d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1

Resubmissions

15-07-2024 12:22

240715-pj7dpszhrl 8

14-07-2024 17:11

14-07-2024 17:07

14-07-2024 16:55

01-05-2024 09:05

24-03-2023 19:33

24-03-2023 19:25

Analysis

max time kernel
781s
max time network
784s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Replace.exe
Size

34.8MB
MD5

fd5cd14325c51ecab6a57d1d665f8852
SHA1

ea16aa0f197210437733c63a42a8f1dd6442d753
SHA256

d433cd0ba6b6850a9f616b3b89754a005699547d4e04fadb75cade770156cfd1
SHA512

9a2e4c8baa01fbafe6968905daeb8d3b7eb62c09d1d7584e973ad1c23d964093e161a51a7390dfaa598d2657f45ca17bf00b5055aeaf0441f875ddb364741d71
SSDEEP

786432:i9hj60qHOBbQcVM3sct6C2ubdsUeGXV4yQnb+LQgRkrm12PYfrB:i9kH+o5sG2ysbhrmka

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

wnsADEA.tmpcleaner.execleaner.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	wnsADEA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	cleaner.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wnsADEA.tmp

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wnsADEA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	wnsADEA.tmp

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
143	2988	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

run.exewnsADEA.tmpcleaner.exenode.execleaner.execleaner.exenode.execleaner.exenode.exe

pid	Process
208	run.exe
1472	wnsADEA.tmp
4384	cleaner.exe
1232	node.exe
1000	cleaner.exe
4588	cleaner.exe
3476	node.exe
2572	cleaner.exe
1192	node.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
2988	rundll32.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0006000000023253-1025.dat	upx
behavioral1/files/0x0006000000023253-1031.dat	upx
behavioral1/memory/1232-1037-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1129-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1140-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1229-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1414-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1513-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1708-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1802-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-1992-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2091-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2286-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2388-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2588-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2688-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/files/0x0006000000023253-2786.dat	upx
behavioral1/memory/3476-2792-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/3476-2840-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2891-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-2980-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-3182-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-3280-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-3479-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1232-3577-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/files/0x0006000000023253-3715.dat	upx
behavioral1/memory/1192-3726-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-3815-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-3932-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-4123-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-4316-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-4577-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-4670-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-4866-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-4964-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-5154-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-5268-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx
behavioral1/memory/1192-5457-0x0000000000400000-0x0000000001F1A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cleaner.exerundll32.exewnsADEA.tmpcleaner.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	cleaner.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleaninethelper = "rundll32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wsc986C.tmp\",Start verpostfix=bt"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wnsADEA.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	wnsADEA.tmp
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InetHelper = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\InetHelper\\cleaner.exe\""	cleaner.exe

Drops file in Program Files directory 7 IoCs

Processes:

run.exe

description	ioc	Process
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe
File opened for modification	C:\Program Files\Image-Line	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\__tmp_rar_sfx_access_check_240558546	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FL64.exe	run.exe
File created	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	run.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 5 IoCs

Processes:

firefox.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 5 IoCs

ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENotepad.exe

pid	Process
3752	NOTEPAD.EXE
4532	NOTEPAD.EXE
512	NOTEPAD.EXE
3548	NOTEPAD.EXE
2572	Notepad.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid	Process
2448	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exetaskmgr.exe

pid	Process
2988	rundll32.exe
2988	rundll32.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exetaskmgr.exetaskmgr.exeregedit.exeOpenWith.exe

pid	Process
2768	7zFM.exe
4268	taskmgr.exe
3284	taskmgr.exe
2448	regedit.exe
1284	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exe7zFM.exetaskmgr.exefirefox.exewmic.exewmic.exe

description	pid	Process
Token: SeRestorePrivilege	2768	7zFM.exe
Token: 35	2768	7zFM.exe
Token: SeRestorePrivilege	4628	7zFM.exe
Token: 35	4628	7zFM.exe
Token: SeDebugPrivilege	4268	taskmgr.exe
Token: SeSystemProfilePrivilege	4268	taskmgr.exe
Token: SeCreateGlobalPrivilege	4268	taskmgr.exe
Token: SeDebugPrivilege	3360	firefox.exe
Token: SeDebugPrivilege	3360	firefox.exe
Token: SeIncreaseQuotaPrivilege	4820	wmic.exe
Token: SeSecurityPrivilege	4820	wmic.exe
Token: SeTakeOwnershipPrivilege	4820	wmic.exe
Token: SeLoadDriverPrivilege	4820	wmic.exe
Token: SeSystemProfilePrivilege	4820	wmic.exe
Token: SeSystemtimePrivilege	4820	wmic.exe
Token: SeProfSingleProcessPrivilege	4820	wmic.exe
Token: SeIncBasePriorityPrivilege	4820	wmic.exe
Token: SeCreatePagefilePrivilege	4820	wmic.exe
Token: SeBackupPrivilege	4820	wmic.exe
Token: SeRestorePrivilege	4820	wmic.exe
Token: SeShutdownPrivilege	4820	wmic.exe
Token: SeDebugPrivilege	4820	wmic.exe
Token: SeSystemEnvironmentPrivilege	4820	wmic.exe
Token: SeRemoteShutdownPrivilege	4820	wmic.exe
Token: SeUndockPrivilege	4820	wmic.exe
Token: SeManageVolumePrivilege	4820	wmic.exe
Token: 33	4820	wmic.exe
Token: 34	4820	wmic.exe
Token: 35	4820	wmic.exe
Token: 36	4820	wmic.exe
Token: SeIncreaseQuotaPrivilege	4820	wmic.exe
Token: SeSecurityPrivilege	4820	wmic.exe
Token: SeTakeOwnershipPrivilege	4820	wmic.exe
Token: SeLoadDriverPrivilege	4820	wmic.exe
Token: SeSystemProfilePrivilege	4820	wmic.exe
Token: SeSystemtimePrivilege	4820	wmic.exe
Token: SeProfSingleProcessPrivilege	4820	wmic.exe
Token: SeIncBasePriorityPrivilege	4820	wmic.exe
Token: SeCreatePagefilePrivilege	4820	wmic.exe
Token: SeBackupPrivilege	4820	wmic.exe
Token: SeRestorePrivilege	4820	wmic.exe
Token: SeShutdownPrivilege	4820	wmic.exe
Token: SeDebugPrivilege	4820	wmic.exe
Token: SeSystemEnvironmentPrivilege	4820	wmic.exe
Token: SeRemoteShutdownPrivilege	4820	wmic.exe
Token: SeUndockPrivilege	4820	wmic.exe
Token: SeManageVolumePrivilege	4820	wmic.exe
Token: 33	4820	wmic.exe
Token: 34	4820	wmic.exe
Token: 35	4820	wmic.exe
Token: 36	4820	wmic.exe
Token: SeIncreaseQuotaPrivilege	1372	wmic.exe
Token: SeSecurityPrivilege	1372	wmic.exe
Token: SeTakeOwnershipPrivilege	1372	wmic.exe
Token: SeLoadDriverPrivilege	1372	wmic.exe
Token: SeSystemProfilePrivilege	1372	wmic.exe
Token: SeSystemtimePrivilege	1372	wmic.exe
Token: SeProfSingleProcessPrivilege	1372	wmic.exe
Token: SeIncBasePriorityPrivilege	1372	wmic.exe
Token: SeCreatePagefilePrivilege	1372	wmic.exe
Token: SeBackupPrivilege	1372	wmic.exe
Token: SeRestorePrivilege	1372	wmic.exe
Token: SeShutdownPrivilege	1372	wmic.exe
Token: SeDebugPrivilege	1372	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exe7zFM.exetaskmgr.exe

pid	Process
2768	7zFM.exe
4628	7zFM.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	Process
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe
4268	taskmgr.exe

Suspicious use of SetWindowsHookEx 43 IoCs

Processes:

firefox.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	Process
3360	firefox.exe
2684	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
3680	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
4220	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe
1284	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Replace.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 2752 wrote to memory of 2988	2752	Replace.exe	84
PID 2752 wrote to memory of 2988	2752	Replace.exe	84
PID 2752 wrote to memory of 2988	2752	Replace.exe	84
PID 2752 wrote to memory of 208	2752	Replace.exe	87
PID 2752 wrote to memory of 208	2752	Replace.exe	87
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 404 wrote to memory of 3360	404	firefox.exe	105
PID 3360 wrote to memory of 4604	3360	firefox.exe	106
PID 3360 wrote to memory of 4604	3360	firefox.exe	106
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107
PID 3360 wrote to memory of 1320	3360	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Replace.exe
"C:\Users\Admin\AppData\Local\Temp\Replace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\wsc986C.tmp",Start verpostfix=bt
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\wnsADEA.tmp
    wscsu.exe /S /VERPOSTFIX=bt
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1472
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      PID:4384
    - - C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\service.js"
        5⤵
        Executes dropped EXE
        
        PID:1232
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:1996
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:1912
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:888
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:2764
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:2292
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:2292
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:4960
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:1124
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:4760
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:3284
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:636
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:1844
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:1332
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:2580
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:3808
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:4628
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:3388
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:2764
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:1544
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:4956
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:4116
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:3104
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:2076
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:3144
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:620
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:2336
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:4160
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:4504
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:4452
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:1256
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
        6⤵
        
        PID:3388
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
        6⤵
        
        PID:1340
- C:\Users\Admin\AppData\Local\Temp\7zS0CAD4986\run.exe
  .\run.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3044

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\wsc986C.tmp"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\wsc986C.tmp" -t#:e
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.0.1021992296\863450548" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {236c60d9-19b6-49e0-917f-7cd2bf537159} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 1916 1a3fe418f58 gpu
    3⤵
    PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.1.1520323039\142170485" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {733d0719-5916-4ad6-813e-86291898cea8} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 2316 1a3f056fb58 socket
    3⤵
    PID:1320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.2.1343026613\1192133259" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3196 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32b77adb-f24c-4c60-8242-ab23bef22c15} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 2996 1a381f0ab58 tab
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.3.638936050\1586063943" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 2992 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe849a38-2e36-4e4f-a81f-c87c431af484} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 3556 1a3808a9c58 tab
    3⤵
    PID:1460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.4.853964615\1987012786" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {328f23f1-62fc-47ba-a823-f27c4f64d6a7} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 4136 1a3f055e258 tab
    3⤵
    PID:2768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.5.2043569662\851098802" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 4700 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8baded98-5342-482f-ae0a-3a6b9a118a89} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 4988 1a384133458 tab
    3⤵
    PID:5076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.7.45714136\1134122607" -childID 6 -isForBrowser -prefsHandle 5316 -prefMapHandle 5320 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98a835b0-5dda-48f6-85ac-6d8e0999af39} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 5308 1a3849e5a58 tab
    3⤵
    PID:3752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.6.1581805289\1262933844" -childID 5 -isForBrowser -prefsHandle 5116 -prefMapHandle 5124 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9766ac1d-4142-4d15-a922-d65a3709ea41} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 5012 1a3849e5158 tab
    3⤵
    PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.8.2087094183\291628793" -childID 7 -isForBrowser -prefsHandle 4984 -prefMapHandle 5600 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9388778-c59d-42c0-8a80-d8efca6d4bb3} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 4008 1a38449e558 tab
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.9.282918158\113397722" -childID 8 -isForBrowser -prefsHandle 5808 -prefMapHandle 5876 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72b153e6-87b3-427b-846e-5ac69464dbc6} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 4344 1a3866f9558 tab
    3⤵
    PID:3764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3360.10.1241167544\1673075463" -childID 9 -isForBrowser -prefsHandle 4820 -prefMapHandle 5892 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1472 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63e06a75-c8ea-430c-82ce-28aee43aa9cd} 3360 "\\.\pipe\gecko-crash-server-pipe.3360" 4900 1a384135258 tab
    3⤵
    PID:1928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\service.js
1⤵
- Opens file in notepad (likely ransom note)
PID:2572

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:3284

C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"
1⤵
- Executes dropped EXE
PID:1000

C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"
1⤵
- Executes dropped EXE
PID:4588

C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe"
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3680
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\vp
  2⤵
  PID:2680

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\servicelog.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\servicelog.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4532

C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe"
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:2572
- C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\service.js"
  2⤵
  - Executes dropped EXE
  PID:1192
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4592
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic path Win32_NetworkAdapter where Index=1 get NetConnectionID,MACAddress /format:table
    3⤵
    PID:636

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\servicelog.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:512

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:2448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1284
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wsc986C.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper.status

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe

Filesize
4KB

MD5
e9ded10dff258f6522fe9079ed3319ca

SHA1
b0127ea7675f6359bfa80a7bf6282bd1c989b405

SHA256
ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780

SHA512
d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe

Filesize
4KB

MD5
e9ded10dff258f6522fe9079ed3319ca

SHA1
b0127ea7675f6359bfa80a7bf6282bd1c989b405

SHA256
ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780

SHA512
d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe

Filesize
4KB

MD5
e9ded10dff258f6522fe9079ed3319ca

SHA1
b0127ea7675f6359bfa80a7bf6282bd1c989b405

SHA256
ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780

SHA512
d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe

Filesize
4KB

MD5
e9ded10dff258f6522fe9079ed3319ca

SHA1
b0127ea7675f6359bfa80a7bf6282bd1c989b405

SHA256
ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780

SHA512
d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\cleaner.exe

Filesize
4KB

MD5
e9ded10dff258f6522fe9079ed3319ca

SHA1
b0127ea7675f6359bfa80a7bf6282bd1c989b405

SHA256
ea1d61984ede5908e0840e91a71bb127efd62d836c1f76702b426fd79b57f780

SHA512
d95482d3cf50b37e999e3f91377bd41a215f3f0c55c9f3e47fc9c563b9cd3f5c5ee945878889a8147b9f089005826ce81398172395d0107dc14eb8fefc0d36de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe

Filesize
6.6MB

MD5
5f40521d2e1082fe1c734610c4a83911

SHA1
86d54874cc8976cdb75a9dc8dcd817af50837796

SHA256
79ac7ae94231a392d27f303418e305a60c4194dbbe143c5deffc977c7b2e7a78

SHA512
ef2b54b46844cfb13cfdef6271e2a8b4e646d2e31ca55229e5c76ca90c649895533bc8fb83c4d50dd3721abb2a5e4c5ee32df5c4540e1c14498a5e9b550d3189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe

Filesize
6.6MB

MD5
5f40521d2e1082fe1c734610c4a83911

SHA1
86d54874cc8976cdb75a9dc8dcd817af50837796

SHA256
79ac7ae94231a392d27f303418e305a60c4194dbbe143c5deffc977c7b2e7a78

SHA512
ef2b54b46844cfb13cfdef6271e2a8b4e646d2e31ca55229e5c76ca90c649895533bc8fb83c4d50dd3721abb2a5e4c5ee32df5c4540e1c14498a5e9b550d3189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\node.exe

Filesize
6.6MB

MD5
5f40521d2e1082fe1c734610c4a83911

SHA1
86d54874cc8976cdb75a9dc8dcd817af50837796

SHA256
79ac7ae94231a392d27f303418e305a60c4194dbbe143c5deffc977c7b2e7a78

SHA512
ef2b54b46844cfb13cfdef6271e2a8b4e646d2e31ca55229e5c76ca90c649895533bc8fb83c4d50dd3721abb2a5e4c5ee32df5c4540e1c14498a5e9b550d3189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\service.js

Filesize
186KB

MD5
42fb0fa52c2e0bbbdf379c1aba97d12e

SHA1
164c4639d99a7dcfacf29da930ca4dfef3621a11

SHA256
3db6ffa48cae2dbdc68f9bf5ee75ba5b7abd4f923c5fc6741477916957909071

SHA512
b9e96ba85508bb44f49dbf92185157db149fab2a6245a2d39ce49da5ae14617928f44cf8ee2bcb8c9dd4060082cc4b2b84ea6ff7659ce15caa8d9da02c46c936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\servicelog.txt

Filesize
109B

MD5
82aff7396b909038e53bc314c5004e70

SHA1
ba2019b0354bdf2034990588c47ec063d100823f

SHA256
6a680ec79d484cb2275a766aa5235c9b2470446fd90db2ad3254644c0daa6c4b

SHA512
92d456e3039ec4d268f3508ec62027be8009c17968fefaaa5d1bb5a4f8484a4ba9271dbbbf7a5298358e700794092fcca6b233c2a9349b315a5c96af3fe4080b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\servicelog.txt

Filesize
109B

MD5
82aff7396b909038e53bc314c5004e70

SHA1
ba2019b0354bdf2034990588c47ec063d100823f

SHA256
6a680ec79d484cb2275a766aa5235c9b2470446fd90db2ad3254644c0daa6c4b

SHA512
92d456e3039ec4d268f3508ec62027be8009c17968fefaaa5d1bb5a4f8484a4ba9271dbbbf7a5298358e700794092fcca6b233c2a9349b315a5c96af3fe4080b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\InetHelper\vp

Filesize
2B

MD5
6920626369b1f05844f5e3d6f93b5f6e

SHA1
edfb92a5be2a31a47d117f6c1530e1cebe1b4963

SHA256
5e73d6d7edd38daeae9f10721987e301e4d4b5421e88eb17063ac5a41b168273

SHA512
0b307a2eca21778e3fca2d855f0e12ff10726fe276bedbf70b40e10f21de839922384d494b67d65a21d4fa15d8642a84b6c39b15ab7e91f3b9555a53ece4f882

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
157KB

MD5
092fc57febaa48c86cdce9c10c5194bf

SHA1
9e91969f6ec6050b0778167767099b87a397477b

SHA256
2d0831cdbd81a604798bad31b380b332a20129781c09dbef0e4e920a0fdb0b57

SHA512
0a4290bba48c52f39990f3be6e02f1e4751a9f4cd408563ea9d79d8fcff930d89520056f014bbd401ff4c663e213904cafc87ea5649e3e5c64e36cd75e27159f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\13568

Filesize
13KB

MD5
b6ac88115af6b9ae1b65dccb8238eda0

SHA1
b758cee3d05aa5a7c1853000c8bdafb52e7d0b01

SHA256
30743a3a75bc4bb9aa86f33f29bda6f40b6565f5d8b87c4427008ead05a63f4a

SHA512
feede42465ef2217733d6e1ce3a3bc18b8e9f4a56c213ec9425f6d70896fa5e1f1f5d1ef1413cc22e8565986b849f56e2cb83ae99b969f259a2c5256fa8d8647

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\doomed\20132

Filesize
9KB

MD5
d54be957df7aed154e9fc68b3ab851a8

SHA1
a15610d1e3211c4d27e34bc656fd7a2c87dbf9f1

SHA256
279f1ee5bb4102668695132f445749918b26ca0584a01fb014be45c2e0fb0011

SHA512
7c9f34568c22c49f5b1c39f484deb55dad890032ced06184c6d2d4b7605055ea2cfc3e7c1b000db9473e250899ac983cfdfb02af5ad02e3d96bbd9ad7f9ef0a5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\cache2\entries\D5594A2648EECD01993B5C42919BA64ADBF56052

Filesize
14KB

MD5
763b23358d90981e08dc24d56012179f

SHA1
db0af0ce5e8e3d80beaeecb372747f4120eea29a

SHA256
55158093ad9f563cc1bb61acad4a65a2adda698b906c078f940e83b041e8ade4

SHA512
2f817bab66f0e8d4c64387f33be35d18b84965bb22ba20ee7ecc82e7727980677e1144e3f114ec9d99e8d576dc494c98f30567e2b58c8d9868ea093b5ea5727e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\57nap2zl.default-release\jumpListCache\PEgp4DhYo7ZIUNh3fwwrbg==.ico

Filesize
3KB

MD5
3fef9833539ecf7625989a1192319b16

SHA1
98a69e5e74479847a673c688e44a44a16ae87f12

SHA256
4428522c40ebb41bee7c71186c4cbed9c4ef97a435d795ce074895ae055267a2

SHA512
1d2a7d78a7af9a46f01f22315e374f6366ddfee46f26ebb15bb22198559b64a9024174f14d2630d150f802ced1e7bfbf3057fa06e6bf575e281bea903a99071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CAD4986\run.exe

Filesize
34.8MB

MD5
d77c3ef3efa7e38ef91137466eee801b

SHA1
0b6ce4b03f43c2a7290f95bfbbe9107298efeaef

SHA256
91c2295f354b0616aa6481708248f6ce35dbe9292901464fc6bf3a22522ccb2f

SHA512
7c0171509814f7e5f24b2a9d53a10ab282586ec56bcdedc2deb2ba1aa2b4d9edade6d6d753ca80fb65d147597bfd4ac9f30e330e88c695e72c913ff3ab224750

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS0CAD4986\run.exe

Filesize
34.8MB

MD5
d77c3ef3efa7e38ef91137466eee801b

SHA1
0b6ce4b03f43c2a7290f95bfbbe9107298efeaef

SHA256
91c2295f354b0616aa6481708248f6ce35dbe9292901464fc6bf3a22522ccb2f

SHA512
7c0171509814f7e5f24b2a9d53a10ab282586ec56bcdedc2deb2ba1aa2b4d9edade6d6d753ca80fb65d147597bfd4ac9f30e330e88c695e72c913ff3ab224750

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnsADEA.tmp

Filesize
6.7MB

MD5
7a506a2e92bc66a9f64c2333a815e97a

SHA1
a123f6c070f4258c481cb0b6c2b5d1403463e2fa

SHA256
c9daca7de1b623867aee943a1d508573841f2584ffa91aaaf09de2a883d2733f

SHA512
8bdec3839ca8e0c72dcb76455ad1585264dcef4150d90e0299b477f99590a1b98ac0bd377985ac2e8e2c15f071588ad821650fc200e0f65ec4583f3f82582e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsc986C.tmp

Filesize
6KB

MD5
41e689a7859429d628c34a82bcbb1187

SHA1
f435c4225fc00b3ce4543b812731a65d3722bdc3

SHA256
252dd587c652e9939432bd8b5574590c4a8db64660bc753f5490a472703f5c3a

SHA512
6a8f76f4d2eeb78df1c48f43c8d31f4510f2ba8da71fbb93d88627eba5f4cc74eb9aa12b7688d7fb62ed938fe2ac15bd2c060d6ad90e5b2c61114f74fcecec85

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsc986C.tmp

Filesize
6KB

MD5
41e689a7859429d628c34a82bcbb1187

SHA1
f435c4225fc00b3ce4543b812731a65d3722bdc3

SHA256
252dd587c652e9939432bd8b5574590c4a8db64660bc753f5490a472703f5c3a

SHA512
6a8f76f4d2eeb78df1c48f43c8d31f4510f2ba8da71fbb93d88627eba5f4cc74eb9aa12b7688d7fb62ed938fe2ac15bd2c060d6ad90e5b2c61114f74fcecec85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
17KB

MD5
9c81b941feb18df5523f1a9c052e2283

SHA1
c15125a16da62e80b178ead17cf34c0418bb2c68

SHA256
e048cc15c5718ecaa0c2f31331fcaedb5be08399f41b841dbc1f2cf64b89f04d

SHA512
1483d0efbea33df396a115be5da4d58aec25b3f5680dfb55045b6ac87ba3a26c0cba85c7cc9cf8ef3729f2ef19da138779023340ca7971d83c35ae0fa83f7f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
be91310de1a6723295dd240df513f52d

SHA1
6c16e642f5edbd0a39df9649745885583deb2e4d

SHA256
be987e44602d2b7f3b242aac333fd580b61a686fdd1cd8a9a6ebe2378a7eee22

SHA512
c18b28fbba47ea3c612f2505bc1d2cc2d114715307d9e9a7e1a3a39a37b198952d3fcf3f3edd26a394f7abc905a7871be62654f2ce9793c9580da93cad6644cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
aa8abe39a95f09d80f1616a16c2cfdd2

SHA1
401a1e2773288a2b92f17c93f7f0a904fc0be476

SHA256
1d1bf1cce02a2deaf30192c95cac0a24d75bcc8bd1a6ae6857b3d54349cc1a2a

SHA512
a6e777d395ded6bb3bb02e4a25ea3126592db5ed888a5ec4d8ac105329f9270a931cd9be899065a26558059634c2f0311312efb2283bb7036e975c4dfb0110be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
6KB

MD5
24f6a95f91b60cfc8f01d749614aee59

SHA1
217aabc1e93bfbf5bbdc8871a4f89701dfe61de0

SHA256
a385f7325e7f378f466aa5234aae991251a5c70ece6f088c1521e5651d1102b2

SHA512
44c3e6888f548597c654efdaaf3b9d48a0c0ea689ebac0929f84e1a053fb2c967b3895ab18c9e68d33ca9889f8e9ffb16a6d40c567bc59347dea381306430384

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
09401abbcaf4d32b92550965290abc98

SHA1
f5c681c9d29f1750e9f1341c28f66199050dc634

SHA256
d0eab383f1251ebc7825788f1855b199f7db7a996036d451a60c1c3edd7dd288

SHA512
255f0ced6ef4482671db4bcc8f35cb8a52f79fb77f2af4880708236ba32d2eda54add107666c7b2a65fbba656fb156b4ca7869edb925367640c71e62e92980a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
a78ddba148eb4c34b87f0679d9b8634b

SHA1
da5103206d192546f582a1cee9566910ae050f1f

SHA256
f17e4b3f6dd9fab932fcec35c3018dba72a469cfe637f9fdb4e378649772ec93

SHA512
073bbe2a3c47f4dc0e9338745352164d97509ece74eff4fc6f2a008682c1098b5bd966b77892c81dcf1bcd83709b31d42c5d9cd81f224c87bd51158662978147

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
6f59c5912058209d7211fa5e54f0a924

SHA1
5bfabbc0b1e68809c8fa4dbad61f48720ca0bda2

SHA256
84644ee793cba22f1e8554db62c9290b2836634b98787fa0888ee6dd5b131df2

SHA512
4aa50e7b0daf52aa268a5a1f35a65949e6067d8e034ea000cc585daeaaae1705f904c877761188a5a551cb7a9af32aada5d65417e984f5050c8d83443296fe91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
8KB

MD5
11baef34c0387b4eaab90b077b8097e5

SHA1
84e799bdf0b21bdd7ee0477691a953bda425f5ba

SHA256
93e0fa9296d3e604777d737fa5ea85847b4b2019980636525b2e5e50c8e8e674

SHA512
33ce9f35555edf5cb5e929b97b3e34a5493b753a0ee90909bdec4620dc7dbb05f6e47e452f85614222f02a92d0bdfca05650523e5ddf95e5fa53e236b0a3c8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
9KB

MD5
e4324771f35adbbb5cfa1a07f41b1907

SHA1
0e2da28b5651e871a461c8bc4a721d7a253e2ffd

SHA256
dda6586288b994ec1f1647bb0b9912fff87aae5ac8d9dab5df7c52506df7ef73

SHA512
3394477e864ce6314aa3484e83f6e2ec54d2d1922aaad5c698dea9c786e244df690c2ce0e948efa4b5777ca0f5472662ed28beefcdb4f020df818fb0b7d7f57c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
10KB

MD5
7459aa19362b2199904338d263c6865f

SHA1
886f97298f9c5d178f5af3797ec2ead55870c8a0

SHA256
f0518f9f64dc91375d3db74b37b63dc51380a9b2ca8a162fc27cadfac2141285

SHA512
819a1db3f30ee2862393112c082852db667bfc16b4df69415be6ff187b8c1812de150c1a4cd3740f48c027f73718a58bc6e240fa36a67a8b8d0397b8b2472e39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs-1.js

Filesize
7KB

MD5
43ca56f3e2b08af6ecfa5610fc3b15c8

SHA1
da84e532b0a01bcd3f5135bcdd4596743d1cbace

SHA256
38177029b6b99166c888529d30101a80313b15f000b366007193cbb45ec83021

SHA512
6a67f8f5751c51539d970c065029120d471af0e43912d9edce49e90c43201d9b7adba7ad4204feecf545b8d8551ad84398a29df0b0e6a1ca4ed2f3e2dc03eca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\prefs.js

Filesize
6KB

MD5
feb8a52858c8167a58f36caa1b37f116

SHA1
7ae7f9d2721ae3c579f9e18e4fea679e8c848158

SHA256
adbc4c7b5e775c3d401ae811d5be5a69b844f5937e3d0a416d374dd5a7ec227a

SHA512
109d42ec5b9744b3561d29a9cabdcf2ffb81233935fa5c2d80c39f27b92ae55366c3c51ae3d26cc1a8936635662acbd11af89e54efac374aceaa279f13e7dc16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
70e3eab222eb39ac275672f52684d5af

SHA1
6e740fa92d95f279136863e1471f586670aa4a89

SHA256
5af41b9176349e058752ec79393e610c17aaeb88780659d7e7dcf13610b3a10a

SHA512
da97f7c07ee6fe4328ff015b05460d406f1d83eb15c3ee82d052c53563f7badd95638fee8dd65ac6f764d66f0eed6859234693e30912b46de7e552d06b0482d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
56d2acaf636eabc7b192ca0da99ae8c8

SHA1
b489e4c23bb73a776bc21c4afbc343df512feed1

SHA256
9da9513b53580a9d8b1d67cc7fd1c22dabfd46f3c06cc9498d575d116e03cfa3

SHA512
24ffdbe4fdfdf57a66fdf5c3ef8e2984f9423fddb68738b637f0086f79673c6c9400a498c6267a830ff1fa2fb1aa5b56e2adb83b2b39fdb1c089e6f85f59660c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\57nap2zl.default-release\storage\default\https+++www.virustotal.com\cache\morgue\190\{6c028ae3-5904-42be-ba34-11905a3795be}.final

Filesize
41KB

MD5
63960ec6a4369289b7116a2393969f5e

SHA1
d56b8e2f4f0c3ca99aa64b1e4979160403545e13

SHA256
9eb0af0367167ddc1a4fa373e761e25a07f7fb9959baa3b352c11982a1cf5aa3

SHA512
dde1d81e07a8a4667dcbfc8a3447ed12acf206b4382294a225dedac828500de89dcbd93f8258bc6ab01f607b2cb4c1d423712eb84d8279ac1c6130a04930190f

Download Submit
\??\c:\users\admin\appdata\local\microsoft\windows\inethelper\node.exe

Filesize
6.6MB

MD5
5f40521d2e1082fe1c734610c4a83911

SHA1
86d54874cc8976cdb75a9dc8dcd817af50837796

SHA256
79ac7ae94231a392d27f303418e305a60c4194dbbe143c5deffc977c7b2e7a78

SHA512
ef2b54b46844cfb13cfdef6271e2a8b4e646d2e31ca55229e5c76ca90c649895533bc8fb83c4d50dd3721abb2a5e4c5ee32df5c4540e1c14498a5e9b550d3189

Download Submit
\??\c:\users\admin\appdata\local\temp\wnsadea.tmp

Filesize
6.7MB

MD5
7a506a2e92bc66a9f64c2333a815e97a

SHA1
a123f6c070f4258c481cb0b6c2b5d1403463e2fa

SHA256
c9daca7de1b623867aee943a1d508573841f2584ffa91aaaf09de2a883d2733f

SHA512
8bdec3839ca8e0c72dcb76455ad1585264dcef4150d90e0299b477f99590a1b98ac0bd377985ac2e8e2c15f071588ad821650fc200e0f65ec4583f3f82582e30

Download Submit
memory/1192-4964-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-4316-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-4123-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-4577-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-3932-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-4670-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-3815-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-3726-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-4866-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-5154-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-5268-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1192-5457-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1129-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2688-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-3577-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-3280-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-3182-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2980-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2891-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2388-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1414-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1037-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1802-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1229-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1140-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1992-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2091-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-3479-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2588-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-2286-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1708-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/1232-1513-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/3476-2792-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/3476-2840-0x0000000000400000-0x0000000001F1A000-memory.dmp

Filesize
27.1MB

Download
memory/4268-155-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-146-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-147-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-151-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-153-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-152-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-154-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-157-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-156-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download
memory/4268-145-0x0000027E4C5A0000-0x0000027E4C5A1000-memory.dmp

Filesize
4KB

Download