remcos | d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

max time kernel
1028s
max time network
1028s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.txt
Size

18B
MD5

5b3f97d48c8751bd031b7ea53545bdb6
SHA1

88be3374c62f23406ec83bb11279f8423bd3f88d
SHA256

d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
SHA512

ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6

Score

10^/10

remcos discovery motw persistence phishing privilege_escalation rat

Malware Config

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\Version = "1"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\IsInstalled = "1"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\DontAsk = "2"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\StubPath = "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OPENVPN-GUI /t REG_SZ /d \"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\""	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>OpenVPN_UserSetup\ = "OpenVPN 2.6.13-I002 amd64"	MsiExec.exe

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\SET1799.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\wintun.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET1B33.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET1B33.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET1DF2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\ovpn-dco.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET1799.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\SET1DF2.tmp	DrvInst.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 34 IoCs

pid	Process
5416	remcos_a.exe
932	remc.exe
6172	remcos_a.exe
1804	remcos_a.exe
3196	remc.exe
5268	1.exe
6708	2.exe
5048	remcos_a.exe
5924	remc.exe
2092	1.exe
6556	2.exe
2812	remcos_a.exe
4472	remc.exe
2436	1.exe
1892	2.exe
5028	remcos_a.exe
1576	remc.exe
6916	1.exe
4364	2.exe
7812	3.exe
2084	2.exe
2184	1.exe
4660	remc.exe
1484	remcos_a.exe
9716	openvpnserv.exe
9900	openvpnserv2.exe
10180	openvpn-gui.exe
10228	openvpn.exe
6012	openvpn.exe
8816	3.exe
9940	2.exe
9652	1.exe
9876	remc.exe
10096	remcos_a.exe

Loads dropped DLL 27 IoCs

pid	Process
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
9020	MsiExec.exe
9020	MsiExec.exe
7924	MsiExec.exe
7924	MsiExec.exe
7924	MsiExec.exe
7924	MsiExec.exe
8544	MsiExec.exe
8544	MsiExec.exe
8544	MsiExec.exe
8544	MsiExec.exe
8544	MsiExec.exe
9716	openvpnserv.exe
8544	MsiExec.exe
8544	MsiExec.exe
7924	MsiExec.exe
9020	MsiExec.exe
10228	openvpn.exe
10228	openvpn.exe
10228	openvpn.exe
10228	openvpn.exe
10228	openvpn.exe
6012	openvpn.exe
6012	openvpn.exe
6012	openvpn.exe
6012	openvpn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Windows\CurrentVersion\Run\OpenVPN-GUI = "C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe"	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 35 IoCs

Web Service

T1102

flow	ioc
1029	portmap.io
1035	portmap.io
1519	portmap.io
1630	portmap.io
1692	camo.githubusercontent.com
1226	portmap.io
1236	portmap.io
1521	portmap.io
1579	portmap.io
1580	portmap.io
1586	portmap.io
1237	portmap.io
1039	portmap.io
1218	portmap.io
1693	camo.githubusercontent.com
1695	camo.githubusercontent.com
1040	portmap.io
1023	portmap.io
1034	portmap.io
1036	portmap.io
1301	portmap.io
1691	camo.githubusercontent.com
1239	portmap.io
1510	portmap.io
1690	camo.githubusercontent.com
1228	portmap.io
1031	portmap.io
1238	portmap.io
1581	portmap.io
1629	portmap.io
1030	portmap.io
1501	portmap.io
1502	portmap.io
1503	portmap.io
1517	portmap.io

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc	pid	Process
276	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html	488	firefox.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\netbc63a.inf_amd64_7ba6c9cea77dd549\netbc63a.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwtw06.inf_amd64_2edd50e7a54d503b\netwtw06.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}\SET1634.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl260a.inf_amd64_783312763f8749c7\netl260a.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane.inf_amd64_35c52a008b0fba12\netrtwlane.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a59616cc-40b6-6943-afea-cef86510fb12}\SET15C7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_04b60d124553a40f\rndiscmp.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\wintun.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_5229ee1dac1c624e\usbnet.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rtcx21x64.inf_amd64_d2a498d51a4f7bec\rtcx21x64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_3aba8686305c0121\msdri.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4\netrtwlane_13.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mrvlpcie8897.inf_amd64_07fc330c5a5730ca\mrvlpcie8897.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_310ee0bc0af86ba3\netr7364.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_7aeb3e6bfcb2f0f1\netmlx5.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\SET1075.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\SET1077.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_1fab0fd8cb4d7dee\netwmbclass.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbxnd0a.inf_amd64_777881a2c4c0272c\netbxnd0a.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\kdnic.inf_amd64_49825a4c00258135\kdnic.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\wintun.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a59616cc-40b6-6943-afea-cef86510fb12}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\OemVista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwlv64.inf_amd64_0b9818131664d91e\netwlv64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\SET1076.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ovpn-dco.inf_amd64_b737bb7e846ccda6\ovpn-dco.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_2518575b045d267b\wnetvsc.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_749854ac3f28f846\msux64w10.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_d823e3edc27ae17c\netk57a.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a59616cc-40b6-6943-afea-cef86510fb12}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1ed57daf97af7063\netrasa.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\c_net.inf_amd64_cf2766005585f6cd\c_net.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a59616cc-40b6-6943-afea-cef86510fb12}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}\ovpn-dco.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}\ovpn-dco.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nett4x64.inf_amd64_54eacac1858c78ab\nett4x64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wintun.inf_amd64_def3401515466414\wintun.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_ba3e477187f1080b\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_a8bb8a6e92764769\netax88179_178a.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_e92c5a65e41993f9\net9500-x64-n650f.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_7080f6b8ea1744fb\netnvma.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_23bc3dc6d91eebdc\mwlu97w8x64.PNF	MsiExec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF	MsiExec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files\OpenVPN\bin\libpkcs11-helper-1.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv2.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-plap-uninstall.reg	msiexec.exe
File created	C:\Program Files\OpenVPN\sample-config\server.ovpn	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\libopenvpn_plap.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\ssl\modules\legacy.dll	msiexec.exe
File created	C:\Program Files\Common Files\ovpn-dco\Win11\ovpn-dco.inf	msiexec.exe
File created	C:\Program Files\Common Files\ovpn-dco\Win11\ovpn-dco.sys	msiexec.exe
File created	C:\Program Files\OpenVPN\res\ovpn.ico	msiexec.exe
File created	C:\Program Files\OpenVPN\config\README.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\license.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\log\README.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\doc\openvpn.8.html	msiexec.exe
File created	C:\Program Files\OpenVPN\include\tap-windows.h	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\libssl-3-x64.dll	msiexec.exe
File created	C:\Program Files\Common Files\ovpn-dco\Win11\ovpn-dco.cat	msiexec.exe
File created	C:\Program Files\OpenVPN\config-auto\README.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\tapctl.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\doc\INSTALL-win32.txt	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\libcrypto-3-x64.dll	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\openvpnserv.exe	msiexec.exe
File opened for modification	\??\c:\program files\openvpn\res\ovpn.ico	firefox.exe
File opened for modification	\??\c:\program files\openvpn\res\ovpn.ico	openvpn-gui.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-gui.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\sample-config\client.ovpn	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-plap-install-new.reg	MsiExec.exe
File created	C:\Program Files\OpenVPN\bin\openvpn.exe	msiexec.exe
File created	C:\Program Files\OpenVPN\bin\openvpn-plap-install.reg	msiexec.exe

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7FB.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\inf\oem4.inf	DrvInst.exe
File created	C:\Windows\Installer\e620358.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7AC.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1716.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2679.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA99A9B9769ECA116.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI996.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1157.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI161B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI80C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBE4846AFA75554D3.TMP	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\SystemTemp\~DF46B7FA83DEDB2966.TMP	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{2A683384-562D-422F-8116-FA60F70C3740}\openvpn.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2659.tmp	msiexec.exe
File created	C:\Windows\Installer\e620356.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E9.tmp	msiexec.exe
File created	C:\Windows\Installer\{2A683384-562D-422F-8116-FA60F70C3740}\openvpn.ico	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\Installer\SourceHash{2A683384-562D-422F-8116-FA60F70C3740}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\{2A683384-562D-422F-8116-FA60F70C3740}\tapctl_create.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\e620356.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47F.tmp	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem5.inf	DrvInst.exe
File created	C:\Windows\Installer\{2A683384-562D-422F-8116-FA60F70C3740}\tapctl_create.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI268A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF341B40DEF4234A3F.TMP	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
9804	sc.exe
9856	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 29 IoCs

pid	pid_target	Process	procid_target
6296	5416	WerFault.exe	156
1824	932	WerFault.exe	164
6280	6172	WerFault.exe	167
6860	1804	WerFault.exe	174
2864	5268	WerFault.exe	176
2052	3196	WerFault.exe
4440	6708	WerFault.exe	184
1372	5924	WerFault.exe
5128	5048	WerFault.exe	187
1516	6556	WerFault.exe	190
2168	2092	WerFault.exe
5900	4472	WerFault.exe
6456	2436	WerFault.exe	207
856	1892	WerFault.exe	208
748	2812	WerFault.exe	205
7008	5028	WerFault.exe	217
3544	6916	WerFault.exe	219
4984	4364	WerFault.exe	220
6936	1576	WerFault.exe	218
4040	7812	WerFault.exe	262
8148	2084	WerFault.exe	266
2200	2184	WerFault.exe	269
7596	4660	WerFault.exe	272
6428	1484	WerFault.exe	275
3684	8816	WerFault.exe	353
9680	9940	WerFault.exe	357
9676	9652	WerFault.exe	360
2088	9876	WerFault.exe	363
3348	10096	WerFault.exe	366

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos v6.1.0 Light.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000bed4eeaabca0fec20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000bed4eeaa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900bed4eeaa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dbed4eeaa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000bed4eeaa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MsiExec.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6188	ipconfig.exe
4568	ipconfig.exe
5756	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe\JScriptSetScriptStateStarted = "241309328"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RAS AutoDial\Default	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133858356478707892"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	openvpn-gui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Remcos v6.1.0 Light.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\483386A2D265F2241861AF067FC07304\ProductName = "OpenVPN 2.6.13-I002 amd64"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\483386A2D265F2241861AF067FC07304\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	openvpn-gui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\ = "Import into OpenVPN-GUI"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\483386A2D265F2241861AF067FC07304\OpenVPN.SampleCfg = "OpenVPN"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	openvpn-gui.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Remcos v6.1.0 Light.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\DefaultIcon\ = "C:\\Program Files\\OpenVPN\\res\\ovpn.ico,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\import\command\ = "\"C:\\Program Files\\OpenVPN\\bin\\openvpn-gui.exe\" --command import \"%1\""	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\483386A2D265F2241861AF067FC07304\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	openvpn-gui.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Remcos v6.1.0 Light.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\483386A2D265F2241861AF067FC07304\Drivers.OvpnDco = "Drivers"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.ovpn	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\483386A2D265F2241861AF067FC07304\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\OpenVPNFile\shell\import	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\483386A2D265F2241861AF067FC07304\EasyRSA = "\x06OpenSSL"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	openvpn-gui.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Remcos v6.1.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Remcos v6.1.0 Light.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Remcos v6.1.0 Light.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenVPNFile\shell\ = "import"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\483386A2D265F2241861AF067FC07304\Drivers	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Remcos v6.1.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 14002e80922b16d365937a46956b92703aca08af0000	openvpn-gui.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	openvpn-gui.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings	Remcos v6.1.0 Light.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Remcos v6.1.0 Light.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Remcos v6.1.0 Light.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Remcos v6.1.0 Light.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\483386A2D265F2241861AF067FC07304\OpenVPN.Documentation = "OpenVPN"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\483386A2D265F2241861AF067FC07304\OpenSSL = "\x06"	msiexec.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Remcos-v6.1.0-Light(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\OpenVPN-2.6.13-I002-amd64.msi:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\dwddwasd45.first.ovpn:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\OpenVPN\config\dwddwasd45.first\dwddwasd45.first.ovpn\:Zone.Identifier:$DATA	openvpn-gui.exe
File created	C:\Users\Admin\Downloads\COMPILED.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Remcos-v6.1.0-Light.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3152	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
1616	msedge.exe
1616	msedge.exe
1444	msedge.exe
1444	msedge.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
1540	msedge.exe
1540	msedge.exe
724	msedge.exe
724	msedge.exe
7184	identity_helper.exe
7184	identity_helper.exe
7816	msedge.exe
7816	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
8964	msiexec.exe
8964	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6840	Remcos v6.1.0 Light.exe
7676	OpenWith.exe
10180	openvpn-gui.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid
4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
1444	msedge.exe
1444	msedge.exe
5068	chrome.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe
Token: SeShutdownPrivilege	5068	chrome.exe
Token: SeCreatePagefilePrivilege	5068	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
5068	chrome.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
1444	msedge.exe
488	firefox.exe
488	firefox.exe
6840	Remcos v6.1.0 Light.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
724	msedge.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
10180	openvpn-gui.exe
6840	Remcos v6.1.0 Light.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
6840	Remcos v6.1.0 Light.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
7676	OpenWith.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
6840	Remcos v6.1.0 Light.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe
488	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3152	3408	cmd.exe	82
PID 3408 wrote to memory of 3152	3408	cmd.exe	82
PID 5068 wrote to memory of 5000	5068	chrome.exe	87
PID 5068 wrote to memory of 5000	5068	chrome.exe	87
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 3684	5068	chrome.exe	88
PID 5068 wrote to memory of 4620	5068	chrome.exe	89
PID 5068 wrote to memory of 4620	5068	chrome.exe	89
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90
PID 5068 wrote to memory of 2344	5068	chrome.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6aadcc40,0x7ffe6aadcc4c,0x7ffe6aadcc58
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5164,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4324,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3404,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4564,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3308,i,11379257337334852912,89404837222066181,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:5620

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe6a553cb8,0x7ffe6a553cc8,0x7ffe6a553cd8
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,15952761694252703464,15330908257665747419,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,15952761694252703464,15330908257665747419,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,15952761694252703464,15330908257665747419,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15952761694252703464,15330908257665747419,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,15952761694252703464,15330908257665747419,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1488
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Mark of the Web detected: This indicates that the page was originally saved or cloned.
  - Drops file in Program Files directory
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 27211 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d116f396-41ad-409e-8838-367ae4d77eb9} 488 "\\.\pipe\gecko-crash-server-pipe.488" gpu
    3⤵
    PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 27089 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2c9e40-de59-494a-a525-4714705ed975} 488 "\\.\pipe\gecko-crash-server-pipe.488" socket
    3⤵
    PID:1428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 3180 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0e0488c-700f-4543-919a-92d0739c42a9} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:3852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 32463 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aef888e9-e819-4384-9460-dd78db795f9e} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4728 -prefsLen 32463 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ed73edc-8360-41ea-b4c2-6f6bc7de6dc7} 488 "\\.\pipe\gecko-crash-server-pipe.488" utility
    3⤵
    - Checks processor information in registry
    PID:5380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5460 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfbd8087-a47c-41c2-aa57-3c79db454eab} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:3992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5752 -childID 4 -isForBrowser -prefsHandle 5672 -prefMapHandle 5676 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f47e673-0455-4c2a-8505-813f7243679d} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5652 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cfdcb23-d714-41a0-bead-584eebeee3d3} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6188 -childID 6 -isForBrowser -prefsHandle 5136 -prefMapHandle 6184 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76bf7d33-9a5e-4199-9e8b-c1faa072382c} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6432 -childID 7 -isForBrowser -prefsHandle 6424 -prefMapHandle 6428 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af11f3ff-a309-4f5d-8caa-10e466660c14} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:2116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6712 -childID 8 -isForBrowser -prefsHandle 6720 -prefMapHandle 6700 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25eb6ee8-ee12-4310-b0d9-dc2e64e2db90} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6756 -childID 9 -isForBrowser -prefsHandle 6844 -prefMapHandle 6848 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4faaecb-fb9e-4da3-957a-55faf163806d} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6328 -childID 10 -isForBrowser -prefsHandle 5996 -prefMapHandle 6012 -prefsLen 27297 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa7e8f6e-2d89-4848-986c-57e55082e34b} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -childID 11 -isForBrowser -prefsHandle 5276 -prefMapHandle 5992 -prefsLen 27863 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58b30f70-e05b-473d-b03d-51faf82ef931} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:1260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7368 -childID 12 -isForBrowser -prefsHandle 7360 -prefMapHandle 7292 -prefsLen 27863 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfc5e7db-83ab-4cbc-8ff3-9fe879a3db89} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7484 -childID 13 -isForBrowser -prefsHandle 7492 -prefMapHandle 7496 -prefsLen 27863 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08387ecf-06cc-4044-bd00-7655fdede78e} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7476 -childID 14 -isForBrowser -prefsHandle 7672 -prefMapHandle 7676 -prefsLen 27863 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a6b953d-583b-4c66-8c5c-b29d7089f598} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7704 -childID 15 -isForBrowser -prefsHandle 7708 -prefMapHandle 7712 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afe0f1ad-821a-4a4c-a529-b4caa0a1820f} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8380 -childID 16 -isForBrowser -prefsHandle 8488 -prefMapHandle 7708 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e6d7990-edcc-4a70-af59-52e3595fafe2} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8628 -childID 17 -isForBrowser -prefsHandle 8632 -prefMapHandle 8636 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6b7b398-356c-4c45-bfd5-ea5d10707bf1} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8604 -childID 18 -isForBrowser -prefsHandle 8616 -prefMapHandle 8620 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {597bb4e8-086e-446f-ae85-42d3e228a1a0} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8724 -childID 19 -isForBrowser -prefsHandle 8716 -prefMapHandle 8712 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e51fa027-1569-478d-8de5-97c7370624a8} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8752 -childID 20 -isForBrowser -prefsHandle 8744 -prefMapHandle 8728 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b90cd9f-23f5-4262-8c63-1376d293c670} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8772 -childID 21 -isForBrowser -prefsHandle 8764 -prefMapHandle 8760 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20e252b6-9a3e-40e0-80cb-a3b419252a40} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8792 -childID 22 -isForBrowser -prefsHandle 8780 -prefMapHandle 8776 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a41619e5-0611-4b06-aa0a-3812a74a264e} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9572 -childID 23 -isForBrowser -prefsHandle 9736 -prefMapHandle 9716 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c9c4d5-5da5-4b83-bc77-b86613b42b79} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8632 -childID 24 -isForBrowser -prefsHandle 9656 -prefMapHandle 9652 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f3d8b94-ecc7-4242-a66d-15074f41bd20} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10156 -childID 25 -isForBrowser -prefsHandle 10076 -prefMapHandle 10080 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e90e9b2-519a-497d-b92e-642e336305ff} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9716 -childID 26 -isForBrowser -prefsHandle 8760 -prefMapHandle 7112 -prefsLen 28084 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e24f9e24-1f22-4c4d-b12c-973f0aa5c43f} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10032 -childID 27 -isForBrowser -prefsHandle 10036 -prefMapHandle 10080 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e327226-bc84-4c18-a895-2aae1a8755fb} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7200 -childID 28 -isForBrowser -prefsHandle 6952 -prefMapHandle 4704 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88bf638a-1faf-407a-8771-f97259587a76} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:1936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2844 -childID 29 -isForBrowser -prefsHandle 2832 -prefMapHandle 5740 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b239e3b-5b3f-4a86-bd94-655950b91e98} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3612 -childID 30 -isForBrowser -prefsHandle 10104 -prefMapHandle 2652 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b852727c-0f03-4991-8936-1658dc77f9e9} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5196 -parentBuildID 20240401114208 -prefsHandle 5996 -prefMapHandle 3116 -prefsLen 34217 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d45a69f-d4b2-47cf-b83b-2a9341dec937} 488 "\\.\pipe\gecko-crash-server-pipe.488" rdd
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10468 -childID 31 -isForBrowser -prefsHandle 4468 -prefMapHandle 7048 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb20bf1c-5bfb-4fa1-a21e-4ef9003011e4} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:7520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10264 -childID 32 -isForBrowser -prefsHandle 2656 -prefMapHandle 8656 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c060c665-f040-418c-9545-6cf40538adb9} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8644 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 10596 -prefMapHandle 10604 -prefsLen 34217 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {147fdc85-5593-429a-ac12-d2b143012140} 488 "\\.\pipe\gecko-crash-server-pipe.488" utility
    3⤵
    - Checks processor information in registry
    PID:5988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11000 -childID 33 -isForBrowser -prefsHandle 10992 -prefMapHandle 10988 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a9985ee-f5d0-4833-990f-8c199c4f09fe} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 34 -isForBrowser -prefsHandle 10036 -prefMapHandle 5532 -prefsLen 28140 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24704af3-9e51-45ea-b8d6-0d3954f8c0b6} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:8028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10580 -childID 35 -isForBrowser -prefsHandle 6212 -prefMapHandle 7052 -prefsLen 34595 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75ae633a-183b-424a-8ef0-dbf58177f9a6} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10988 -childID 36 -isForBrowser -prefsHandle 7192 -prefMapHandle 6936 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3c824ea-2a3c-4b96-a247-fb00478355ce} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:1644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10900 -childID 37 -isForBrowser -prefsHandle 11260 -prefMapHandle 10892 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6facca7-62d2-474f-8520-1d43f74c23e8} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:7780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7228 -childID 38 -isForBrowser -prefsHandle 10924 -prefMapHandle 10928 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b393f799-2cc0-4c55-83da-95f3634eb989} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11472 -childID 39 -isForBrowser -prefsHandle 11544 -prefMapHandle 11540 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24713620-888a-4b78-b668-3ae40b385f15} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11696 -childID 40 -isForBrowser -prefsHandle 2732 -prefMapHandle 10936 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bd638f0-47d5-429d-a60d-26230d035cd0} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 41 -isForBrowser -prefsHandle 10948 -prefMapHandle 10912 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0690ed6d-d1a1-4f49-9aec-a91e13050d64} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:1536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12016 -childID 42 -isForBrowser -prefsHandle 11956 -prefMapHandle 11960 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {214dc7e6-0666-4b01-8750-1970eb4f74fb} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12204 -childID 43 -isForBrowser -prefsHandle 11988 -prefMapHandle 12072 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4236c472-31a9-4915-8056-545af35f0340} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12412 -childID 44 -isForBrowser -prefsHandle 12332 -prefMapHandle 12340 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6005d55e-f052-436c-9862-5d8d738f8abf} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:7292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12664 -childID 45 -isForBrowser -prefsHandle 12248 -prefMapHandle 12252 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4cf9c87-7848-411c-83c0-3517e71f8c8f} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12024 -childID 46 -isForBrowser -prefsHandle 12664 -prefMapHandle 12252 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ca8b213-2b9e-4bb9-a7fe-ef62cde5cc98} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:7192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12080 -childID 47 -isForBrowser -prefsHandle 12868 -prefMapHandle 12680 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1037643f-c560-4edd-8bed-ea30a973f72c} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:3932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13048 -childID 48 -isForBrowser -prefsHandle 13060 -prefMapHandle 13076 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e28f4ee2-e017-463e-9764-62995f84cacb} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:2780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13360 -childID 49 -isForBrowser -prefsHandle 13324 -prefMapHandle 13336 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f5d48c-604b-44e5-831d-c3c5ea7cb500} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13984 -childID 50 -isForBrowser -prefsHandle 13992 -prefMapHandle 14000 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58204684-be0c-4b39-ab4d-723b82ba82ce} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:8836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13012 -childID 51 -isForBrowser -prefsHandle 12244 -prefMapHandle 12672 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99e4201f-b424-41fa-9703-adbed9150dc8} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13284 -childID 52 -isForBrowser -prefsHandle 14044 -prefMapHandle 14040 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71900b65-e4db-4e70-a857-96f2eb57084b} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14192 -childID 53 -isForBrowser -prefsHandle 12432 -prefMapHandle 13280 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9a7aeaa-25ab-4cfa-8feb-9e66bc6986ea} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:9740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7504 -childID 54 -isForBrowser -prefsHandle 9000 -prefMapHandle 8996 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c503af9-e07e-4c44-80a9-074aab277c78} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:9488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8828 -childID 55 -isForBrowser -prefsHandle 7580 -prefMapHandle 7592 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0602097e-3099-40c0-a97c-3d47e5a3b2e0} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:9992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 56 -isForBrowser -prefsHandle 9020 -prefMapHandle 9024 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3b3450a-edbe-40b0-9792-5994495d3e1e} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:9960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9368 -childID 57 -isForBrowser -prefsHandle 9792 -prefMapHandle 9788 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87cdd45c-ca39-4275-9195-f10082891b06} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:10072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7392 -childID 58 -isForBrowser -prefsHandle 7508 -prefMapHandle 9200 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f97e9187-0eb9-4ed8-97ac-a902cde52f0e} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:7824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8596 -childID 59 -isForBrowser -prefsHandle 9620 -prefMapHandle 7456 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69a4ea3d-270d-415d-9a31-70c3fdc228aa} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:10232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9156 -childID 60 -isForBrowser -prefsHandle 8508 -prefMapHandle 10008 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ecc0883-2b8d-4b2a-a7d7-06296afe933d} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8908 -childID 61 -isForBrowser -prefsHandle 8988 -prefMapHandle 8976 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71ca418c-634e-437e-9b33-a489c1f70b42} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8572 -childID 62 -isForBrowser -prefsHandle 8268 -prefMapHandle 8264 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceb1b9af-9856-412b-9611-f81ae7f6f489} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7880 -childID 63 -isForBrowser -prefsHandle 9512 -prefMapHandle 8916 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5250ca7-dd0a-4f15-b310-4143585891ec} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8440 -childID 64 -isForBrowser -prefsHandle 9580 -prefMapHandle 12484 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc1f94b5-4932-437e-ab3f-99f12ed91f5b} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:9544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8976 -childID 65 -isForBrowser -prefsHandle 8604 -prefMapHandle 9904 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c93c905f-d8d9-42ed-9829-be396ce92494} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:3548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10348 -childID 66 -isForBrowser -prefsHandle 9268 -prefMapHandle 9828 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96d7e97d-f7a1-4a44-960d-3c6d87b81a40} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:6108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10336 -childID 67 -isForBrowser -prefsHandle 9552 -prefMapHandle 9540 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73c91a50-7a1c-4126-aff7-e4abe3bfa1bb} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13164 -childID 68 -isForBrowser -prefsHandle 5780 -prefMapHandle 5080 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e92f78f-a9c8-4d13-a40f-6466f0f03fc2} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6960 -childID 69 -isForBrowser -prefsHandle 11416 -prefMapHandle 11516 -prefsLen 28384 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3475bc7-cba3-4fc4-a9bb-1f13db3f47b7} 488 "\\.\pipe\gecko-crash-server-pipe.488" tab
    3⤵
    PID:9760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6716

C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\Remcos v6.1.0 Light.exe
"C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\Remcos v6.1.0 Light.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K ipconfig
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:6188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K ipconfig
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K ipconfig
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5032
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://breaking-security.net/remcos/manual
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe6a553cb8,0x7ffe6a553cc8,0x7ffe6a553cd8
    3⤵
    PID:5352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:3400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
    3⤵
    PID:1228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:5444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
    3⤵
    PID:5940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    PID:7440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    3⤵
    PID:7780
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
    3⤵
    PID:8188
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:8156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:8168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:7776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    3⤵
    PID:2588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14543066916742051836,7574281105403372882,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1748 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3532

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 568
  2⤵
  - Program crash
  PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5416 -ip 5416
1⤵
PID:1040

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 568
  2⤵
  - Program crash
  PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 932 -ip 932
1⤵
PID:4868

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:6172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6172 -s 536
  2⤵
  - Program crash
  PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6172 -ip 6172
1⤵
PID:328

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:1804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 540
  2⤵
  - Program crash
  PID:6860

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
PID:3196
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 536
  2⤵
  - Program crash
  PID:2052

C:\Users\Admin\Desktop\1.exe
"C:\Users\Admin\Desktop\1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 568
  2⤵
  - Program crash
  PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1804 -ip 1804
1⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3196 -ip 3196
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5268 -ip 5268
1⤵
PID:3312

C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 568
  2⤵
  - Program crash
  PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 6708 -ip 6708
1⤵
PID:5428

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:5048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 536
  2⤵
  - Program crash
  PID:5128

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
PID:5924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 536
  2⤵
  - Program crash
  PID:1372

C:\Users\Admin\Desktop\1.exe
"C:\Users\Admin\Desktop\1.exe"
1⤵
- Executes dropped EXE
PID:2092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 536
  2⤵
  - Program crash
  PID:2168

C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe"
1⤵
- Executes dropped EXE
PID:6556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 552
  2⤵
  - Program crash
  PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5048 -ip 5048
1⤵
PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5924 -ip 5924
1⤵
PID:6952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2092 -ip 2092
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6556 -ip 6556
1⤵
PID:1164

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:2812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 536
  2⤵
  - Program crash
  PID:748

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
PID:4472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 540
  2⤵
  - Program crash
  PID:5900

C:\Users\Admin\Desktop\1.exe
"C:\Users\Admin\Desktop\1.exe"
1⤵
- Executes dropped EXE
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 536
  2⤵
  - Program crash
  PID:6456

C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe"
1⤵
- Executes dropped EXE
PID:1892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 544
  2⤵
  - Program crash
  PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2812 -ip 2812
1⤵
PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4472 -ip 4472
1⤵
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2436 -ip 2436
1⤵
PID:6464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1892 -ip 1892
1⤵
PID:6472

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 540
  2⤵
  - Program crash
  PID:7008

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 536
  2⤵
  - Program crash
  PID:6936

C:\Users\Admin\Desktop\1.exe
"C:\Users\Admin\Desktop\1.exe"
1⤵
- Executes dropped EXE
PID:6916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 536
  2⤵
  - Program crash
  PID:3544

C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe"
1⤵
- Executes dropped EXE
PID:4364
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 536
  2⤵
  - Program crash
  PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5028 -ip 5028
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1576 -ip 1576
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6916 -ip 6916
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4364 -ip 4364
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "mailto:[email protected]"
  2⤵
  PID:6540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url mailto:[email protected]
    3⤵
    - Checks processor information in registry
    PID:6624

C:\Users\Admin\Desktop\3.exe
"C:\Users\Admin\Desktop\3.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 7812 -s 568
  2⤵
  - Program crash
  PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7812 -ip 7812
1⤵
PID:2808

C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe"
1⤵
- Executes dropped EXE
PID:2084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 556
  2⤵
  - Program crash
  PID:8148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2084 -ip 2084
1⤵
PID:6876

C:\Users\Admin\Desktop\1.exe
"C:\Users\Admin\Desktop\1.exe"
1⤵
- Executes dropped EXE
PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 536
  2⤵
  - Program crash
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2184 -ip 2184
1⤵
PID:7424

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 556
  2⤵
  - Program crash
  PID:7596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4660 -ip 4660
1⤵
PID:4952

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:1484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 536
  2⤵
  - Program crash
  PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1484 -ip 1484
1⤵
PID:7876

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\OpenVPN-2.6.13-I002-amd64.msi"
1⤵
- Enumerates connected drives
PID:8824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:8964
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0316A6DD9AED7E918E946575F73ECEB9 C
  2⤵
  - Loads dropped DLL
  PID:9020
- - C:\Program Files\OpenVPN\bin\openvpn-gui.exe
    "C:\Program Files\OpenVPN\bin\openvpn-gui.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SendNotifyMessage
    PID:10180
  - - C:\Program Files\OpenVPN\bin\openvpn.exe
      openvpn --version
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:10228
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2184
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EB80015D3C9AF6AFA05185742D20D355
  2⤵
  - Loads dropped DLL
  PID:7924
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 1A417E668CEC3C9A1F1B18F2661B6B45 E Global\MSI0000
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:8544
- - C:\Windows\System32\netsh.exe
    netsh interface set interface name="Local Area Connection" newname="OpenVPN Wintun"
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:7700
- - C:\Windows\System32\netsh.exe
    netsh interface set interface name="Local Area Connection" newname="OpenVPN TAP-Windows6"
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:9476
- - C:\Windows\System32\netsh.exe
    netsh interface set interface name="Local Area Connection" newname="OpenVPN Data Channel Offload"
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:9632
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config OpenVPNService start= auto
    3⤵
    - Launches sc.exe
    PID:9804
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" start OpenVPNService
    3⤵
    - Launches sc.exe
    PID:9856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:9136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:8688
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Windows\Temp\6a571dfddd2dff2b6b3e22f9b330c0a635339042fb846246b09488f33f7bd408\wintun.inf" "9" "4c76fdaab" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "C:\Windows\Temp\6a571dfddd2dff2b6b3e22f9b330c0a635339042fb846246b09488f33f7bd408"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:7284
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Windows\Temp\d835039e7ec08ad04d30f33ef461e295b95e0dc200022dec1de0aa93faca913a\OemVista.inf" "9" "4c8a3e94f" "000000000000012C" "WinSta0\Default" "0000000000000158" "208" "C:\Windows\Temp\d835039e7ec08ad04d30f33ef461e295b95e0dc200022dec1de0aa93faca913a"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4828
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "C:\Program Files\Common Files\ovpn-dco\Win11\ovpn-dco.inf" "9" "4e746adf3" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files\Common Files\ovpn-dco\Win11"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:5800
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "11" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:9ef34515d755ec66:Wintun.Install:0.8.0.0:wintun," "42b53aaff" "000000000000010C" "a017"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:8676
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "11" "ROOT\NET\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.27.0.0:root\tap0901," "433338203" "0000000000000180" "a017"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:9416
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "11" "ROOT\NET\0002" "C:\Windows\INF\oem5.inf" "oem5.inf:c695c3de07ba2b5d:ovpn-dco_Device:1.2.1.0:ovpn-dco," "43b135903" "000000000000012C" "a017"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:9584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:9300

C:\Program Files\OpenVPN\bin\openvpnserv.exe
"C:\Program Files\OpenVPN\bin\openvpnserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9716
- C:\Program Files\OpenVPN\bin\openvpn.exe
  openvpn --log "C:\Users\Admin\OpenVPN\log\dwddwasd45.first.log" --config "dwddwasd45.first.ovpn" --setenv IV_GUI_VER "OpenVPN GUI 11.51.0.0" --setenv IV_SSO openurl,webauth,crtext --service 27c400000a7c 0 --auth-retry interact --management 127.0.0.1 25340 stdin --management-query-passwords --management-hold --pull-filter ignore route-method --msg-channel 516
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6012

C:\Program Files\OpenVPN\bin\openvpnserv2.exe
"C:\Program Files\OpenVPN\bin\openvpnserv2.exe"
1⤵
- Executes dropped EXE
PID:9900

C:\Users\Admin\Desktop\3.exe
"C:\Users\Admin\Desktop\3.exe"
1⤵
- Executes dropped EXE
PID:8816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8816 -s 544
  2⤵
  - Program crash
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 8816 -ip 8816
1⤵
PID:4888

C:\Users\Admin\Desktop\2.exe
"C:\Users\Admin\Desktop\2.exe"
1⤵
- Executes dropped EXE
PID:9940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9940 -s 536
  2⤵
  - Program crash
  PID:9680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 9940 -ip 9940
1⤵
PID:9328

C:\Users\Admin\Desktop\1.exe
"C:\Users\Admin\Desktop\1.exe"
1⤵
- Executes dropped EXE
PID:9652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9652 -s 552
  2⤵
  - Program crash
  PID:9676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 9652 -ip 9652
1⤵
PID:10100

C:\Users\Admin\Desktop\remc.exe
"C:\Users\Admin\Desktop\remc.exe"
1⤵
- Executes dropped EXE
PID:9876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 9876 -s 548
  2⤵
  - Program crash
  PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 9876 -ip 9876
1⤵
PID:10104

C:\Users\Admin\Desktop\remcos_a.exe
"C:\Users\Admin\Desktop\remcos_a.exe"
1⤵
- Executes dropped EXE
PID:10096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 10096 -s 536
  2⤵
  - Program crash
  PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 10096 -ip 10096
1⤵
PID:6644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e620357.rbs

Filesize
917KB

MD5
debf03baee8063a81623d48faa1b856a

SHA1
85a04cc0c3527735f69c8580f145c971d23f233b

SHA256
1177a13ea74aa96208e7737d59e22206f292c5c6ee55bae85f77dc7df957ea8f

SHA512
b7924a9408a8c47c089601dc0f18396210580ed776f1b714284fdef193029dfe73f09d61efcc50151e58a3570c528c21c04260995ef562caffe53e272e91b999

Download Submit
C:\Program Files\OpenVPN\bin\openvpn-gui.exe

Filesize
1.1MB

MD5
0cee566f2c2d798b4097f6914f57d5c8

SHA1
c6a188d52c06516d5fa483cab93f8578b01c524a

SHA256
ea1285ae791f1fd9c17d6e217dc06b1bfa9337f265e87192cc076b7ccaf09aaa

SHA512
aa7008ee4be9d048abb50bd546d3c454f9af53cb7122f6ec77fc4f948cabbd7379684c03c89f269e94d15e417ca10c801aebb5d23aa9e65d1dad42af5f833bdb

Download Submit
C:\Program Files\OpenVPN\bin\tapctl.exe

Filesize
52KB

MD5
f8a8e9bd330996b3d2672c3a15f92f9c

SHA1
9269ace4cbc58387bae86a800a16eea312812ce1

SHA256
74ac4e4a9a1aa4e4836ffc075829cbd6922d464849722f136894a02f5739ebf6

SHA512
c4782a7f5bad197051e1deca0b3578d1a4e60800fcadea07664f6b07c0785a549f10baef98b46923b8b03230bcf70cae2e7db7be13cebe5910897905294fcdc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e5cb4ab4dc5cdb4d0c58d9ea5c385414

SHA1
f8de9cbd491dd314d08d5b404ee416aecc8e5394

SHA256
2fadbb2b92738430500170b4f6817d9917371961a918f0d955e5b69045fd4380

SHA512
c193e1f52113b3fe2e07de1f542b84858293d197f4fc236736895beafe79bf7859a9b32fd6510191008f360386d49789f23000ef52609c326850af2dca90471e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3b5ae11e146ee24b0cb8c0a0397d0281

SHA1
cbb1b23807b69ea814364bbfc3b790ed71a3563f

SHA256
6f50a39e517f3ad91120e9dbbdc705143b0089fcb9a79e1661cfb3feca19b92a

SHA512
4169e7bff8dbac80260c5c2e903956fbf9a631896f1a7f0c707acd7a09e2aae79646883ecbbc570492c73f96324df858f0d3b47f67dde87feeb35ef8d2d17966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
cae958499c022b20711a377706c4004f

SHA1
bb72e651473c8f9e7ddbed104a62b7c229a64da2

SHA256
d6c6388dee5d7ed3968f07c4281b086d1d3010a79cbc978a0a4970cb87f6cce7

SHA512
064876f9e3628532ce52d975ad9dc68abcfa2b28263eeb0a27e1fd8d4a9cea257714a5b878af42234ac0c46c08112b3931698fa61766a3a28287435f71a47856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c2ee1ee674cd32f2684c06247db0389f

SHA1
b2b835f51e43a9bebcb9eb5b77d4f0878c6cee7b

SHA256
a91c710cb6ba2ee86ff3dd01586a57a290f54cf4d0fc3d8fd2ab1ad3985fead3

SHA512
8bfcaaa36828f33ab2c03feb366d2633d59653668a8349a659e5e9e50716296a2f7e6070eb5640fc6acfa39d95c93f2edb0a78a05f7dcabc5e4d2263d64fa7fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
71ac14dcbeefb027ece4e42545c5f6bd

SHA1
86e436c3e084da73b6f4a86dcddffe37a5360d91

SHA256
c2c73fe07782a8a8ebddc8e800f3c6f24cc01bd89e36bfddf002fa0e626a50ec

SHA512
33afa9d6997a895d5ba2665c3ce81850c49d6e00702c15cd2cd63ef3e831189d86d5124c9c08d86e15438dad8048fcf1cadb96253aebbe310c79f0f50e3e0ede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
7b3842a2658d807c7dda629afe2094f3

SHA1
2848989f48f9354c0ffc7855c401fb7bca3eb9c2

SHA256
6b93af10e4e0daa0783ba169397d9696abb273714f7a4ad42856e1c638b58f58

SHA512
97cd03fb5e9436c78958abfbd4d2d125d3ef6d8946fdaea7ab5deb470a442e4e1bcc7e658f62e98748d88db59412fc1e1de42c0743c6a82901bebb18b0c4f54c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d241bd1df4147449a5b8c7a7d158f3a2

SHA1
1df4f177a5dbe638b701a655ac84c5d8c9f4dd5a

SHA256
725aa6684e138f7f5d736369c723a1cb65b324b6bea5032bff663cbabc502206

SHA512
7105938e3727b45c5765dbb9914dde2150020d7d0c71a67be20acdb915e9f1a99c131694a4a0e528a84e9a4dce4f8d0394311693f92cbb61e045e098a32a95a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3e1241aaefa941337c11cfc7834f539f

SHA1
b1983d7e320aa28f96311a3bc849d32cccf7e016

SHA256
98251e9f39d36ad3adddf83ed689e01a0cfd3884ec52f9f490ab1e4d43ca8611

SHA512
47f15f5b089daee2bcb95c18ac73a68a5608e44d064dd834c33c1d31c42ab38adcd374340d6987b0ed5901b14acb8529f35dc13efead5fcd530be64c62572549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7cdfb397deccc61a0914cdd917fa64b

SHA1
e353e8c7cd933ccdc7252e1b783e10fd445e7a0d

SHA256
3c419903cb0900499c9ecabfe885548f64c6986aa2421a370adf878de79a4884

SHA512
6eff028794ed3e4f1d629c7962d534ad7133be69819e414df2734efc3bdb70ce2951c5b043f8e7d4364ff4a6c2872ba939bd2a490aa6429e528033568e21d754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
937b4f3300c43c3552fd4be2794a2403

SHA1
36428b9ddebd9ead48529335ae57588abfafd1c8

SHA256
b8f5f4a3065bc440120dba5f49665b4a748dd7633167763b77b69e51fdb39456

SHA512
30e4f85f54ac70f66ddb1be5c3ad743694e4b735e57f6490f6740dbe81f055612f33dc33f6ae5ebef192a21a40a2f7be14837d422d686fea3aa97a8a8c5760f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
daf77d8aa849b3b1cff14e39a61f5ab8

SHA1
653f6bd034d169c1a447669fbab857771da2d71f

SHA256
d2f6eb8b1076aa66c1a8462dbaa41dfa573a45122189068475df4edc611ea1ee

SHA512
f195aa804131050b461190d2c14358a7e990df420170af4a0c876b2eeb1be382e8bd0d4e6b28af31211893d93b49ce36893f8591f65ab1ece750e37ffca62c28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a5a95f63dd751b046e16f4940b566959

SHA1
d73c571bb2c7e0031e9453495557daed185b7639

SHA256
5f5edbb2723b44d11e7b9aaeef58bd361035536a034e1ea54d6335b5c55f7449

SHA512
58009049cc6fa891eab36fe336cf58119d75da8548f5ed3717be62dce91d67b8b503fd4e8591095dd26f3877a58b0ff923d54cb8c979560aeb4fcfc61a21996c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
43c3090845e45b508ad183d59d1034dd

SHA1
4f54cbe38c249e8a392611d24e0874d53856f75d

SHA256
276f545302bf7608e01d18225ccb51595948d95b90beda9d9a6aaf50c33c114c

SHA512
9746404ce42dc9984b77f3f5f3f86bffc3364c59d2d990ca6f4177235ae0df647d805354a065a4859f8fdbef5f37ed909262bf02d6fe083c5a778645cfd957a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d9af040b294b0e779d2d5283a7ed216a

SHA1
252ac5b829b53deb93aff0a541c8ea3236170e9b

SHA256
818d2105f6e3579fa08bf9c439a379ec82a04257caf7a4ff70c19a2e7084dba1

SHA512
0c0a33432083ebba2a938ef43417866d254b25ffe659a5802204e3346fd918d5f09d83f990248653e8facc95ac295ee813df132c6adb7df0754364662a4b6b05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
c76c62111b680571fd03c73a71c9d8d5

SHA1
fff641ef1ce51453e7894be9cba0d63e80ed475b

SHA256
1a60c6b2a6950263ff93b1b8593a2bdd80fc52498e499642a8f5be614aee2d0c

SHA512
1b98a2357f21551e931385fde458b8354170f25e8eebd5fefbe8b707bfeeac40a0cc279acaddb2114d1dddd2955ee5bfb9db9fb60750edaf750fd3612cbd9e27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
249dbcbeec2445f3a408c4695784659c

SHA1
d8d7d7bdfe0af268aa535332a6f7c91b497182ff

SHA256
1d3c21a4a4283931ffd846d328fbf9b3d09dd7bd97e7155edf7d353b1027e60e

SHA512
7e4adf06cff757e15cc44b00e5b08aab7fbc857404dc8225b8bc081f10cfe0495688fed2dfd10019037cd3432b2b12001f7bed64f0eb70189729e6a23f148032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
a436b0958aeaa32678109bd1c0966079

SHA1
7bcbc9737bf1a2f8b56696e5a586af8a4f59f598

SHA256
00014be80672424faa4f28eaa339a4ffd64a9ae9d18e2bed3625cad0c8313fac

SHA512
e47c4148c13666b5cf6e2c1dde66aea60ddb0f73101c82d4282df558e03d7d4f6a611c4c61aaefa22f1d525b6d76505d969bed6f57695fd8c68d3f2cae90eb07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
245KB

MD5
7d9e2004f07d30efaf7fe4fcdef55c7d

SHA1
33f3345ec4ad3c8a9da3dd31b57160547dd8f5b2

SHA256
6e85c35d0c6efdc0cb973b688612fb967134e751c7484ed78f840dd103e3f294

SHA512
f3f1726dc25b324b28b9ef4762cd247a94120e2e88c7a26994089b235b766f2fd52ede9f3961c5b58d3649c00621c1e6737b7c44587f30959ba2f7708a014087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a1ea058d6231b47f5bb8557adba13351

SHA1
111dbb6ffff6517e11719a20683fd7f4ef0579d2

SHA256
f5a91a0770c54a1601557b8babfcc7813972275da171c384cc8929d2910a851f

SHA512
e613f481c50b5a7022a763d13ac1b1ebb6a9d4d973de95108d95d23844d9d526d8c90f391493f043e86e22e9a5abd8a3a4cab5f2def248033d0eb9421091889b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
915f31500a875a010f1d65f72a106ee0

SHA1
4d3e35bd9eea48b6cfaee0bd51281af9cc6e667d

SHA256
94e333834ac7032c041ce91d26026e8581ab0c1e0007346052307e1b44798e01

SHA512
9ea4ca73b6edf066f11c21c51be190188e2d09fe074f41163842d3fe7392da625a50d6d866779aed08fc4f25f9885af5124f76e401334c648a3ce31276123b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46ec2d399c9d10a0545cb514e47de14e

SHA1
98fc6f3f34f4082b8d81cc50dc571ec06eb454ca

SHA256
f50fff32b15e4b61c3cb18655c3daf46a83556aef1f3ff8d9ed074f298f247a5

SHA512
993b723da7b0ffcaa731a1f06057bf2ebdc2fd518ef8765b4f625b9fd0094cc6abdccfe998d0e6cb760a3e5d6c411b197a47e67c1de5a6ec4315d017a552a2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0e557607-5273-4372-a5b4-ae929c2aea66.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6bcb683d-3b41-49ea-98e3-d34592869e59.tmp

Filesize
6KB

MD5
c6e557a8eab5f42e4b8981b0f0e59022

SHA1
52e4e962ed6d6074d84aad95cc9b525dc07d1374

SHA256
b09fa6c3ec6628a98d6fc5339e548718fde941bc13767a5b99b6014ede070ca9

SHA512
a098fbb7218357febc9964b4d23a276d75251a5424df97cf47993e6cdd435f7be4946c6edd76d38a03e144a844753f663d02812f89a3f7d6f9ee38cf1b4afa35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
215KB

MD5
786c4894e2393c2a6df8fe0fd6aeee3f

SHA1
2242cd681f699ef3d642ed9ed1f202dbf6b0c1b0

SHA256
258ce3bda497a9ddf8e00e70ab2b08608c3f3211aecc90348179eea95be084a4

SHA512
73751c1624a8a7e8141c387159a700f637e4fed6f5974d7402fc4faf4dd72c0779eae74049746098ad2c05765fa97329c51e9cc5f422c02abaaa92035aa991db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
41KB

MD5
0aea3df744bd8aec677dd4777a6c570b

SHA1
41dc951a8a2bd2fcfb3dc81c196c8828ada7c4e1

SHA256
bb15265a5766a6351a8673cfa79d8622332f9a5ba175e1c09ae99a49d6deadd0

SHA512
d6d8a1f873e4e328332854545d0ef268fc7c92666f7412549f76340cdf0dec3634cc809da6eb4a8c0902cc5720d1a778c344cf199d4f250daf61184f0a405785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
f81d2a69adc705ad26e8e4a93f16fa01

SHA1
d07a340bdc3984427327e55d9c2160cc241fbf82

SHA256
a47c9d3c7f1cb3749ebbe68c6d0ae9e579e7d4feeb757ef4c2d987ac6fa6a16f

SHA512
9573db5f51224c7e3e9f9d7f5883588e80fab49ab9d59b8624e5758437eeb7a99063887cc83c8c755258de98b747e6deedfd42d552cad0a7b5bbdb7a7df9431f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
59bb09df09272c1dfcc07373d5c1a716

SHA1
4a2fb7a02756b107aa7194ca5574f6d29bab0bf2

SHA256
a9b6fbe65290a8c92dfafc0164664228b8ba9fbc7083b7ae5df0a493cdc4174a

SHA512
5d9769bad118f0eec7ea8eb40ab8c0601a67473a573bd65cc6e403400cf3e8d8ede2cfff9079447fe234c46e9a19df35c390d25bc6e36373f15d20ebeb8a134a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab795fedd19ac98a718ec9a98a5b45ac

SHA1
bd154a2961472c048a7e6ec2e566b503a96a99e7

SHA256
8def0b72172e72de6db7560891617236ab5d78ed2adcc3ef0a49069b27e1423c

SHA512
2123801fcac23d8e10eaa677baafdcafb1468b6bf5341b00ee358ca523ed99ba1be7c9e4e6572997aa546141ff76862fb508d183590c1be99824fd8f1d6cbd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e5d555ffdabef3bdaeedefb8c8bd5e8

SHA1
d1857128fe193b0d8d9ed535449cffdca8d688de

SHA256
ca0d9c0ea0c722f1532e7024c7fff5cb74b6dc512482c522b83e9ffa9bb41bc0

SHA512
dcd4ca473fa3f7fd0e9a7085b8cbd5a1de1a2f9010ff3b3c40b9ac66a076eecdc4bb4e73b411b193ae4df61a4da273e36cc213b6e7398ecd45e86bdbcfb5ff02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
646810f2844bf7c8438d8795121118f1

SHA1
ebfc2810c481f0da52cd7209bc8c9a066786e3e9

SHA256
69404fae90686cc7b8b4cf61aaf736675504a44917101a3bd7c2f59f9fa0d525

SHA512
6c8872cb01c42dec9fa26b4676b0f71a9216d0e77736965292930de2eb025c234a40ed67e783f09563ffc96db5dab45960abbce6a2848026c78a2c791d21620f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1cab9b0d5d02aed4fce366131c424871

SHA1
516d9dc38bd99a583d671a90295d316d935d364f

SHA256
2688f3deea82a48ddb4a46abc0197c54b3584b771b881d2c9b65404a7518d530

SHA512
adcb8d9f07fd5b9b8caa939836b542b0071f36b38029b62daaa52a954da540c47150b436bf205f0c89f7476918f305a8e25a77ee5903f2898722aeb00db124b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27557373bf4af9d0b3ba92f14f1882b9

SHA1
a5943c87cb91b9690b44ef4a36d4d91dd3e2b949

SHA256
909596242ce449325c99fe7989a5497d535edc08dbf39f5bbbfd24b66099fd67

SHA512
a6a59b661cf5aeaafa76498d9b30256b23848be147a7588812bc5f120278d51e7836fdede0bfbd8e870eefe6ef1257cab48a8179c70fa419c30d7b101ce75f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
132209a7f384c3774be4b24fca4c79e9

SHA1
93271d467d3c9cfa770a55154c2f205844784c2f

SHA256
8138b0882d2652be4969b4a3b51031b7cf16b701e2f8bf43138aa5dfc1217716

SHA512
09a042b6a80cede86bdd77233b78139839fe44fbe7c5a21f76ad830caa0979919db80a68a7ccca46e0e3b91ba17b28fddce0a57f6013d17e2ec80a67d5ae629b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
d5ece5ee54a35737fb47395f944f1567

SHA1
64a93b9e736cc6dc943afe35fc52c05c4ccefca3

SHA256
68e55f233c3277995b6b55271c8c9091fda7232bbe798cca2e10d0741fc5d097

SHA512
2504034d506f164f68eb6ce8337973c5b15cbd936c3cfc07602499a94cc2f505cb5780462e529d30120c51132fec91ed26beddf44b8f8a33280ee05abd45e942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
2de1f2419258fd7c4af75a03b67b9190

SHA1
c031e09eb39252c1f85915737b376a264ce135fe

SHA256
3c01104997edb54373d930bd40e627340c927bfad681fcc7be44cf38b93093d5

SHA512
c410f8fbef10b83da370291260bb2d2e24142098417753f72f23a1a404325583281ceb0b8601a720398260a7e0597f9b564431cc547ac4f03a0c538fdce3bc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e5eb8.TMP

Filesize
201B

MD5
574688a570f8f44a017a35cb185459a1

SHA1
0955075fd925de4efadc73837781401dd9975ab8

SHA256
a60c899648a142b3bf8e9282abd9ddb946cfdb2fe69b71926e45353c74bfbf5d

SHA512
4fa81a5879a4f64247be7735f831d86ec550ba2c683704eecf6e9da9869df83e8ce1297f229ca5b22484ae4f3a3e8d8c7bb0a76086afaa2aabc0ce7e12c89dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f3dac05ee1094ca30490a839e2641990

SHA1
3e056e82575a7ce48e07e093633be4632127a0c5

SHA256
5d2c6f3ef53b54834ce2b6d89edbcb90ad4f0e3fd971faccf35810c45dfa4a44

SHA512
6f16459669c00d4639786b2aab27c8cf2364db3bef4b21956e74b5d23d652033cebce28b694ee5b38374b8c39c9cf7d0d0e8c877736993b2344b85cd811235a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2e464b7c8c572591c4b2444cc81155fb

SHA1
909697ea251ce03495ef4f2a6de527ac017bc8aa

SHA256
185acc5179e6e8c5ccbbb25007d160782e0e5177920b0192ee1d3c8e7a1b4527

SHA512
7510bf3165b56cbdad55d3b0121556e0ce2ec8683d3dac3c39f4675f0c1a053ee06fd963fd1c04858aeb5912d0fa95dd88d7bb0696bb6f586abf17734718f245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
50d1e8f3359674b23b5c284a9a085a93

SHA1
d6a472e832014dc100f6935eb0fd0850c775ac04

SHA256
0911adadb8e7ebe38ee34725a1dcc70e20c839472ed184432a3e8052ff19d3cc

SHA512
84cf6d232e79269c8e06d5b144e9daec131ebd3d476e5b626e0671196c8335bc54192a50e9d90a0029f17804da6a6f4decab9628290c8b0f302969eb6666a05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
039ba872b3aa5ccdc2193e238ef73f6f

SHA1
bafe4d31efb0d50004516b306eee229c32fcef2c

SHA256
dfb531e209dcc43f2e92d967a5a604b8255de5e33eed03aebee4239eb741fb2f

SHA512
8bb01bb018ec611707c7e0ced464e7b1e8c93541c7460cc281775d9be983dba2a16862f56d0276cfb9ab2b5112939814ac1f32b8bba71fefcc3dcd8fa934e4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e703ca957bc6a8e068a3bf3e3ea8ac38

SHA1
83b6919ab0c74a7df11af8fe985909a98ccd4c77

SHA256
12c962befb25810676b4b921e922dbafd635596edfa45c4933d561f182742a08

SHA512
faf6309d9f4145b923803b055a8d506cb2e528381cb9a6e1e79f40e1b5a878b40480401a612fe37bf35b64d70210a8d1e63334d81af77c7c3899a3dc9ff5ff4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
bb7fc8a61d46bc74fd84a864c8f9cd93

SHA1
9e97309f214358bfb267d669514d5082db365c4d

SHA256
aad6d8b7a297aac83b9bfde3666bb9d426a468abcb5f4efca9347bce64a2ac3f

SHA512
4fe164c526bf42b324e9bb85dcd0ebc3f1d5b557077018b749e6546407028cee44a45aea210e4409d1a3c6de2c006758dfc5b334d237e72511770c145b8c258b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\11360

Filesize
58KB

MD5
14eff51621086bd74f900b9deae7c4b9

SHA1
706f6a7a275a6f04fb8581852e1fbb9058c95c6c

SHA256
f097fde4b629b54213ac15a6c88d37720d144edd20ce28083811538273040a45

SHA512
6b50fb6f56002254100514460bbe254ec97821a54942ba5e2237ff2e76cc7e60244d311f3ea5c3c649abebe0d609cd8bead8e88697fe0b18d5fe48f60089119c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\21813

Filesize
8KB

MD5
9afc5e4f8f20494aa1dc94a1f6f56678

SHA1
05f01a0ff6e6a027312806aa75d5e85f98258abb

SHA256
92c3dfec59f5d9117e50162cbbf2dfc30ab20129da1b7bb3edca426108b5051f

SHA512
e45021bb7bc1d8ce5ce7b2550cf5958272349fd7cd285c3d793db19054fccfc121039cec61bbf150a148b39195add917a6c60c34298a24c0ac5954021c5a5348

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\2672

Filesize
6KB

MD5
40fb115132b629e8d75810414f35231d

SHA1
098224cac571f15b5781bbf07cb7ea9b21b2cd1a

SHA256
7ee19c9e41c3d4426015a2dc33b129ad3ca96a5b446086da8e91e4d1386dd5e7

SHA512
c9dfb28d056496a6e3a20924e40496250157e73820b43aa13459493888b9b731bd7fecb320c2bcf4617df80dc0a67d1a54d867139b569ef5163a67e4fd21a65c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\27199

Filesize
21KB

MD5
97698aa647fb8cc43e59dec1f7577ca0

SHA1
872a74df9904d363bb9900204379032ed95ecb6f

SHA256
d86135368454145dea289b88c5db178f47c0377d2b1708a5f40e8d64918a2449

SHA512
04212a71178a0f44359a3926f37033e44f9f31aa7e3435c93e813c6dc71e9bf7870f1cbc80e11d12a29399af3070b516cd4d63fc82dc3ac2d7a4190f9a4e7d29

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\30864

Filesize
15KB

MD5
44b5bba8e95460ec5a86b948c4c476e5

SHA1
ac324e407b7106a05b95f1b1b0a985f49023991f

SHA256
a6131c3f4508b275937bda692d9f9449277ff0b8522ed2e58f8e8d8221b11e1b

SHA512
acb093ca5fe55f1ccd6dcb87fecb7ebd44fbbe22bc33b4a915a8a5cfdf492e2524f53c61d8a78f9821c59c50e166c35062dad017549665860e23d1c194f1871c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\6967

Filesize
8KB

MD5
ba854b2d3367f59e15db0cdce5297c63

SHA1
c045630fc92cda8b543f69dfc0c31192fcba068b

SHA256
1d89210e07aad8dab2dc769883fa2992700ef72deb83780424defb01e37474ec

SHA512
26cfe7704ebc1934e4d3780f0079e633f0b1a7e2d8a7f8eda86ccc1b1dc29c5660888bf28842b75e820bd1e237ed3de52e3f6476762aa0b70dd23446359ef889

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\doomed\7744

Filesize
15KB

MD5
b4cb436562ed3b786ca048ab622ff0f7

SHA1
0b8706e9f5cb7a38b5cfdd821c0834dfc0922128

SHA256
0d08e8f1136fce1528945f6cdfb660b71ac0cbe2c58f917b47d153477d7520b0

SHA512
694db1a654613084fd1b9eca4831fab07b2dda1ea12b39091eeeb3e73048f9cadc437008f20edba6bfbde602a0cb2407bfbda37027d6b9cb869cf933509d52b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\0594D20F322E88265C0D547AD4EF5F45B49EF9C8

Filesize
144KB

MD5
079f69ea268d6e26e562c971b8c4aeae

SHA1
ca5b615af790a2a6cfddaef63b26f07d9ae699a1

SHA256
ef68c93ead2c21b014716befefbe3a09754318ca1b4f37a0ead96eb720f77803

SHA512
25e68393215512f7c76564eedba77bdc9745f3f4f1e8213425ad474e76c9e314492cedec5b61441043bce4576517718a022534fef09959dfd069c4b794b1e9a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\114DFD4106A63BEFAD5F64535B36F397D22FB1B1

Filesize
35KB

MD5
350726dd019a27a3b0164a7fd128c0a4

SHA1
746dd000a5da9436539b9c95f8f0f016950a3eb7

SHA256
9f90ece9d42975dff85e20d46375443fc65f05595ed1e81393e5508bea76c381

SHA512
07e19993f08d7e3469c6dd09c0390772e76e2f5ac7a3472d249520533e2e46707e808b778962f1d5c402f72aefd4cd920129bfb664b2b140dcd9e7ede7b0f2c1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\116E76732731941A285B78AE969B0E84EB76F35F

Filesize
25KB

MD5
aff9566130e29e4474683174d5d93c32

SHA1
96512104d6c0f5d586c4547e496310abe9a106d7

SHA256
c00bc2554ba532cc47211ba9114872270c05fc8f8e691071bc73250a76fd70c0

SHA512
9c7d65127facc54047ee2cc0d5f4a3b0200915797111aa17f04ede1a9776ba29db022ec9a7bcf6a206214b34a912b25b541f4d764006e12341af860e4915bb09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\12559D64E9A178EC3FD0C963DE0AE4C6A32D0EF6

Filesize
66KB

MD5
5a1f0824b16903bccc3db2d9716a12c2

SHA1
e78df992d35cfbc8f27e09005d2c35baf4f37903

SHA256
45c77465ff786b867c646d8cd05605f59cb42ae55877b0e8020d6e8b281984e3

SHA512
a79beb75f625245b8e9fe9e7a58f80b0b2aa28db088b14e42a07a34c4aee056a19bbdb671e66232c7be4720acc7349ff4aca82ddc2f19a44cbfacc2e7d19f7ae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\15E11363257C068CC7BC17C7E32EE7865CDFB1E2

Filesize
114KB

MD5
dba812e6932fdd7647f489dd8392056d

SHA1
4b42a3f2c4e4a4c0398f10e3c0ae3212419dd883

SHA256
705b80782ecfe90f5dfde637f7f4b05b2a7099a2c347cfe64f7c30639ce82f4e

SHA512
654107f72f73f6819116e51a728153e04691da598e93ad3e2791a11d9a9ec4e7c361778e777914723a2db2b669a99a71cd5ced7d480ec2e2f91f2a0b6004e831

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\1836A91F84DFE2731DD6BC61962D53BA566B7621

Filesize
8KB

MD5
85a7b576fa9322063c4eb6af2e8b6675

SHA1
c26265a7b37aab5960040fb46e0841760d4d0ebf

SHA256
9db4478099fa784f032a167856299b439709fc00f141b488d415640c446f7314

SHA512
c06913921109a344c7029ebd8bb6fc7437382e3c66995ff93bfa07b98dd9e61bbbc27d5f35574cccbef5e8d11441ae56d8e0cdb78c16f85b3a36c257da007cb4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\1BD32A2227BEFB27210CA45CC11DFF04F8CBD40C

Filesize
349KB

MD5
6ce89d28e79ab73d08b50ead5b03c7ea

SHA1
d2163253c92287609ce8be41b98176fab7e697b6

SHA256
56aef5ffdf3d3916a12616152485ba457e8ae21abaf09281fa94595171056f01

SHA512
dcdafbdebaadae7ca05bfd0a62be50d73c52f5eaf1839911c6391f3c3c86a0070869c5467a23fae00ce635b2797eedb5f52dd3b148b912ee6d1bc7feb7f1dd3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\2214607B5A1A8992797A3CD8887144283A1DE40F

Filesize
41KB

MD5
eb98d94593424e49b3d4f06962085046

SHA1
bb7b4745304cd82ae03c12d7f1e63877e93c0f85

SHA256
2265d0ef9cad5dc0679817ae61c29bd976f9b8bef7da1b3e06323fe2ff90ec03

SHA512
ab3848c44d57eae13f0276686a79d7e60f15c1c543af92453609752becf739869844af721ffdfef2174e3e7508936664aade9c46bb1ca50953354cb1ba2cd61c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\262F908BB66C7DA19BB0E7F520C1FAC280894643

Filesize
368KB

MD5
d8b5b6c86e40d9d36e6c1bb5b5fc273a

SHA1
5dc0a7789b8afd5840e74e331c053625893eaf97

SHA256
7cf8d98779e71105b6a50425daa70ca3ccb1169de0e37d469c138db2f4b98235

SHA512
271f935374e6994534b3fee9c6e27ac8b79c9afd2cb92cd820d5566520a064a24075c8510a2f312d1a91e14bcd329b62afc5670c51dd6cdce9acdc738b2247ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\2AD509D45E759D0CA52ABABDF68D4042278342BF

Filesize
146KB

MD5
ea43afb29a0d96ba46494a0de1b81660

SHA1
e9e3041f3009b9680a0f2dc233f71ae9d2411b28

SHA256
a5e416381a82f4950555c8654fa480cebb75532888ee46a565e477fa623a5f7d

SHA512
84b314dc82638de51bc57247fe5ca231d58aabd6076771d440f0569512b19860fb4df5e3eaa2db44ba864cd1ee64277b0b93f1ec42781cd1e616f82943b3216c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\3A37EED3D1E6B3845C02BF0570CEDAEFF93A93F5

Filesize
75KB

MD5
08b7bae6f516951f7050182106b28b0a

SHA1
fb5423478d85faecb976aca98c454a56cb51af45

SHA256
d2191b6be8511d7ba30c39088889a9cc783e236fcc30c42313f852674b717b0d

SHA512
dce2414ad1e904bb4143ef75a11a3e5a5465a112c8ce3192185978fad50c45835b9a2bf8d0236bfacdae74030a622195606125a8305a0f449cbb0d9fa8b1eefa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\3A8E73145A0F79B76AEBBC3E37176AF88740610F

Filesize
55KB

MD5
7f180312c3fb99d8a9c4c6a92c5adf46

SHA1
8ac54be64947be81f2635b1d9383539f0b193f55

SHA256
d5077c229ddb58855edf251f79b08fe5b457e4285d22be9f431c85e7a4fca552

SHA512
32ba796f95e274183413839bd2a994d196df5f94f179d4bcb6bc93e105cedf9e52cb66ae714742cf2bc8301c2a1245e340ce4e5623ed35bdc49e3b8c6cc19c18

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\3C80F993DC63949D4D82EC3113BE18EB705BB5CB

Filesize
510KB

MD5
c9a2de684734087320c9f17f40e3e6d3

SHA1
b134d5fdb249c974d5198d8af998e758eb6bc8e7

SHA256
9430d9b8bfe747cb65cc7cc32d09ac4327de720784646cb38b6360b61d759a89

SHA512
6593bba763e9d20df9d6cf5e612865ecf71f1efaa9ddc4170e9ce1627dea096da83ae428fcab1ce274577bf67823af3e1037614b1913d2babeaa4c1b8b035038

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\473B05FD75318777628C540D443145FDE2BF946D

Filesize
15KB

MD5
245d40380b04c456de0a374434695f34

SHA1
45f9728ba103a9370023d7fb63d1bbe527bcbaf8

SHA256
4bf7b0200a80505b2784a0548867659cc9b2ff7f4a537895892879c367c0e637

SHA512
41f7875479d1c4a82f2d61ce63c0d90726330266a8c31689c3e06b87dd40b118ab2bbf19fcbe1d97a479feac229239373f8619a6d7e260bf34a40c89e1f0f5c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\58AEB49DA1AEF943E858DD10D97B12C8EE41B193

Filesize
75KB

MD5
09ea78dfb2d1a334da8a00de1c175b53

SHA1
8315f8e5910843ef17a0f2d1d52bad61d50bda2b

SHA256
842cbbcb0f3c908056890e3f4bea697f246a5de93be8ebe07ab12880227ab5d2

SHA512
27016bdb1b2ea4f5306e784860fbf4c2ec9b6a24efb632d952d3f686d3df3cf1eb4c65f51074d8dc66c5c373fd1c86be0fedbfe2c1899e656c1de9de4422dab4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\67CEEFB4683873A101CE5094770AB8CCE460D246

Filesize
510KB

MD5
bb07f74387c1c6f8572af17882117c29

SHA1
3d29f209bd354346d71fd917c50fc4f4415f1517

SHA256
656d669b85977e6476f32474f781f4dfd1ae80aa4d06691d02a1c3910fa2882c

SHA512
f9569d45b20f6b03b836e53701b098ff4698a408443910e0d0c28a9ea993557e805332446eb8395c5cd4315c905baa2d3fef36bf37dea08054d5414522f9e00e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\6B2FFF9D5F1B61AC89203B7C41DC7E14E67AC203

Filesize
82KB

MD5
378e49837b4d9ff7adfbe8b521d9391e

SHA1
4748da168d8a8e7c618ba529161e057a334e7e9b

SHA256
ac1ebe4bc527a7a87e4760252795fcc09c66e126ee1a8f9af0e14ace76244bf4

SHA512
62daedade773b3fb2fdde45439c6f1efdc05cc4a7288d78a8030d0c4b1e5e5ecfc79c01689c43e81687f2cfe72eecabb1f937ab3e445c9df9c547cad0ff88b32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\72BC9234828975C57D6B1BA2A43C31BBB2A78845

Filesize
53KB

MD5
7741a9b3ab6339afa9f7043c67acf804

SHA1
e5420ada77a0e06f607dba1ce0e7ad75ab3d48fb

SHA256
b2d0c2187c88eb0f85eb7f03ba8c06ca7596ec47877af1bd9b98a1a9fad2070d

SHA512
f9874e1f93433aa56aeb55d732730ac14ec0d6a832a1519983e034f03fafcde2c9551579d570a2950472e3ef0a570f1392185d8c790faa8eea48f12c345e2905

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\75F4AC2F3942FF8706D495CF12C8746D4DADA1C4

Filesize
219KB

MD5
3fb1be69cff7bbe72ef4a040eb6fbd8c

SHA1
28a9e03e6f8f725d91d138f874a65d944e70d284

SHA256
6455e2cc52a1356aa61a4dfcaf07145f266f27560494d061f40f348229812bde

SHA512
d8018e78e9771935f2ecb29cd6bf49ae7d7172e53b6cb339e471baf9bf76983df38407665a52ed13a5c10a0bcebb193149c5b8c8b3a149682ce42a1edaed596a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\7A43435BF07F7FBC937645C8AB9117BFD47A5C1F

Filesize
24KB

MD5
e873af04e7920d2b962e576efb80d002

SHA1
2ef63d371dfe603d371382871aee402226718bd5

SHA256
d7e42166fe337036162b41016451afebf50f4735e1741104007f88977e74a933

SHA512
eb0cfa6fdeb5cf9f533efab825170b0844dcd3e37f3e9d7c6c893a2ac75ed1767ca11f043958e33a7f4f3ea150843f796d6e0d8ebb7fd018b13059e4797c98e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\7CE87540B3BCDFABEFD4BEFB6B7CF85FC786C092

Filesize
16KB

MD5
2e7e5fd53d90631410c7fd5abe46b54c

SHA1
076d520a49515cef6cceff46025c29830a7a7153

SHA256
b574135dee4bdd17d00375b0eb7b96bf4826cf1896c7bc666aec0d8fad1c7be8

SHA512
807586dea200b5e8c5a985307eac782774748ab0b8d60448bf23fdb47c9e1cfbd9c65a282bdfe37cc615abcf10fe764521290c090ce00c0cbff982e0128a2343

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\82B81BB61EA899155C10FC08A7DA18BAFCB4B348

Filesize
129KB

MD5
fab7e6473375f63dd386636272330101

SHA1
3dc75103b9437a93d41f6ff6c80f0eb49a3f82ff

SHA256
725a00da517c40fb986209b881010d5e82b2debf12e2a9092a09f3627f4691aa

SHA512
a1ce4e67f8a4c8a601e99395cfc8175fac3535026fa774700ed5fbe1c2f0ee0804825c3465abdf791c714f2e1d42b2b51fd2b47bc97b37d18f7a26630b76c20b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\841D79DB9BE024C63F8E8F26950401558E9F9F0A

Filesize
15KB

MD5
a87bb52921d2a0c09427e422cacdc0f6

SHA1
ec79bf4f727630bc751e7ee47c455fa536ab97c3

SHA256
5408c2ca022ad1398cd044e55d375bd3de7c6662d76977d82e69f95a1e8bf0a9

SHA512
dc5069f00488829b8a7f2bbcf088a41dbf34fc40cf98ca70ef04649a0bf5a47ebcc82bd70d3a628f8ba2059435f6b0aec05ced906253ed09672f4585b4b386f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\8C980843E8A28E73356B390C9EBA8762F3C5BC76

Filesize
15KB

MD5
f2c300df7cb9a9baed799c03f1a34ec8

SHA1
61ba0fec140f468f50deda4396680697ddc368d5

SHA256
79acfa8cc2a80d1129b411a93d3b57485bf235db121252fb098115ccde9dadb6

SHA512
bca2da0e873ca639413118cbb9b2551092eaf7b335ddc73a875454f9e97ad72309ea8ff1b2f6a47eef3bc83ef8245ef809172e774c0c1bcfe690093f67bfa385

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\8C9EAF2AD7BD9B5A71422CC3D8D195BC6F138043

Filesize
58KB

MD5
5c6d5e96748506e3c7e412c38ebf2b3a

SHA1
58689188a3caaa06d0a822222b6b53661e3394f5

SHA256
f3c5a3a586e9f57d42100169787be3aa22361ba8ce2b2d2c37863d1130787497

SHA512
67114a0bf589fef0ed43f26aeabbf32e57cbcbe31f7c97008cf1b372c716a6cd2b5d9754a77d63a4d0edf3fcd58626b98ee98ee7560841f57c3dd1ceb6f0924f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\9067C5E00B24C0E37982778309ADC0E329D1168D

Filesize
104KB

MD5
dbfe8834edd4221df65b3b4ccfc38580

SHA1
a7868c9c729586dcc57b5ea5fe93ea849f2aa637

SHA256
2a86454b4ef34af06a57a3881ee7f60bf044d5903f4c5a1203238a9f2b4ea38f

SHA512
bfe67418658879f3cc5bf6ba5a577219aec6286424b23638c532e9a7a0a316d2ad1e66c1ef816b75cca4b14d513a29071bca683c9148605f75a3e12a2a9b7d88

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\92BEA6FA7D6D9FC0B47AF86DBC49A73E514F4B18

Filesize
16KB

MD5
79acdfa719dcf130fcf832cdc20f2c6c

SHA1
9a80229b6c8d659d671a098714136beba1c1b6fb

SHA256
f57b49253b4a0cbc0aef26af7edb610e1bd9a729e6b82aab3e3856f50a3f86d5

SHA512
46ae6cc63f3001db092e6167e993a522d16d93f52ead4b3d95a51d15f92f38dfdf9b5e99e0e3d05b42d0e86e0149c0fe2dfc93c65e01a89987eebba4916a81c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\95001269B040B2CBB6F8D604A740CD028259B1B6

Filesize
46KB

MD5
e73eeed510348131a818b0be84ca2a9a

SHA1
46b1804a50b481829a688f0c56a1b6ba24870f60

SHA256
972288413b19dd8eb28ee514db069221fd10674cb520410a12da7f884438463c

SHA512
77570e9e5bfa6929b6df1e8ee58673f6dc79d160a50f8640b05a36db098c376d24ac8485f45791b6166c8b8a54674168f95943baf96119538c4186d8dd5d4689

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\958297A83CC39CFB212C7BA6459D94C9BB992B7D

Filesize
17KB

MD5
83308b7470dcf0e0c8c4d5eea30970b1

SHA1
271a55ff227dceb940f0f474a0ef28ada9c3cf28

SHA256
8dc0ac68719e05bc8eb0465990c4e188f21ac55054bd324189d69c48ac4e4ae4

SHA512
5a779e0bc74c6731483fbf35801df82ffba4fae87cfe554342ef4d8dd8b99a2b14f77692c5cce2dd287a16abec39d323f5677613d1f8ffe09bb7154f5305d3b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\A464CFDAA5AA9F027AD990ED5A30A2FAF51BD253

Filesize
1.0MB

MD5
7e4a615b3a0e73eb54c8a7d4cbff208c

SHA1
39e50238a3a0666e3d12b49e183211c74c11ec8a

SHA256
3c4d29422cbae3678c45a41b39f62548df1897859ac86f735232940845ff4a00

SHA512
987206ed73f9aef987c1bfa56790912f648aced15390617e2198ad766efd225366743a87f30af95e36a788836e5d5cf0d7c54b152b03ff957e628b0ce48e3c75

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\B35F13E1B7A60BC026320967724B19553F261EC0

Filesize
29KB

MD5
a408d21cc824cbd60cc951db7ef910df

SHA1
dff0b09d787a490c936469f11437898cd02c11ec

SHA256
0a5c6b05bfa4a95a122a1a228b33738880049f732f6a98b3bf39f0bc3abcada6

SHA512
0fbd1fb93c52a4ef86e967ae0f3533f0d5100ec0a92e26dda2611aff202ea6246fe87cf80b17f8e9e4dfd2776d772fe19bc2e3d684b7e6a2a23e67f9def8ca38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\BC96E3B57D4FA937B0D91323B8435ED456A97BA1

Filesize
4.3MB

MD5
8d13226079d37ae11912f8f9ce63dfe8

SHA1
8c9e9a91f24c89a60990819126fb4079053f4897

SHA256
058325bac80de84fff414fb61e6f1282c21dfe395b0c877b0864c7236f69dfa5

SHA512
724b893acc5e689af9a03a20e887867e6ec0ed05a00819a97521788022fb223420bbfce2415426ae74111fd07a9db39d34f7cf0c642fb06e08f5531c4daf317b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\C0509486060D51D069C2377FC41322B6671B568C

Filesize
32KB

MD5
01a4c04606aa6bfba910640ac812cfce

SHA1
b89b947745078dcb48053a4f4cee09bd7c15d3d1

SHA256
b0d875bb17f2e13063aecbd68f9348a7ab0fc3309d9000f7296683dd5f33b2b2

SHA512
1d48bfccf0e0ea8edddc26c8ec434cc6915cbe24114ccd4f7bf0593b9e797bcaabefa1e0cc147193ddc43fc31ed13d53f7758dae0d7cc09aa2cad7398af645a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\C06EEE54A13642913D4813DA5D8ABA829406DB72

Filesize
23KB

MD5
d7ef89d15842db1ff297656e61b95120

SHA1
133d71f31507b0ce7590904ce18005884f07eda9

SHA256
93d89ad761fb68c5feb81352e02bbc05543c11e792857ba92616f05edc4faf3e

SHA512
db37281805f2521df7f10097df3c8137dbb2f1d0ddd3cbe044c72ea07285a37a9394f47e124904e0c8e003dc6fcc662bde704e9188c2154406301723ac64dad8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\C36E43DF9807B3F32DC671F07F603574753FF4D1

Filesize
13KB

MD5
6e41aee3d3343345754db76965091b54

SHA1
fbfd4da99fe74242bbfbe88874afb2f1103a3194

SHA256
f1f2b20fa915904ef2dcbc8b50adff3655edfbba3a1f01fdf2493d2edb54ab34

SHA512
f220d3623bed41a43b900ee32b5415916ee0bcd6fcd4ba6e84b62ae05857f97f92b8152c950d8dadfbb5cd614d572f694d0eeaa83412c03bdd586367899cae8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\E8A958EF9F5CEE78830B36504C93663151918603

Filesize
1.4MB

MD5
abb9a75c44486eb4e89be75040a07f65

SHA1
4b5f4cd602b21be37635ea2947d2f293604636b6

SHA256
5c13a19ee370222a6bb5bc80df1cbe95531ef8274fdd5e8bc7d0199cd7104ea1

SHA512
0856063b2a080dce9d70a9ae6adb96bebf4609352c8d47dd81b5fac76c6632c8b8510217869ab6c1f83689ff3aa270b436e7191447dd9eed26bb5266c0394a9a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\EE78DD60493EC7D9A89B564153BB4C24EE69C9D7

Filesize
363KB

MD5
1e6b61a68417f033d7fbfbc9cd888370

SHA1
c3e4d5a74c88b13f9446d5551e0bb158f51476bb

SHA256
9a212d191ad6046505fba169a2a922f2c707c8f352e2413a57f281ea3371b367

SHA512
7d81351823e254774139bb2174a9a50df5bdaf3dc4bb3e68568910ae406af8ae6f14ebceb424cc053dfe10bb9bec100f230378a2aa2fb542101f00be67c89eb6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\F44AF5F07A3E64BC6EDA6F57323354F5374EB5E6

Filesize
277KB

MD5
77b766a7ddacd0fdff306c19548ec6cb

SHA1
1da460cabd1167a20afdbad7e034e02399ec8d8f

SHA256
3cbb7fa86e946fc4a53d4a622d2bf23ceaa0f46e6df2b2c71bf967331684b15c

SHA512
ba2382dee1bc82e4b5bc9862b90d25960e845be98933d1f65040aba11e71c8d2fca46f3c30760a56d3311cea87dde508bba10271878d18c4c57230c15e40c61d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\cache2\entries\F750474E830B751B9E8DBE0307124A0780539A28

Filesize
12KB

MD5
cb7a82c33a73aa3c21cd66d9bf90918d

SHA1
a504dd5faf569aee79e98e122a932820f54bafc7

SHA256
43a12900eca18aa79d66ab4b65236d40677eec44748c26e405d12473eba41a5f

SHA512
8208fab5bd6d8318a8ef8058e0144fffb291f44976c92929c117e9fd8142dcdc123d0e63b56e8c21e48d6e0862f9950163ee6d86c9c2283b1b28490ddaeae251

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ac69yvjb.default-release\thumbnails\7e10205b1b9c99630bf866d89d92a8f0.png

Filesize
38KB

MD5
f87e9553caf489fffead1d021c979c3e

SHA1
a59a23310394f624bb3e7fa98149ccb3ed291f89

SHA256
7c9a7542094a89cb31e2fa5dac913e24449ffdb715a902fe84960d3b80cd93b6

SHA512
a16b9fd3ae3aceb50b9e67231f7b9fb4441a786dedc6b088070c5d27ea9114950a885def27b9259d1050ece6fdddaef6e1b29db23dacebd9678cebfecb308ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5068_1919224082\1ddbda11-705d-445d-9165-8d85441a5cb8.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
f22e58f9a62aff8b58ae985fca72514d

SHA1
ec7e771c6c0aaa161c39172ac1d3bf8d1990a4af

SHA256
5ca0b54deacb355185d10439198fa8259731f497ad35439bfa6a08233d92ae2b

SHA512
22574cb4c85fe00a50792882b69eb3e372c9199fe0f9b8cf8172565ea40dd0bdb68cbe35fd1bb7dbb6ec023e0d5dbd434eb0d517e2b58078b6103cba3b514105

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
c91c7fe24d9cc36d782717c678ec43f9

SHA1
ce9cc6756b89ced8d313e69021d83eb8d84c683e

SHA256
e0067b2c6de2493802450c6fdba4f6f391bd20b12bd8dc23374d49b553aff5b7

SHA512
a276d658f6e03a22217734ce014a2307eefea3622b12be2e2748cc67f7cbc8a86d3cb3a17387db8b02f30a6b4d8824028949e35b745cfdc22adfa2d641c300cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
e116f676724c7eba0d3fa11290019e4e

SHA1
39a0a524a32f543812d21ff85acb7da618d56cc8

SHA256
38d26039ae67718fd6f0242705733f294cea8edeaf5693f7696e30900a24bac0

SHA512
732fcda1b54312cf5096c748cd3e8548c1501e566f0fe12734a8412f50be9243f07c86ca4a8937aa1ce77372eb0060280bff558f36cfee606b1e1c1a3d59e1ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
0c920955b78d65f2622f4301c585dc13

SHA1
89cff9e5c70260c4c766acdcf7301c2df481a16f

SHA256
ecab1bbddc41ba755357d831094bbb2722c9ac262ef3dbd2d4e038eb52098aad

SHA512
c03e611870cf62dcf078dd3477bd0e56bc37b066076a6b82541fcb1cb9a48a30c1cc85736039f4179bd9afd423558b48866ae49f8fcaba37d1ade8c16b14ede6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
c491ccdada9f8a5f5d2db2a795dcce6e

SHA1
5acdcfda82d95e43622907b463f8cc03a7530c29

SHA256
12e620de819a00d6e70ecc0ee4b36ed2efd0837d27cdbaca0038fad06f9f7e88

SHA512
a7581446aec160e8b45633f92d8e4419d2f56077f58a0ebc86d46257c91684c5d7253ffdfd49a699f53f3bb3f47dd17959c42c169058682aaa59cc7690904f88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NIKNLZZGQYVL8BWLO0K9.temp

Filesize
19KB

MD5
92d17a72277ae9502c35525d54170171

SHA1
1614868c3d03b99017d4c91ff582d58649e1f732

SHA256
2fd232e7eaf65fb95e209dc8ee3c11edbd893035d0ddc5e4179d371ddad500a2

SHA512
2806d636ea080c1bc65c39d6dd23b640460bf05ce92fc594ee1137f43633447dc69261048d2e2e623175ce4552adfbda3830c695f63801e79e93fcb161d67c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\AlternateServices.bin

Filesize
23KB

MD5
183deeca4a40cbd150e610af241c524a

SHA1
a5c228393ea5123dd9d80fdfd650ac296bbb14f9

SHA256
fa1f5462cc2ab8766db4dc0e993bc822d418d6d8802a878c8980d5b5a0f7b048

SHA512
12bb919bde8eef485c1507c00493a9a74527121bcb0bf54ac4a6ebeaebd03fa575b64599a09dd8fe097f73fcbe91334dab9dcef83736f7ff0862fdda93cf429e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\AlternateServices.bin

Filesize
7KB

MD5
3ba4cb685d8b9517333cc9ead3f228f3

SHA1
197515dff2aa3b86d18a02ab765b8099f4febd33

SHA256
c4a1a4c81ccb0160dfddcfa72a491ba9babd09b70aab5c7c44ea59c2fa951cb9

SHA512
8dbec6b3b6224b98f54ef6027b040e5d7f51ceff076387b6be71be86a9f433965544195fca170cc5016720515359760b4edf3396a1cd481e5b29e27e4045c323

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bdf7b4ea7e4e83c8c871532a0e4074ae

SHA1
aaf54e6eba2cff04e983af84699ad2592196e718

SHA256
7dc2476aa63544c292cf91ef7f7c432f381e7f6971a3857ce5826252e8a4d2e3

SHA512
17c48548b70dfd7c4e92eb880b3d693f057f9eb72f28403560bedac895d4af46669e8c3d2e3aabc2bf9000d076ad1dca5a921cb7c6cbc015c4df0d8cbec80dad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d6753b5c8a6d93ef6a83b9adcb8ba4c4

SHA1
b8a9d69b3c2e345c9f54d385593249635e2ab62a

SHA256
ac5adf953bc0e88466a619251a16be32bfa402dac6319bb83891346937627948

SHA512
a57708ddb5f2bf195cd5d1fc0bb0b359bb6bbc98e9a90dca1898b5ba78b8b005a340d9de898d0936cf9ed5406e9b616ccf61009eb71725ef77a0ab270b36ce0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1eeca0b95e27832e01e8510fa43960bd

SHA1
a285ff2e019c9ed1eb00e13d898d004cf798535b

SHA256
7115fbc56c5c65e96d438ea1e8f4c3b7ef8565672872e7e9a12c34e85b917e80

SHA512
05937a33f1aa2d2224f619e18e87dc9c4b7ddf705a304af286562f92777134deebd87ad1ac78c110fb6ead52a469f3852a1f881407ee4c6cceab3204dd5f7739

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
970e22ebf45d4abe9246113f240fe246

SHA1
1dabaaf92dcc8c381e1a3cdc70ae147fa39158ff

SHA256
b24cd3c3f74778082a6e6cb00699df444d52ddc2409ad14b16dfc336d5100c64

SHA512
78acd8b7b02de346fe4ea2a446841884500d3dc91a130ba890a2300dc521f965a47daaf7fffb9820a07845e2a2f41fdc81b83c5b25e114860ff2d3c25ae796dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\pending_pings\2a5b3c34-a060-4292-a745-2a072ad54088

Filesize
671B

MD5
84c3b964597a68c5dfa50d0a6e15bd2d

SHA1
2b1ab6ce6f3b11cf14f9972123249f230be2b245

SHA256
e5c14fe0818ba60e7b62be9b7250d297066880a59eb2c2fe77ee9a75108c90cf

SHA512
78b4452e3182df2f078f0de92b0a48a189fed3ac94ad047da94811d51689f9a9b6f33990630ee2d6753dc4ba3d48108efa1b7e175e41b4413d1b9c5de04f92b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\pending_pings\47dbc28c-b426-4f6a-8872-500ccfd047d9

Filesize
982B

MD5
e2eb750bd8fd62007c5d0d6567d40275

SHA1
707625933d770286784c359607cb31a47338db89

SHA256
d148201c1ff8584fd1d32ea6ea71ab80ac7dc5d9b58682d640145577126f04fe

SHA512
fb1e2bb567bbc05258946134ff2895dc50866a94474cf1dcd850e72dfa1afb7ad456fd73a8ebda02a1a0b58a7a12299ad81a89c9a4b46f6d6e05190deba69de4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\datareporting\glean\pending_pings\6fc7e0f5-653d-427a-a47c-7806a1183e6a

Filesize
26KB

MD5
b8bc1b5c44c45fde5878cfe9597100f1

SHA1
6c45840c7e5d1e5b4f688599105d439bebe485ff

SHA256
102f3073992435ac2ece20291f57b4ba80b917a8f3b39522443ec6e96d3ab20d

SHA512
55af6cb50e35a50e960e9d9d95e78b0a755df0201e5d515450bebfd78cca207c41572ba1b84c518daa62d4117332850baf5fec83f269c92d7bf794f52d644493

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\logins-backup.json

Filesize
742B

MD5
246d5d9f2df8559b49a9e33d96bbc35a

SHA1
75708265d79594b79f0e9f607db960a6c961b89c

SHA256
be8fb244579ff5165328f46036efbc79a9416e450ba93fd782b7e63e5cf957a2

SHA512
278c03feaa8b257482dbee462807217cac1cf5af5663d31b5b9543fd54b8eebf619dc098715ee77706cce341ec26153139e7abbe31eab4c871428fdfa919bff2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs-1.js

Filesize
11KB

MD5
103aa2a76efc97109109edf385580600

SHA1
61fb673e2909d4d02844f30985a07bf360708725

SHA256
3446720ee38f738b0c855a20f222d57476318ad42bc63bcc60ca69b62c4eb3db

SHA512
1a24ce1acffc3822de031c7002340fc1cb55e510db2f44a8b2c6409cd1ec8eb0fd51cdd62b05d3a35395f9b3e50b07bed944fbc0c0bc5eb8247cc1095f6439c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs-1.js

Filesize
10KB

MD5
e83cdfba9324663c960ceb6d0571e853

SHA1
48fcda253436f46105b18ecccde468f824cc11db

SHA256
f80b82467a15a3a71a625394ea676bc428436197b4e373d85f600a9252ecce41

SHA512
2b144f627d132755f431d469ba817573e4f908b890467fc189c139a953b24bdf3f3c1319860e786b32a07828b37f360802a644dc75d27cfac1baf0f48c55bbe9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs.js

Filesize
9KB

MD5
02b1db0a7969767e2cf459c83148f399

SHA1
0c054ac7963bb2dc2858940848775d4329e79adb

SHA256
a01673f85be9efa4837c5f84c248d388e38689c62964af77a51d697be295abda

SHA512
05c219190a6548b2c5e21b8594958721f49fd69430d0062695cd21e67e1535fac41a612cc33d25c4d88dc4784be5905dca4e83fb7a0ba3db117b44ab57d0d7d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\prefs.js

Filesize
9KB

MD5
733a56ebffc4df757f08dabad407b76e

SHA1
fe79eedbc25a8a58e2ec1a0cc857ed6523148823

SHA256
3babbf0c8944dc86d0c31ea1a9f375d4480476405b83b2d692df1afe8a626cbd

SHA512
dcd223f895379ea2a1a0bdf5b22787c2b5af44c18a80e46b361a0c2a83cfddf28de6b1adf12c1d83b91a68f7e150ab10efba983df887e15008f4023d8693503a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
74ebdf7c0f0dd38e91b59a6dcc44d4a1

SHA1
926a20761e98b369f933d367b0d3b71465451a7e

SHA256
d3100429e07b820860214e3d966aba041b7f0338426138fc07dc3aae27853219

SHA512
d803b36c585b34acea7f3e3bc97c2c2add287e53f0ed21c2bf6e9aa4fe73a1db7b2e6b158b3c736d089690b49b13924fd021a0ea7fc3bde7ff858bd64baf60bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
b5ab3cfb6b9396f353a4367a6d78e5bd

SHA1
527a4b003815886aacafcce80f385ab4f31c5c07

SHA256
291df1f6fe628af81680d3bfc8fa8568e42b57f088d88bbbad0964b9b4d839a6

SHA512
5844f39474ad78228cc52ac588747b37139fc8ffb0648058b69a42db267573e91d6a4a8248bb6ca5f32b93bbb01e27addb5217616ab943e610d9039f1e8b9e04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
cbc3b80238aeabd09e1471fbd4c946af

SHA1
69d798f3752532b2d77058c858368269400c6e2e

SHA256
9a7f9413677b4f2e99811ad86878c4d00266eb92e0c60a46255088cc1da139f4

SHA512
2160345f8f761bf48a9a522920772ae73298aa45f20c47bacfa4aaf548898ce380461c81bbc41961886adc561b06e9e7e9633bf24df402d772a47dee1aecd461

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
8f721c066585b4c0c9573b377ffa7974

SHA1
bd9970cc653ff01415df2d881bd002d19e4e156a

SHA256
93ddba5d0c115097b48c06581ec8de400012cffa4599baeb27eec812f1d22db5

SHA512
f0b950a2bb45f74fae1db1205927c54e379b4068993fc26f1c010996f8518ee129277605233343e0b7efd64070c4ffdfe85a98acbdc4cbffcb77e4c5e44e2c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
34e29b2a8df976cf71c8a416634474c6

SHA1
56a2d9155521a9d413db2e22adce0b539937b9bb

SHA256
ace08ebbef6bb6484bf559417039047692ddba927d9d3299dab221c33d1546fa

SHA512
a8f7926075a559c096b6f366596976adaf52995031f439e684c97fa416162798fd422a8f2c13ca047f3be2eae997378502ebd09395cde964c40a4f0aa138938d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
7ed1a31b4a3ca86cea3fb1a99a5c9209

SHA1
3ec158f1fea8dda6668cdb9622f7aa175c1092e0

SHA256
699b94a078179550d415fa91f40f974d6ee2e45fbb37e2dbcd3e182ca8d316ea

SHA512
41e9b26b7e7980d2e355e004a2775fcd268893aa88419fae7c35cb4efc865b5687e6d7369dd97aa6e8acf6097c4287965a6ada25de2b82225433a6e14493b472

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
fa758b05e4e6be188c05ecb2d97ca33a

SHA1
f8cd8a2b88fca9fa00fdce8e48802828f2beb13c

SHA256
35a04b7a780b34b0c9152bc05ca711c7bb20e56612e4185b608e9c8e1ddaff63

SHA512
fc8a4336e06b5bd225da60503a196cfbab97e3875d1ad8b1d2f7c54154e645695592a173722657e3daca2b6c7459c9b9237e2fbe175890e8705d24ef18dc2627

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
babaed75a7cc9361155536088d7886a8

SHA1
c5655578c336f8d78ba5163354dcf0811ab8cfbc

SHA256
5b3f16c29aabfc7c1a8110ee0cf152b8e40ca991b0743c1d12a367bde22caf98

SHA512
d27a78b12a4244780f656bcd016b76afcbe4d2f8999b6e516a4d08cd75f196eb99a9b55f7fa9b0af998d82f6d9b829c6c0bd2552262cd9b2dd0a07c25fa16035

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
16572e254a1d991183c33496fa759b9e

SHA1
39a444b8d1f57c1b25557c792fb107efcfbee01b

SHA256
f7bd9ba62bc1799c296b8fcbaf1cb668af539463e01ab50a9554f55dd4334fed

SHA512
791aa32f628c62b3706ee4d3651b5275c2863707e9f9545ffc68b044f600d23e4ba878e286fcf5383477073d8713dbeaa9208533dc2807b3ed11fc36d8d1c359

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
4084bd13503a8f6a3d690dbd29d1241d

SHA1
15faa6b547a2bc15cfcac3eddd9920e7af694f2f

SHA256
a097941194ffffa8d0e2cd81053bf450ee7724039c98377d22293464aac561a9

SHA512
e85b25309e4c238892dc1f7c0fc9a2c263aa8650ff14a5b3b1c69f74f036d56749e0704c5a186f6b105376983084a6e79c84c450722a5d249b901627f05da92e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
fa2386dae6561416f8d723d3724e48ae

SHA1
2fefce1b6b8da805658ea421d1c83b42909604f9

SHA256
86cd49699f7f9d3198410eb519f4673a8c75aaa33a57b4c50bcbe544d619f30c

SHA512
6f5e1750e634342d7fbff5ab7df709d057465af5084093899c54662500caad60be34c637b3705e184632e4ab0ffb59746a4252ae82cf25122658501be8e2fc10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
3ff412aaad1d79bfe9b1bd5e467854a6

SHA1
cc67b7eddbd7c874d5c6a7f57f844fb3888893fc

SHA256
39024293da9544ed40e018abaa0427b99edd3f0116449e61edf10644b39acc5f

SHA512
9ece7e06e16f9330ac03327a555c306cf7339dff3a658c9cdd8387d40c9052fd9312d932f805932e65f63c95931bef36877a4df66e3a0a561935d34699ffb35a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
682404a19f07448696d3471dde25410e

SHA1
39c0ac6a1a3743fed75d8432ddd44ec823038d7a

SHA256
db0f23e58d971cdd706e682b207396d1b0d7c25109580e291f51acbb15783253

SHA512
0fcc4966c4687aef9911c357d3e5b0b56a309faf3f780dc9e22d1973bbe05d1a24cc6ea970f9a265d75cdbb22c6d7b226481cc3d7f77f70fad0b57289e1ef5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
a03936eb707b589889dadf66b1a83b6a

SHA1
8ce365b37af8677c9aff1d4a666ebbea665a327f

SHA256
0ffc68c81a08ff6a1c16df1c0e01c5407cf1a6be66abe84efa4a6c6f55c42602

SHA512
eede7d7a836396d338eaf2b9b5ea109b4a5c259d615f2282ad4abbd69ae69e8a2685a68cafbb78907be4d4d943d74cdb30ebc73943bbaa6e31f76b168d7d6640

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
27KB

MD5
b5d7545ba4483b8f482e0e0a7251065a

SHA1
6d0700f206da2ebdcd2f6715afa1658c07f882cb

SHA256
2372f7ea74b04790e77f4bca2c3484a48e424ed0ec4b92292c3083245bfc696e

SHA512
0d75d708f02e90577cff12f090e45380250646d66a02eeba642ea9717a4900e5ee0713e98137b2f9be27c59d16eb785204c49c0212539f4e69d6ec1e89647910

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
20c8319ff8932f207583b673dadfc699

SHA1
c4b794e091da9b1de58acfb2a0e4fa116626accb

SHA256
fc3d76918e2a4917e9a78ab1c87e2010e440e7684f8ff1ecea890bba3a50e789

SHA512
849f405e5b06ef8648873b4963c32607328ad4ac42a53a39acd3ab41cfd90d064b5c2764579ab6df3188cd201ad789d1d2e5f35f1176bcaa288fc9e018b4b2e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
c9b3bb8c6968a04f007e189dbfd5a10a

SHA1
e2cdac7c8c8bfadeaaeb71a1898dbf70d50675dc

SHA256
feab1bd20e97c476cf21c721703a34512ccdf19b2b235205a6c0657066a177be

SHA512
c7093a3438b3b0bc1022ded8b5309ae70a3d0c0ff811e7756bfc0dc6d2ad0b34e5aaac73edcad779e0cd96b558fc6d288600a729a0f9399be4af0af1d9691d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
8727a7cd810fe34e21122183b4e7d18f

SHA1
ed9a3858169498a9cdbdb1f1ce299f2d60752b40

SHA256
fa2d26ff083d2c0ccb6bab6da6a0201a69ecfef930ae3fd2efb6080236d28791

SHA512
22482046fcd082c63cca503b4981fa92d2d26eb06ca5bac92461063767de5c0496ac7f8ce0947510faeac186fd6cd313c40c31aafb9220ce3033b0432dee4fab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
2f7d5f4867fec5d38ecd98b96060f908

SHA1
769e83f80df90af05cfc89c7728654f9d020c2b7

SHA256
9845c43baee8349119addc0b29e72f952d889cf51eb3abc799ed29468e4c3961

SHA512
db756e85271fe58d45a8fec99306cf0bbc6a63546387399a0ef08e60765a32fcd7b3155280d88ea0012262508aa81fe7638f7669e0b2419d11fbe31a0e82e5ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
0347cdbb0421d42e04d57a4f9b0b1562

SHA1
81536b372b6978a2f4f7f8debdbac081658b7a9a

SHA256
d16a2b77b494ce8fed001be652b4847cfacddef4a7ba3b2c046c18f799c8be94

SHA512
0da780becb3e97675f35e28b2b970c98e02d2c616e4603b01895b9f20c29a4ec8e65b5c3e933c2fbd75e4444f38d87089d1f3a0c774a090c15518531b4dec9f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
f7c8d25081ee079f62236d967642fafe

SHA1
8a175e292419acc023a4bd32040658317884e85a

SHA256
c9404fb33981330dc691d12fc2cee7c2e6d883f5a4869de431a9385d61e6c66c

SHA512
1726bcb6fb4e76b9b509e209e3d312f32917b83f07a8445b2af9c6f64fad64a530280bef58e31639a297a9396cbd17efd83761c8e4b28e1e0b7bf096d3a0963c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
489d81b86b01c6d70c1aadfbeda9e1f9

SHA1
9fd6fa221cbf5b810cf5a63298e29e0f80935b61

SHA256
09c0ec61b717a4ce088cff6c50f815e4f4987443991dffa200200f8628179407

SHA512
7880f5eedad09d1ca78ed2afc306508eb4e1db7c1160298e59819beb4ac410899dcd05a402d1747e4202510f3456828921d991fc419e72fc4913804fb8f1bcc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
0f7008eba1a29081c345fafeb1f3d0b0

SHA1
f5e34de4d2324ca8ba4b0eb84a4baeaf15a2102d

SHA256
b92cc421cb21e45c6b67a20baba41ec160f2bd530f4148eff61e286fbae91b33

SHA512
6d851037ec7e9195261f0b116a8f857dfba503ba1c32836f7756e414c580df35fb550e9810f3ba1ef2d3e5a6723251d238b5b71666d415a02ddf96481811115c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
ed70b199dc5fed0fda27a3fff7609fbc

SHA1
843989602898dd44451b15b6c3263200e457df78

SHA256
dd2256ebd390adc7f423630ab693098d5d2ecd45794edf26b91c240ada641c0b

SHA512
d0bb428a9d2ef809c3fed2bd34bc03660f8d2100af0fa8fc08f7f684133d3e8f7a745df90196b222e04e3b93f770d9a8fc51429e1b6073b6fb75fe91cc186ef4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
980b889c1a6ce3271af2906eff56b981

SHA1
f68649700eace0c1a8d521dbaf5e976b40f91e03

SHA256
c959cfa2296c43aca51ddd34e909482bfdd651081147fb33faf6173dc131bfba

SHA512
767ea5a412d3acf8cd4967467f0982751bda28a356c8e4b8da7d1b102ab27fdbdbd29a9e2b2eca0e660cdd0fdae16293c171013f10ea260e39ff89fcd8189fb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
29201dc0bc5ef660184f69a2b9756743

SHA1
5f3c5c31c7bd8e1ac0f48f09e7e6b57b8b3e2cf3

SHA256
03985a21c47ae8b88dccaccc1fabc33cbc85467fe5a8fd38238bfa36173b10f1

SHA512
6b8c6e923d3c61d8785deb56e7219496085c5d385c5809a2a924a2c8ec1caecd6e44a732412a4b5298770bd79e03db4505b3ef4f7b82bbdbaec31325ecc9f1a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
11KB

MD5
525e5a4f48354e358aa07742ff3adbcc

SHA1
befb317d311fb0c6172fd51c63730428954d7b33

SHA256
17eadd0f13215acd509dd1c78de8c0b5da8268e4c1d69255bf6b05da9e1ac9d3

SHA512
6a81a4a043e8f223d002610f513a7ae4e52a7cfdcf5e7eec22a777771a525bcb221b56cae67b802c0286d855ec779e6868bdb07e783c33633523fac1ce1cb41c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
4f86b1350f9fdd5f3450a3580cd3e75b

SHA1
6bc053ddcbea0b8a984d1ecafc43928081ac2969

SHA256
f3ad1d79bca2170449b93afa56e7d293bdc08c7d8bd7015a06267bb55ad28f14

SHA512
6f7c386c9f4d893e24fc41401c15a3a066ad87c42219f4040f8684abe0dc8132f1d9b8ed25c9bebb96ec17a98712be053d440c0855388c3391bad92b2e671d3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
63261f7b091db199c3db83b7bec84231

SHA1
5c045a3ddf540b053b1902edcdca43ed9caedfe0

SHA256
910c28be448e6a526a4544d1899d48f0abc9e8ec93bdea78faf91c7df0f2bbea

SHA512
276232461a2b1b838795a7017e94056a27863a55e924bce5605fa42666fd60aafbc48b449f5882478ce6adde5d6d1559b6b0f917f7fe7c45a7fb197c5e14f70e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
21KB

MD5
65656b2f2063825dab83265ffee65561

SHA1
27ea2f4842b3287ac23c50286c98d67810fbdcec

SHA256
7692265708ed7c617ad013bc3bad06107721a553bf35fad8ca4625e8a8e79d39

SHA512
b268aab2f591c5bf9bbf9c96c71d25b498eac95d3e34345ed5af728d31f5726ae77655767bf3c6dc2a4ca8c59505693f7ae072006c509574d60576fef45fc031

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
22KB

MD5
8af4be9cc0ae81e66e6163dc6609ecde

SHA1
f678b7487f5c4f8c0eff1d47d7123e420330f6f7

SHA256
bb58165947652ede668dda0617e37270ddab1f894e1d5bf2e5bed4bd07e038ba

SHA512
4a0352a314c2a629323440970944ca1383c767e362727f702b5fde4419b44d463b9add19217538203cc9fcc10f13eb81c9496f1b597808fb352489974b7e0daf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
27KB

MD5
d6e47a565fad36e3b74b750945ced609

SHA1
b11891257229d4f867673956bdc018ebbfe035d1

SHA256
2548bf36a2811cfe8d196f1504dda7fb9b2a52f1c3c098038181cd5c5a301c11

SHA512
1c9fe88cfff1052230b526e47b7c8d4e8be35c1137bc405576bc0e5a3404734ee8710071b4fc59f91ba9f5caec08b896722efbab921fad1ef9cd54e47db01e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
27KB

MD5
2aca5a5e045c632e39bf2f5d0b119f62

SHA1
d6a2ae0ab86635837cb58ee92602c046550f575c

SHA256
76eef4d4f9942aa7e5d07aba824d61e98c8e2ab43a2ef25ac235fd5922a2fa21

SHA512
9e973a2dcdf6cc55f09823016982de5cba54f04d2db2894a63e5e2c8651cd69be188e480b5b6fc15c0dd5f27fb5824d3007851812fb6865eef3499b164254879

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
9d4de08817128d07085556be830ac26a

SHA1
6e37c8fc27fe53ca40a7bfcfc7091867eb8126ce

SHA256
c9665ee0beed939f36be99b5a92bf1818885aa7bf27595f8a0fbee7b5d4f1a61

SHA512
cc1e41cbb7d61c67320ab22bb16842c42cdee689eec948f74e3bbbc12b7fd128b0f3ac15873e1d1f4a7493f89680655a381ef86bfd23568e270b55a876e06c57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\sessionstore-backups\recovery.baklz4

Filesize
25KB

MD5
7bf64c40e05b31a34e60dabe28ad30d7

SHA1
03617826f09b69e769b63753249c8ef87feed6b3

SHA256
e21e8c8610f1ba4e6bae9ac7ef7d8c2554a97f3265e78bdf71e11d392e83db17

SHA512
5e4185cbc2f6e2eee2e03ea0304342b8cb1ede4ebf291f329901566bbc769d5ee85635509c953a08ef0eca794e29e954e0f00681a61ce33b69ac44ce4adb35f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\default\https+++metrics-gen2.openvpn.net\cache\.padding

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\default\https+++metrics-gen2.openvpn.net\cache\morgue\126\{0ed29094-7c36-45c8-aeb4-2a3d5090317e}.final

Filesize
4KB

MD5
affeee81638049ac1171ade6cd6f357d

SHA1
3db9c058eed73d186fa2a51aed00e9ca9e7eae8f

SHA256
e8dc68032cf62fbcffecbde765004d942ca299c58a5e7b387cdb74acd33154b1

SHA512
1fa406a1dc5b366c313d22487ab177078ddb914abc39ae90558dedb9ac356ec43fbead27d56a6faccadf9875415de0f1e588e67738a66f47d0c8ebe3d8004c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\default\https+++openvpn.net\cache\morgue\126\{f25690e1-1a4d-4a90-9d36-c020cf3c617e}.final

Filesize
4KB

MD5
953e9e0fc0aa6896877db9a5a18ed0a5

SHA1
ec59fb0b8dee011874514ef8aa84506f67dac2a9

SHA256
da287992d6bfafab2405fb931d78c04125be22dda1c8387a48c68685221dc361

SHA512
cb48fcaf056fb722acebfbcf805bda35a0127eaffb9cd844ab8646beb20f2f0eba6eb63a0cdea271ca5e6f17db84072c54ab887e8f88cc5ce03449147fa8f73b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\default\https+++www.googletagmanager.com^partitionKey=%28https%2Copenvpn.net%29\cache\morgue\8\{2dae9343-1a63-441f-83ab-c613e5649308}.final

Filesize
11KB

MD5
631fe342ea671e3a98c99521a411573f

SHA1
62ce9cc7c2cdade5ea5c167b41510ecc4adb234a

SHA256
3e26b067bfcbcd77e0b1089dfc9f891ee8f16c9e868e50f30da3ccaa9d4bd0c2

SHA512
795087b3bca98becfe410e346dd5288a38902bb79b996891554133b5c10583d03c0a3c26f96f89c9b3e6d8fe69dc67e86e9fd468f7476d1b47a88cf2d3db084e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\default\https+++www.youtube.com\cache\morgue\131\{928e6123-25ff-4c3c-bee8-edefa795d183}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\default\https+++www.youtube.com\idb\2232182701SeesravbiacteaWDosrgk.sqlite

Filesize
48KB

MD5
72f8e1a57c72762bde317d3bb591bac5

SHA1
ac64764107f54983ffe2b3052035ae59de1e16b1

SHA256
aafe47c7460e1d40600804287c5eb44d88eb90bbaa23a93e083a56d006331b13

SHA512
c37d05d5256a8c93417355f79859ea36a704b1c53f75ca6c00b2fdea16e33ac01af2a87aa079824ee64d7e9b68e1fb38eafdade9fd812da7e83d08d384588841

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ac69yvjb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
664KB

MD5
b1460f1e036c4b890ae052cc03250266

SHA1
136c065bb4fedb0b2dc974723ec01d1c34bc334e

SHA256
5793d17f20e52a66c302d14255dbd0dfdbfa2ca4b6daf94abde9c849f7eefd8a

SHA512
59f354d915bcbf502eca846313d0a9caeda928d090ffa064909edb6e17065c05a96fadd5805a99a86c6cffeb25a3d69135a5b54d9dca7078954cbc30f7c5dcce

Download Submit
C:\Users\Admin\Desktop\CloseAdd.wps

Filesize
498KB

MD5
5c0be4182a6cfbad4716ab5297abacca

SHA1
a3a432032d7e983dc09d20ab5f286230da5cefd2

SHA256
09d65e716f94ed134b32e642666ba2849ef404d0783afdc432826ab8e4ad81b1

SHA512
b608ab8c7ba5014ab80d0c6d2a9ede9187f255d10e0733e702ca8db577abfeaafcdc1db10233340b546c5c2dadae9600e0f3db201fa3a1423c3f44a2fe1f9992

Download Submit
C:\Users\Admin\Desktop\CompressSplit.mp4

Filesize
386KB

MD5
b742f2965a981a30c5c68295f0d09bfc

SHA1
29d9a5d7d110eebc8d0c7571210764ceff0e4d00

SHA256
2e16b8890d88bfab85a7b06139d7b951ba07f8f8928db0ecc39cc595b796719a

SHA512
90d4bdf359dc9a9893ab194c59ce9e443d2815bd83ff6c3b762190e4f026661df6c843c91a741bd7d378833c638232d96304a6677620590df629281e29f97590

Download Submit
C:\Users\Admin\Desktop\ConfirmRequest.docx

Filesize
14KB

MD5
d139e3e363c2b2432117a7b9a3c6b5b6

SHA1
1a1c8350783f9d23090c494fffdb35892ccbaaa9

SHA256
43272da44bbaa0b43652be5bed4e962d73ca4c7953245d082064f2eb087cb8fa

SHA512
589152385538a35c98c41071aaa016a4ae3486447f36803adce245ac69f9adab86d0e5d058ff96967155fd7a47498b3c7dab372553dc08ac9809e9f00a265f4f

Download Submit
C:\Users\Admin\Desktop\ConvertFromFormat.pcx

Filesize
372KB

MD5
05583ffb03383e293b61fadb6e90a788

SHA1
2e3e91190e78f769b115258173ad20bf159489d5

SHA256
65bb7ff249d5f3ac8aa4f4ef8749107021a55836629a76294a2f1c2cbe16e276

SHA512
c38c82f3195121421f4e0192274d2933db681628096b4754a8061e5d437cf34a7fc22a221e138eb953d698148d3d5e603dcfac726ab5a5d03ef9dfb13fd8e40e

Download Submit
C:\Users\Admin\Desktop\EnableExport.easmx

Filesize
744KB

MD5
20d8a670fe67ae13cec6b8bbffc40354

SHA1
0c6cd70f964c42fffb1f40fb8cd105daae114056

SHA256
65b2ea3d9ed8aea953c8b8114e01e691080ca4f7dbf045755ba81bb3a3f16977

SHA512
c5c0bae41fb9bf1b6857ca8424fb525a6a3a30419ac762ebc0a3b7b25a22134a5d9e6dd8c6367857b03d6259b6f9add98a75876c98aea6598c10cde8afbac448

Download Submit
C:\Users\Admin\Desktop\EnterReceive.ps1

Filesize
512KB

MD5
eb9fad6e49f94846344c61517083e5c4

SHA1
f307e9825c99e2ecd5d3e45f500d96dec4aa5eb8

SHA256
70f2390ba49073c455b0d0a3ad66e9c4b48233dda079f54e091a892239bb7648

SHA512
5380e20a6751ab8efb1ff58e83de6e1f2cd247d88d457a0a0541e84644c05e0380df6fa6cbf318a99aba79d2aba72e92131834988234c98150fdd1064ff9c4c9

Download Submit
C:\Users\Admin\Desktop\ExitConvertFrom.dot

Filesize
456KB

MD5
57ac635bee8a98cd1567f9e9d60a8937

SHA1
27d091f43cbd533cc9a8a005acd631d25ae1a9ff

SHA256
a5da104bfdd60e8927f71e387fa952d3da6f32fbe2ead7a9586f2fb9fd5e9166

SHA512
889784ab6fc53cc09afb67e201cc96e087c729e00cbd60ee9d13f784662bc451f00f97be13a44c445412962cd15dcac7851a87156ac887c1669de8bd8123316d

Download Submit
C:\Users\Admin\Desktop\ExpandResolve.rm

Filesize
231KB

MD5
6461303896f9c2a28ebd29a18b7f4fd5

SHA1
ec68b221c441a7c9c18a14ba2818b3978727ee73

SHA256
47b95eff949c5c3d0a18ece2bbe865cfa8b92332b638057d6ab5ab43e625a3b1

SHA512
b7983a36ad94ae8af9dd6a51a7a8eeef7fcbb8e4e97e83fd9372b1c1b9e4a8c6396a5e6002b551e30d565b3f4404f9df1d7a060f95fd9f9d2e2b5a034219c939

Download Submit
C:\Users\Admin\Desktop\GetUnprotect.vsdm

Filesize
428KB

MD5
2320b713bd852da4c02c6011fea1051a

SHA1
0f11adb041d97bb73afda8a49daaf20a023ee50a

SHA256
29466d985bbd14566a72cf32eb4b8d16386375d245bceaad7ddf733dceefa822

SHA512
62e8bed6a88d73a3e7a866e9f52cf78bab10f712058caad39ad38b5db050f0754c79040d99aea38e005966d76d5bc12f0c9e4bda836cff113d182d4f008ec7e4

Download Submit
C:\Users\Admin\Desktop\GroupFormat.avi

Filesize
245KB

MD5
f7e36b2dfba0aa9077b840fffe1c221a

SHA1
2fd02e172e58ed5a026d297701d2cab210a2aa46

SHA256
5aa270d56739247f7bd58aa8a27c4b785946e98fe38cd05063bdcc2b8b31072c

SHA512
85f9ca3fea7bc695a7f085b042fbd524d4a9ff84b3527e39f88a06975538476d309780ed5013524c1fa006558ed28e9539b669fd3b97cd26ca0e9fd203fa8849

Download Submit
C:\Users\Admin\Desktop\HideDisable.bat

Filesize
414KB

MD5
4a82d2588c5c99e9f59263d2acf165f2

SHA1
f0d4e458de2eb3b707e3aa275e38646ce5963c09

SHA256
4842f71a926112ee929a754f4a17afb0a6e835180a50d756e9f3228be81382b8

SHA512
b6beb2fe4709053cad8d925a31ef2fc0f218270eaa5b530d5ded9691aaee971c8aa00f7ebcbdb74e569e3728c2ce25855587d3ee60bb72f3443c870818d873ec

Download Submit
C:\Users\Admin\Desktop\ImportResolve.pub

Filesize
442KB

MD5
b0cd45f45a5045269a8140cf2ef43232

SHA1
6d0276ef5a4521186295b6f4f8d5203c4e7c8fbf

SHA256
3dbbe4a24d04b6d5f7a35c730ad9067c9b0af8f841e000589ff09c10ec4fc7c0

SHA512
1257ec1c2393c3e001912b6617c93189d60a6160a6539823a48943819c985558f2736f0875741f8973d9db61dd4222ef755cfe8f6dbb00657612c70b49c54c68

Download Submit
C:\Users\Admin\Desktop\InstallResume.midi

Filesize
217KB

MD5
cf0bb981db35b23cf0cb0106a8bdbd2e

SHA1
786cf1b1c350112aa5cac25ae4c3ae4120e9dda3

SHA256
9d752efdffd518aee948f27c20e6408b648535be802fa19b9d20e910d64751da

SHA512
abb9d8fec0316a0b3a265385225a4e28414f89dcdea839aebecfe854113003c8456dabd3a06698b6cc3050b5ff97dd639843c3d85a08600f84654900da1806d0

Download Submit
C:\Users\Admin\Desktop\LimitConnect.wdp

Filesize
203KB

MD5
60b41b71831d00d1081ab742d596c7a9

SHA1
e04dc12ac726089418dbd44e4bcf35169d995bfc

SHA256
2b83af7783a7f8eae6a03d3b96a642b8456614b575c27b400d192f15b2d889f1

SHA512
633f8a8f85dfbb618d25777944f28c0b948de712a482958fcf3937a7952b6c81b89fc06f995d0e83cf05ae19b048e8e27d4287cb9702154fd28230802d9dbb21

Download Submit
C:\Users\Admin\Desktop\LimitRequest.docx

Filesize
302KB

MD5
4e37ca367c8ce560889c52f6fc3a35ba

SHA1
39b75eac8af50068266d454b79724ea04cb91e53

SHA256
656952638493c95ce4c56c028cecdd8a46b1634207b675083f8152e34a2f8050

SHA512
79f07cb79fad73f7b04312188cf715e8219565adab9bd95e94d9ccfbe3a164202ba0ab1285ff68fea2aa685910005a6adb10bccaef7ae4daba9e57ee8b9c6b0b

Download Submit
C:\Users\Admin\Desktop\LockCompare.png

Filesize
400KB

MD5
a003b2b55033cccbbcd05975a9be59eb

SHA1
ae69dc1020281e9e7d86ce267af0efc173babe56

SHA256
5f2fd4da17d54fbdc7a959a4dd852d73ef32995ae041e41040d3d7a9f94ad4ac

SHA512
149b3c9e251c14c765163ce00fbaa4bf979903099d3620ce36804c00eca15786db7a483c055656d11d58fc996a5adbfab33cd09f5819be7109505a4f3f3377ad

Download Submit
C:\Users\Admin\Desktop\LockInstall.vdx

Filesize
316KB

MD5
76018af1a3789a0e7e6f3860693ab50d

SHA1
4d272abffda3bc7b35c1bf7fda069c236de8f20e

SHA256
ab80478f341e8e9d9c9abffb3f5043f94e4afca4a62ec88623f37b7930186528

SHA512
db5e22d7e2c84ebece49f94ef76670d87479c3a3414be0367e2b672bcba6661ebbc599f35f9f11c261a6034d2af4b5a649c0c2068d50bcd0053c061c90bf289b

Download Submit
C:\Users\Admin\Desktop\MeasureWait.xlsx

Filesize
9KB

MD5
cb4af27c49caf5cf58ee5ca414990ede

SHA1
24c6a8f4fb06ded632729e8027d58f7d77fddca7

SHA256
44c24f008658aa9212407a47d778690abc4a341e469531065a21bcffb778c7fe

SHA512
3edc0b60ba2d517ed1d572ec682b9f5251085f5d4a46771d02a3b3e9173a43f68513c8703253c4377086aae9255632613654c28bc6fd68985b6596b238251fe0

Download Submit
C:\Users\Admin\Desktop\MoveLimit.vstx

Filesize
540KB

MD5
e6ce89a81d2031c992c2a6c0e3680052

SHA1
5a2aaf0009707d137cb8564d636751a1fe5b3074

SHA256
eaefba0490b83c2ed163ad3a48ffe3c77227434cdb1f3f10b76b534b3a36cb8c

SHA512
aec40a7cba0a408122cd04cd55131c54a157cafc2ec59398abba091d8e6f42a8b4b98e537391dc859efeac156ac23e1977c266306cbb96a5d63b6228bce3785e

Download Submit
C:\Users\Admin\Desktop\ProtectCompress.docx

Filesize
13KB

MD5
e41c93ad1f0d2e01f858fd319e1de0bd

SHA1
9ed1d2c6876476f68d999d7e766a3ddb4e3c902c

SHA256
ce3d06cc6f6ef992a3574a47416c881fa729c3d18ed459d9f904a450db27e0af

SHA512
7490f044223cf5a095efff44a3a75f9dec11f5eddfee1c20168da20fd07c3de606c9cdfe87acdd58697b4da74b6358be9b647f2e8b0d20d8133cfcb24fd4ea6b

Download Submit
C:\Users\Admin\Desktop\ReadFormat.ppsm

Filesize
330KB

MD5
5ea00434fd3a5133e00e5475f0defcb1

SHA1
f839bda008f46f04cabce05ebb2982222b949bf5

SHA256
66b5b9457f0069c3b3dd67a524daff3fd52c310a29a268eafa62de4c090a986a

SHA512
6d168224e84c49742dc283c7d3e1656ac4eb57c843fccdc35b414b96e47b0b1eb5fa7f2d156647b5935b243db4b1a04f0cf0b5245f441f1c432cea1835184bc3

Download Submit
C:\Users\Admin\Desktop\ResolveNew.edrwx

Filesize
484KB

MD5
40a7aa4d96038f8439f8da4a04e8f42d

SHA1
f9a373dc9826bf8cd20b4e8b8cbcac837c695568

SHA256
3523a76c4c46680b6f588c9a7fc209d459b37de4eb56b01d3690b75a68af0b92

SHA512
a4311ed4bafa8c27caa5dcf37e436ba2dcf9e506198d03d467529065fbe45d5351dacd563647709732073880f6ee171b270db7b756d94a5cf09d40fa588ae6cd

Download Submit
C:\Users\Admin\Desktop\ResolveStop.M2V

Filesize
287KB

MD5
fc926604abd0b0f2f9ae85ef5909d73e

SHA1
ff767459657fb53573ff5b120c04ac31e28ec801

SHA256
3a0ecd904e700558a29acb184e757f0c13758baa531986d05cdd10c1486762ad

SHA512
a3193ed568ca92af16e5e86d739913abc54ef07daac1db57dc5bd6129017e191a20fc7b39e4665087c9893a9e1413d1993f72613e52955641b33257516c34574

Download Submit
C:\Users\Admin\Desktop\RevokeHide.otf

Filesize
470KB

MD5
c3f96b1318a91312e52633629188bbc1

SHA1
0501f893ff848172527d1de54b91a821cc30a929

SHA256
63cedbc68bffb61a9ad320631cafce3a6c44a59da0f6d53b8f1bab2eb64b6cf3

SHA512
f11ed0401b7229eeefbacb532db44ca7467d4b878ab13d610da01dc0a278a1a5327580362804e7a77516935d68f7d48b607eb0cd28d4932d3de13b91057cdd22

Download Submit
C:\Users\Admin\Desktop\RevokeProtect.txt

Filesize
526KB

MD5
90a5b4809715b5c31c0c9ce2eff75c68

SHA1
d3684979c620c12ed06c94d268b03da72200f478

SHA256
3673ad3bb31e86a353529aacea3fad90324a07aa0c0d995fd7a5d72b682933a6

SHA512
5fc5fd6b1adb4c31edb289a9b10c9a95ac8795b542208b9c80c7119cdbf89e64bfe1c45b2c35cd0b3bf23c765e3f1e1800d6fe0b8bceaec6209c001cae2e54c2

Download Submit
C:\Users\Admin\Desktop\RevokeUnprotect.docx

Filesize
189KB

MD5
f7a04b1612fb821a2ee64967858ea462

SHA1
c5112a98aa89706de14179f148554b6d3c79e7bc

SHA256
97b9a8d07a68ba0e8abccc52d5c7d5b23839ac8c0ab1703116e6c720cb0ff1bb

SHA512
0273a7749d856174f471b0453f2358ce50ca1e09940b0140fde36f1da766b94ed48f58f2fe3c8594b23ef4c9705f4994c3fda59442ef444b4762f992b91446a4

Download Submit
C:\Users\Admin\Desktop\SaveInvoke.mhtml

Filesize
259KB

MD5
5eec817cd00aaff30b2908efd222524f

SHA1
adccc9778d2d9271f6feeede58805ca4bcfbe791

SHA256
dfcd3a497ad31fb50a6b9e2ae224f1bd4dd3a951ebf3e4a9cde015918eac35ee

SHA512
ffa74976d074f14e7e5a1aec7d3a8eb7a2d567f7214a7e03ff110fe61076e4e3cae0fc7d632fb194a6bf8d62420b45478094b4f6dd4b9c25c9c22205b72f5a2a

Download Submit
C:\Users\Admin\Desktop\ShowCompress.docx

Filesize
13KB

MD5
9cb99e65e314c6c314bffcce978e51c4

SHA1
c9cd9a7360f952c2521f56e14180616115f0ab60

SHA256
65ec67f1179d37db987032c7105241517a660acda3df22f383bcfe8ff6615402

SHA512
6e9de52418633f94c54330a6c18911fb9fe112138d30f71a3260e8114d5378aa7bef01fffc51ec88e359529d9820e3a24b07d9fd8691f96f2f59c403a4d26ef6

Download Submit
C:\Users\Admin\Desktop\UnprotectUnblock.pot

Filesize
344KB

MD5
8d2cbc3c3e999cb5e5bc940a341d447f

SHA1
e45c3361fec7a9726b56cc4ef2fc7450d7f37995

SHA256
4784d81b27986c2e40351c900df5b3ce6c2e9d9075be8cb709080e6613387da9

SHA512
6890844ab23dd0515259755a1641acf6c994085f30afaa7a90cbf2b8bece2c51c475ade643f4b3d7ecde887ff64d6dd84b69719088ae076591494438d19eadbb

Download Submit
C:\Users\Admin\Desktop\UpdateExpand.M2TS

Filesize
358KB

MD5
8b64925b40f05936fa6836dcc4c458e6

SHA1
c2a3b1d513189a0396390ea50585788057ef0454

SHA256
3b655ad0109c7097a1a47c379b294c82623508d38da5229cb742d034e141c814

SHA512
8056bdd06a2675f4936b3bd701b8347f4925c9b9e6f12572badef3eccaa357cab6287eb5d9cabf912c469a10f719f7d6360ac3e9dd3ae790dcbe66c451e78360

Download Submit
C:\Users\Admin\Desktop\WatchResolve.xltx

Filesize
273KB

MD5
137c2fe257c74490126f713b3e98d1ff

SHA1
3553262e9bba0337dabfe0253b2f6c6686db8b82

SHA256
afff27724790cff1e3d0eee0622b2ffeb1269f4577ecf31f7892c76bb180db91

SHA512
3024770cc296c6f8c721842acd7a2793ef68adc0b3b6bc11b34e4e4fc81eb906f8f2c7186fcd34bc9c0320540bcca026b5acafab6b146b609a0122a4299edd0a

Download Submit
C:\Users\Admin\Desktop\remcos_a.exe

Filesize
430KB

MD5
3bca2b3c330750c24ba7a49c4637e54d

SHA1
b901b44726ddd3100dbe5eba8dc831d2350b247e

SHA256
4d08f602b593fc397e74c171abcc3932bf6cc9177e96e69d95a1e71385b2ff94

SHA512
fbd7debf2126cd0106ea3edb1793a703bda6b9cfaa7fae68920ec0b6903eb379094eceb6d8f0252bf3d959c441286a1c3fe65715617b21985fb11b79a328b24d

Download Submit
C:\Users\Admin\Downloads\4jPg5Npw.txt.part

Filesize
4KB

MD5
da021d8a47c50a94bfda8ad0c4a07faa

SHA1
10e1a2e9eb3bef2c3cfc905b1b7713d05937d455

SHA256
c03fe446e8299cfe3fe8eaec4451986748e5b80861b62e3cddab36d8dca8337b

SHA512
b03e44738ca5bf8913b03aa4a1a1b11d4f068fa5d3414543245084b3f6a11e99d9e246e1bdb3c826abb8c28ca748e661713cf01dc8c582d5c1f5a380022a4775

Download Submit
C:\Users\Admin\Downloads\COMPILED.RQDpygW0.zip.part

Filesize
6.9MB

MD5
30b1961a9b56972841a3806e716531d7

SHA1
63c6880d936a60fefc43a51715036c93265a4ae5

SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

SHA512
9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0

Download Submit
C:\Users\Admin\Downloads\OpenVPN-2.VYG7Fsa3.6.13-I002-amd64.msi.part

Filesize
5.5MB

MD5
d23fbdb4820878d5af830a2fed68cd53

SHA1
1438f1d01bc0f22710f963ed8dbae65bda278c05

SHA256
6a6e96b2860c6e2b2fb751e6a12fceb2ed0449bc6877836a21d888b38e018c6c

SHA512
c70f5ac8d7919f27d61325820090f2f14c8cf75e5feef26ee13feb18fef2b16aea99718e2f0b6d0058558c284df219497e62d4c0631afa7d4849d9540333e3cc

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\BuilderProfiles\DefaultProfile.ini

Filesize
394B

MD5
e170d5e110b0422ea8524cee0496ca15

SHA1
e0a905c78f44d1f11319aa4781b9affa2ff5e73f

SHA256
6705701329c15474ef4f1d1d3d6f6b84a3b700d114a6ca6aadc6189e6bd8d500

SHA512
919d2b4d056820dbf62096ea897f2a7b2f482dffe00c7eb7b34f6af2a47db19dd36ad19dc2645ea9c67fc06d76530b68377e98a8cce2bf971cb414531e31f96a

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\BuilderProfiles\DefaultProfile.ini

Filesize
389B

MD5
2d7546562eac48cd8b78bdf38d703578

SHA1
9f84e2af7baaf3a5a3eb2f7fe6d6e90710bea05c

SHA256
e03dbda16a91552fca03fef3d6476496dfc30ae9e80f1188872831c4da53904b

SHA512
264c4cdbcc0b2b8e14fda63bec65d48cf8debe0921e72d513f786a149bb8e00e8f86a05f21e8771f078afbf3e42c7b0d771357c0022144eb43606eea495b51a2

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\BuilderProfiles\DefaultProfile.ini

Filesize
394B

MD5
63bc673c1b526f455faa0ab2ca9425f1

SHA1
9607e03de14e530acb4483afa80832754a52c6f3

SHA256
6f836d943daf4e35fcdf135a6e16f1b90050467d193790bbc88f5593a83d2e14

SHA512
2e8cf967c85044c9ac84cb995218770b564f3f67e4dd37b3238b0dc94cf23c1216ec18e39d331d0c21e6c6fa468e3b726100082cb39122c32e392235f51155fc

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\BuilderProfiles\DefaultProfile.ini

Filesize
391B

MD5
8640259fe8a68fb5321d56ee917c2e40

SHA1
47c86cd76dc1c99abaa2ce222ae58b2b4b452089

SHA256
7ea65264b6abbc3aa1128ae4c5164c46f7d67e0c42266ca332f6811f2f9c39aa

SHA512
490cc1d485f65f1b054ff59dfe9beeaf8c1833b5a216fa520648e876a8d09603c396c61f2ccc9386f8d83674b470178c32597560f770bcd39a1ce5db41f54ac5

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\Remcos_Settings.ini

Filesize
29B

MD5
5ef6edd2053ba7dae1c9b137deddff92

SHA1
3f8a68838109ca0fa42e451aded13c1dcb5496e3

SHA256
4ef0b5f5085ee7b911b8f64a66c40c45cc3049b74e1e8154acc8338337ab717f

SHA512
f1a3a705e9d49ad6f1f4408a2cd2f7b1803c15ea0c2d7d1326e52e27689add38a5a718f87015697cfd4af043a64718f369e9a1e9276940c0304efcee3098572e

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\Remcos_Settings.ini

Filesize
98B

MD5
f56daa79149ce23d7e62fe57f097c80f

SHA1
c9fbf2a1f5678142e71ac80470e79601b883aea1

SHA256
5f18d8c9331d160c7c8b645b44e2bc8177a2a8baab4b3e558563ad633cd4ba11

SHA512
41394432c108a60e5984df9d2b4a7924c1269bc2e03e6dba864b4bb0795f84254b0a50e987ea4b8535337a6179acec6c7ece922bce7b8f51ef489f61ead1630e

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\Remcos_Settings.ini

Filesize
139B

MD5
c66dd9111a507f5987c221db144217db

SHA1
3eb2140a8739b0ad8ccd6b58d13a155ad048b11f

SHA256
df240002125314704b83312156332941c7ce4249e83a23df736e99816e5ebb7b

SHA512
2c81914c0909fce05bff3f974aceae83d63c9c83affc2ffa865e3f48af0cd4e563e1d85ac561f1e8031ea77cf6e8812b8fe3ecd4b43ece1cff0b83c9806b2413

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\Remcos_Settings.ini

Filesize
1KB

MD5
11a04fe6c32bacf1858772c137bd216c

SHA1
d65afb439ac2a5548fbbd666544d42799309a5a0

SHA256
b4db1ae8e7231f4b76a5341e805324af995ffc41a186ee0d938467cc696c7ab3

SHA512
76b77d9b3ad6cfd83c4c079766259baf2154857a495c10bb8b714c344416398a31b951cfd74d9dc56f2e7b7d32d4d5d93553877b8c084b36507de487c55cf396

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\TLS\libeay32.dll

Filesize
1.3MB

MD5
fa5def992198121d4bb5ff3bde39fdc9

SHA1
f684152c245cc708fbaf4d1c0472d783b26c5b18

SHA256
5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305

SHA512
4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\TLS\remcos_client.key

Filesize
633B

MD5
455202a8f0a78e84919556a4f31f8eca

SHA1
2c0578b13ee09cfc203f246cbdcf28429486532b

SHA256
8548191e26d4adc20b3a9dd09eef3e44a2acf0060f373f35b789a6a6c4635dd7

SHA512
ae848d22991816b0616757b26cc90f889612cf20accb559234c08fe1d8a95a87bbe110d55ee6337433d8afc56b01d247e4a554b76d2c47ce1db1306b852d1899

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\TLS\remcos_server.key

Filesize
633B

MD5
c18055f9cd574d28d2d08d64a9c9c750

SHA1
f6979dbd9d3a65b5cafb4393fd363ba2704b6354

SHA256
e03a2afb34fc54d65443c56b1056209ceeab089a513daf3717ad364ee7c84c9e

SHA512
0ed56bb2fa235e8008422a7a72a309c69cd1d0748a83a4aa39446d45738a017e099c4fce449ee642b8ef61863fdac5a8b4fe63b6ff38e481808eec7b9a38c35a

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.1.0-Light\TLS\ssleay32.dll

Filesize
330KB

MD5
2117e31688aef8ecf267978265bfcdcd

SHA1
e8c3cfd65ed7947f23b1bb0b66185e1e73913cfc

SHA256
0a4031ab00664cc5e202c8731798800f0475ef76800122cebd71d249655d725f

SHA512
dd03899429c2d542558e30c84a076d7e5dbde5128495954093a7031854c1df68f8ff8eca4c791144937288b084dd261fbe090c4ff9a3e0768e26f0616b474eca

Download Submit
C:\Users\Admin\Downloads\Remcos-v6.X74xR4Gq.1.0-Light.zip.part

Filesize
39.3MB

MD5
6afa9649eeba67e4b66d06f9b1a86953

SHA1
4496ab76a8fa337c4ca9ecb5dd756cf0d8eddc21

SHA256
165438a10b386d39a4e08e38699abca95702908335c3b36f7be9e383339d6e11

SHA512
0dc7c0545014d6bb47bec4a26b7a1b1ceb354a619a049d7a1ca2d63cc96b809374f943d74887d86d6a2d7655fb54053044e8798b93e1468f29e1cafe1a5ab55d

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
b14e1f69df1160a15a5a823927f08f56

SHA1
7637a45c7f904cca38f12394890f656c8c9d73fa

SHA256
f3f6bcf8afa6b1b2ba5642914bcb7b5398273e78428c5e49795a0aa1e4568049

SHA512
8d097ded54afd77b4299b6e56048c4d40eeb105b55470469cadcf5a45faff3b3065d6937d7ae55520582544d612b471b9072791be758ca91b8229c637962f504

Download Submit
C:\Windows\Installer\MSI7AC.tmp

Filesize
219KB

MD5
4618d60a78caf2f9765e6faf472d76a4

SHA1
20af6f1922cc4615d85257148a04002ce43d452c

SHA256
d3b5deff36c337f4c57f4172a49846bb7dd40823f105e6405c878812fa7c96a6

SHA512
780fa12ed5122c38c4da449134ead144bca532ad8b7b58f7ecbe8bbafe043e38b14c7965560419869da4053b62ec57206c513a7748b8413a0b9c4d57e3b3811a

Download Submit
C:\Windows\System32\DriverStore\Temp\{a59616cc-40b6-6943-afea-cef86510fb12}\tap0901.cat

Filesize
11KB

MD5
71ecece58bb00bdc1e728ee28d7a5332

SHA1
4305889415cf95662a30d024f1138f1af224cf42

SHA256
ee062e5ef2743ceab10c64830e4cefe52e35cc1ece85947ac4e61ddd1c0b05f7

SHA512
9b23404d867fc4fd7c7beeba3768e8fed3113cc7430ec1bc9ca7faf6e6105388de7057b1402f9b4ba8fbc11e5fcd3afe14233721e8d15b6c0bed40f65aa5b58b

Download Submit
C:\Windows\System32\DriverStore\Temp\{a59616cc-40b6-6943-afea-cef86510fb12}\tap0901.sys

Filesize
40KB

MD5
1bb9772a05517e227d1dafd3936e8f66

SHA1
d695ca5791a4b6a3509939aebdfaf5e229c6fbcf

SHA256
581dcaace05d5c1ac9512457ff50565aca5d904d2c209bd3fc369ca4d4a0d2b1

SHA512
3f1966038f91b887fe1a71474929bd87f3c75091846c6e9563f7424d3a7c19c908f1d874895341c61a868a616aba637e3d4188d4ebb7383087886a13a4dc0aa2

Download Submit
C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}\ovpn-dco.cat

Filesize
11KB

MD5
8fd89f82a273cd3ed2f76f7f09cf30ae

SHA1
43bb4e81acac468715e874ab86521497ca2e9369

SHA256
8c9456aeacd5566234519b5b34ceecd0f7ebb22f6813747e595f5945517ec438

SHA512
f77ad5dca3f72701ab2b779e900d22fa3f0c3ca6b8713e25bb7d6d1480992518d66879b6315122c555b32be527fef7c86ead1d59244c955287d48c3132b684f0

Download Submit
C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}\ovpn-dco.inf

Filesize
2KB

MD5
77da079a3665afc84d05c3d07bcaa0d0

SHA1
3fbfafe2c08100f5b46b792398c2ecb9157760e9

SHA256
1f6c35bc11d910f91c32ea54894d0fddb0094876bdd526d04a9287d04d636242

SHA512
10fcd8464c6aab386bf2f675175598764e0b784a898b7b450fef3d055ecf902c7a57ac0aef2725b9e6899146e4e9230c8677bfd2a8f18489b642fa6beca25507

Download Submit
C:\Windows\System32\DriverStore\Temp\{bc4ce57f-9afc-9343-ab65-9b87c28baba6}\ovpn-dco.sys

Filesize
90KB

MD5
6b0722f0b6ed86877d96da4a57f3aa03

SHA1
85cd52a10a8be6ca807fb5f6e180a1b1a1554583

SHA256
2c2958dac6f36922ae094705e058bf6470e1622b31318fb9fe0db5457e383f45

SHA512
74c399af44e982bb02eeb103bc634d2b5923b5623625a87bd148b6dad1afc438775a00ecbcdeeb2adb13d04c3b1d23a92cd9ee815c89f1af4fdbb3eb8fc3f49b

Download Submit
C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\wintun.cat

Filesize
9KB

MD5
faba2ccb8fe366fd281ca6be6d2bb7c2

SHA1
bb7bd32a21f3eba652fde24146387ffc5278143e

SHA256
602187e5470ddbdf9421045bb0515f358c88bf88f59fd8a886fb6373da5d0f82

SHA512
ec424a545e2598f299706499dab07b4d12b0734a52f928216a53bca2b7f384b97bd4fc092d7d68de636a75daf79ac392c4b49b7251ec011236de1659253d6214

Download Submit
C:\Windows\System32\DriverStore\Temp\{e9457eee-e90e-e448-9b07-0f7761272471}\wintun.sys

Filesize
37KB

MD5
1945d7d1f56b67ae1cad6ffe13a01985

SHA1
2c1a369f9e12e5c6549439e60dd6c728bf1bffde

SHA256
eb58bf00df7b4f98334178e75df3348c609ea5c6c74cf7f185f363aa23976c8b

SHA512
09af87898528eaa657d46c79b7c4ebc0e415478a421b0b97355294c059878178eb32e172979ee9b7c59126861d51a5831e337a96666c43c96cb1cf8f11bc0a0f

Download Submit
C:\Windows\Temp\6a571dfddd2dff2b6b3e22f9b330c0a635339042fb846246b09488f33f7bd408\wintun.inf

Filesize
1KB

MD5
8480579050970b0812cc3d9a1bce1340

SHA1
edebebd090602f4eee375ad754c8566d4fda23cb

SHA256
44098408ab9611dd99a38e140c7fb1ca5dce6eb2d5f0d5e500547ac1ba5d235b

SHA512
46de9202c3cf0ddbf19f9e0e02ec17530f2722abfa08669fd30a6095ce2342fa89a2cc59c1d47afd82b48c915bb95f4c6d16e7c21129a9c8f09c2bf239566933

Download Submit
C:\Windows\Temp\d835039e7ec08ad04d30f33ef461e295b95e0dc200022dec1de0aa93faca913a\OemVista.inf

Filesize
7KB

MD5
6f5ffb58a9e406ab1643c890e2a198c6

SHA1
3ff1faba00ac18a93e88a6f2bbfa747c9fdc7e0c

SHA256
1327ab3a8c50691f04bea8e2ca356c5b604092a719e219464f8cc4b42e192de9

SHA512
af29bc13cc02238208c51e4e95dd0a4445a952755635a9eab38aa77a5c087cc8e2025af55d8f3a0e9f2430baa91534e7f892bb71aa0ef72bab4483211a845b4b

Download Submit
memory/6840-1963-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

Filesize
4KB

Download
memory/6840-1977-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/6840-1970-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/6840-1969-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/6840-1968-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/6840-1967-0x0000000006F50000-0x0000000006F51000-memory.dmp

Filesize
4KB

Download
memory/6840-1966-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/6840-1965-0x0000000006B10000-0x0000000006B11000-memory.dmp

Filesize
4KB

Download
memory/6840-1964-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/9900-5280-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download