000-memory.dmp

Filesize
128KB

Download
memory/6016-1071-0x0000000009490000-0x00000000094A2000-memory.dmp

Filesize
72KB

Download
memory/6016-1045-0x0000000005DE0000-0x0000000005E9A000-memory.dmp

Filesize
744KB

Download
memory/6016-1017-0x0000000006890000-0x0000000006E34000-memory.dmp

Filesize
5.6MB

Download