laplas | 6245c07bf0750103927e9040861ef8b7dd5542d0e58bf5224830d2da89da391f

Analysis

max time kernel
461s
max time network
490s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.zip
Size

1.5MB
MD5

98a2b3e1a3ffe6bf93e15f580b8a0172
SHA1

d4100db083f42a3e4d872c52e2409ebb66382505
SHA256

6245c07bf0750103927e9040861ef8b7dd5542d0e58bf5224830d2da89da391f
SHA512

63df92f9d69a470834e11b337bbc85fa033a5c92c4a9c7a0fd2dcce90c03cfef03ce39cb7e1062b10f7a0b81abfe559bfe9b8124c3bb7771886a3e3da8d17720
SSDEEP

49152:RubvnOfAShPr98xN4ACTXtoGj72uk3l9Yvxrs:gbPOfAShPr9874dWY72ui6o

Score

10^/10

laplas redline 0407 @hddwet clipper discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@hddwet

94.142.138.4:80

Attributes

auth_value
7ea037c98a7d3534ffcae43a97e29278

Extracted

Family

redline

Botnet

0407

89.23.96.198:24230

Attributes

auth_value
09f9c337ba96f35d1b35a378ca190d67

Extracted

Family

laplas

http://185.209.161.189

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	winrar-x64-622.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	WinRAR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 15 IoCs

pid	Process
4268	winrar-x64-622.exe
4164	uninstall.exe
3656	WinRAR.exe
1616	setup.exe
4636	svchost.exe
2396	ntlhost.exe
6084	conhost.exe
4600	7z.exe
408	7z.exe
4920	7z.exe
4172	7z.exe
1120	7z.exe
876	7z.exe
3852	7z.exe
5076	fgi432fg32f32.exe

Loads dropped DLL 7 IoCs

pid	Process
4600	7z.exe
408	7z.exe
4920	7z.exe
4172	7z.exe
1120	7z.exe
876	7z.exe
3852	7z.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1616 set thread context of 512	1616	setup.exe	109
PID 1616 set thread context of 4872	1616	setup.exe	110
PID 512 set thread context of 4912	512	InstallUtil.exe	111

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240746031	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-622.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-622.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-622.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5496	schtasks.exe
3840	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	202	Go-http-client/1.1

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\IESettingSync	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\installer.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\winrar-x64-622.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1616	setup.exe
1616	setup.exe
1616	setup.exe
1616	setup.exe
512	InstallUtil.exe
512	InstallUtil.exe
4872	InstallUtil.exe
4872	InstallUtil.exe
4912	InstallUtil.exe
4912	InstallUtil.exe
4912	InstallUtil.exe
4872	InstallUtil.exe
5076	fgi432fg32f32.exe
5076	fgi432fg32f32.exe
4240	powershell.exe
4240	powershell.exe
4240	powershell.exe
4872	InstallUtil.exe
4872	InstallUtil.exe
5076	fgi432fg32f32.exe
5076	fgi432fg32f32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3656	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	4164	uninstall.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	1616	setup.exe
Token: SeDebugPrivilege	512	InstallUtil.exe
Token: SeDebugPrivilege	4872	InstallUtil.exe
Token: SeDebugPrivilege	4912	InstallUtil.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeRestorePrivilege	4600	7z.exe
Token: 35	4600	7z.exe
Token: SeSecurityPrivilege	4600	7z.exe
Token: SeSecurityPrivilege	4600	7z.exe
Token: SeRestorePrivilege	408	7z.exe
Token: 35	408	7z.exe
Token: SeSecurityPrivilege	408	7z.exe
Token: SeSecurityPrivilege	408	7z.exe
Token: SeRestorePrivilege	4920	7z.exe
Token: 35	4920	7z.exe
Token: SeSecurityPrivilege	4920	7z.exe
Token: SeSecurityPrivilege	4920	7z.exe
Token: SeRestorePrivilege	4172	7z.exe
Token: 35	4172	7z.exe
Token: SeSecurityPrivilege	4172	7z.exe
Token: SeSecurityPrivilege	4172	7z.exe
Token: SeRestorePrivilege	1120	7z.exe
Token: 35	1120	7z.exe
Token: SeSecurityPrivilege	1120	7z.exe
Token: SeSecurityPrivilege	1120	7z.exe
Token: SeRestorePrivilege	876	7z.exe
Token: 35	876	7z.exe
Token: SeSecurityPrivilege	876	7z.exe
Token: SeSecurityPrivilege	876	7z.exe
Token: SeRestorePrivilege	3852	7z.exe
Token: 35	3852	7z.exe
Token: SeSecurityPrivilege	3852	7z.exe
Token: SeSecurityPrivilege	3852	7z.exe
Token: SeDebugPrivilege	5016	firefox.exe
Token: SeDebugPrivilege	5076	fgi432fg32f32.exe
Token: SeDebugPrivilege	4240	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe
3656	WinRAR.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
5016	firefox.exe
4268	winrar-x64-622.exe
4268	winrar-x64-622.exe
4268	winrar-x64-622.exe
4164	uninstall.exe
3656	WinRAR.exe
3656	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 412 wrote to memory of 5016	412	firefox.exe	86
PID 5016 wrote to memory of 1440	5016	firefox.exe	87
PID 5016 wrote to memory of 1440	5016	firefox.exe	87
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 3912	5016	firefox.exe	88
PID 5016 wrote to memory of 2480	5016	firefox.exe	89
PID 5016 wrote to memory of 2480	5016	firefox.exe	89
PID 5016 wrote to memory of 2480	5016	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4528	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\installer.zip
1⤵
PID:792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.0.1771965922\1440117512" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1848 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2dbeaa5-e0fd-45c0-b315-a25e1586df72} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 1932 1d8540fbb58 gpu
    3⤵
    PID:1440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.1.1509933657\725095225" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ab80fea-c433-4bac-84d0-f2284d4043c9} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 2332 1d847671f58 socket
    3⤵
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.2.126839964\1888305641" -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2944 -prefsLen 21012 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fea6826-78cf-4c36-93f9-f30914d9401d} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 2868 1d857d97458 tab
    3⤵
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.3.809277400\1352114083" -childID 2 -isForBrowser -prefsHandle 2468 -prefMapHandle 1308 -prefsLen 26372 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77edc7ab-382b-47c7-ad05-5f9415309498} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 1288 1d847670a58 tab
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.4.1017409366\2119751843" -childID 3 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 26372 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cb7e58b-19d0-415d-a48a-8003fa810c28} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 3656 1d856b39b58 tab
    3⤵
    PID:4356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.5.1682760444\411272278" -childID 4 -isForBrowser -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36a82f2e-f8c8-4eda-9ab2-2ffb4ebafced} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 4944 1d859cb5658 tab
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.7.1007593730\1742869932" -childID 6 -isForBrowser -prefsHandle 5296 -prefMapHandle 5292 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d06ef9a-d1b9-4631-a271-afb38e168733} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5312 1d85a0ed858 tab
    3⤵
    PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.6.1508936309\1448549728" -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5072 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f968d9a3-e69a-4551-b4ce-24f3cfd91204} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5268 1d84766c758 tab
    3⤵
    PID:4468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.8.144749137\2093525389" -childID 7 -isForBrowser -prefsHandle 5268 -prefMapHandle 5568 -prefsLen 26842 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abc88d4f-c438-42ae-9321-f69849ce0df4} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5284 1d85a0bda58 tab
    3⤵
    PID:4184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.9.1239619138\674048273" -childID 8 -isForBrowser -prefsHandle 4860 -prefMapHandle 3772 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {962fc704-e862-43db-b5f7-6cc945bcd5f3} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 4864 1d85a0bc858 tab
    3⤵
    PID:2096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.10.1697758687\750347025" -childID 9 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 27272 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {391d27ae-303e-408f-829b-8076095c1b39} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5312 1d8495d6558 tab
    3⤵
    PID:4304
- - C:\Users\Admin\Downloads\winrar-x64-622.exe
    "C:\Users\Admin\Downloads\winrar-x64-622.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4268
  - - C:\Program Files\WinRAR\uninstall.exe
      "C:\Program Files\WinRAR\uninstall.exe" /setup
      4⤵
      Executes dropped EXE
      Modifies system executable filetype association
      Registers COM server for autorun
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.11.313604108\1463579846" -childID 10 -isForBrowser -prefsHandle 5708 -prefMapHandle 5696 -prefsLen 30336 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {712a3db2-9a48-4ba6-a120-3fe0eca85931} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5792 1d84766a558 tab
    3⤵
    PID:5508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.12.276421148\859241461" -childID 11 -isForBrowser -prefsHandle 5784 -prefMapHandle 5772 -prefsLen 30336 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb9907b0-e9e3-4d6d-a7a9-c6ab538bcf14} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5716 1d84766ab58 tab
    3⤵
    PID:5500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.13.661425508\504946356" -childID 12 -isForBrowser -prefsHandle 7552 -prefMapHandle 7328 -prefsLen 30336 -prefMapSize 232675 -jsInitHandle 1412 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6398e662-e3d3-41db-8d0d-1d876fa4d0b2} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 7936 1d84765b258 tab
    3⤵
    PID:5908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1936

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\installer.zip"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3656
- C:\Users\Admin\AppData\Local\Temp\Rar$EXb3656.7101\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar$EXb3656.7101\setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:3224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:512
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4636
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Executes dropped EXE
        
        PID:2396
  - - C:\Users\Admin\AppData\Local\Temp\conhost.exe
      "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:6084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        5⤵
        
        PID:2464
      - C:\Windows\system32\mode.com
        
        mode 65,10
        6⤵
        
        PID:2108
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p76249059265548492400510558 -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\main\fgi432fg32f32.exe
        
        "fgi432fg32f32.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAEUARwBsAGkAdgBlAGQAbQBXAHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBjAHUASwA2ADgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMASwBBAEwANgBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AZgAyAHUAOQB2AHQANwBTACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        7⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAEUARwBsAGkAdgBlAGQAbQBXAHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBjAHUASwA2ADgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMASwBBAEwANgBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AZgAyAHUAOQB2AHQANwBTACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5637" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk5637" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:5496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:3840
      - C:\Windows\system32\attrib.exe
        
        attrib +H "fgi432fg32f32.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
18eeb70635ccbe518da5598ff203db53

SHA1
f0be58b64f84eac86b5e05685e55ebaef380b538

SHA256
27b85e1a4ff7df5235d05b41f9d60d054516b16779803d8649a86a1e815b105b

SHA512
0b2a295b069722d75a15369b15bb88f13fbda56269d2db92c612b19578fc8dadf4f142ebb7ee94a83f87b2ddd6b715972df88b6bb0281853d40b1ce61957d3bd

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
103KB

MD5
eaeee5f6ee0a3f0fe6f471a75aca13b8

SHA1
58cd77ef76371e349e4bf9891d98120074bd850c

SHA256
f723976575d08f1001b564532b0a849888135059e7c9343c453eead387d7ae4c

SHA512
3fc5994eefce000722679cf03b3e8f6d4a5e5ebfd9d0cc8f362e98b929d1c71e35313a183bfe3ab5adbd9ce52188ade167b8695a58ebd6476189b41627512604

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
317KB

MD5
11d4425b6fc8eb1a37066220cac1887a

SHA1
7d1ee2a5594073f906d49b61431267d29d41300e

SHA256
326d091a39ced3317d9665ed647686462203b42f23b787a3ed4b4ad3e028cc1e

SHA512
236f7b514560d01656ffdee317d39e58a29f260acfd62f6b6659e7e2f2fca2ac8e6becac5067bab5a6ceaeaece6f942633548baeae26655d04ac3143a752be98

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.5MB

MD5
04fbad3541e29251a425003b772726e1

SHA1
f6916b7b7a42d1de8ef5fa16e16409e6d55ace97

SHA256
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7

SHA512
3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.5MB

MD5
04fbad3541e29251a425003b772726e1

SHA1
f6916b7b7a42d1de8ef5fa16e16409e6d55ace97

SHA256
0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7

SHA512
3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

Download Submit
C:\Program Files\WinRAR\uninstall.exe

Filesize
437KB

MD5
36297a3a577f3dcc095c11e5d76ede24

SHA1
ace587f83fb852d3cc9509386d7682f11235b797

SHA256
f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b

SHA512
f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
1KB

MD5
e3664dc7632b7d6913e0e818b02ae363

SHA1
08a21474ab2598556ffd49ac64cca79735b65682

SHA256
54e313b19bc33f1d3b156241c80660cedf93d8c4f5f28fc630f4b3ec8574925d

SHA512
dc343596ad3a71a26d06c2ccfbd5d00056fa642c7477aab48f0239313eb8f1db0633e8a84f753e79b1c7a67e6e2e1181fdec3e900eb5adb2b4b3308a09ece020

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
6d778f64dcc3efdcbc6287475273bf47

SHA1
fc9cd4a53ba0e6dadde6c228c559e48a35126235

SHA256
972618e5562e13a12f126fcb8d16457b0b34981083e6e63dc8737380c284f488

SHA512
a6482f5156031b35537e1c93230651702d3d9037498606d9f173ff90c83ce0867f36a73f646af9c875e37d49a278c5ee6fda96fb402d3b2a1c21c57f8f321d81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cache2\doomed\25154

Filesize
9KB

MD5
88219229e32c432543d701ccfcc17e5a

SHA1
4c21affa93f0ac83669b0c6363a1693f7c44a4e0

SHA256
9ad3fa77896158026994320c2441dddf40a6d32fe88ba7de9c4e3978a0ae2069

SHA512
b9484b48cbe73bcdc667c6e20cc478d0ad7e1b7dafaf2c987d3ece9d43d473c2a4204225ca47164cfde1223143b9f05eac36f9f38978ef664f5650898c90b750

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cache2\doomed\30604

Filesize
15KB

MD5
b19d0fe1d52960c971c0dba5eb2504bf

SHA1
eacadba22b4ca1bf37ae294cb52e4a573a289e7f

SHA256
ee61fe42e84fae0cbc09756160294178faadcc28f1214dfbc71b331a049c9e88

SHA512
edf4699c5cf0d8a064d8980f6b67c8d31839deb1a53e34d344deba14b28b1dc568eb803c2051a9de882fb2ac6143ba3540fab07503eb49e579ff06d3b0e4c9fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cache2\entries\118BB2BA245AAA64B01692DF29396B97E11FC1A0

Filesize
14KB

MD5
fd9b7fe5b5da67f5368fb830a3fc2268

SHA1
d03fd53c41e097ef6b81d92acece18c9b418202c

SHA256
709db315f7da89069ba0d7650df670946e4563c11144c2c91ad41d55c5d94f94

SHA512
60a9acc077251654e0a83df062a4f4e8c9311f31db4931de0331be0c9097bd967a8b8b42e632d5be7d30e2b21f8919b48696c51073195af5fc5699e21c368e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb3656.7101\setup.exe

Filesize
750.0MB

MD5
c162136e9ed70e179be3c6488d546abc

SHA1
71d186698bee8880edb13d76d3a34387f135d8c3

SHA256
f318603beda74131108d182a0e72b55de289d78bdd1fb0ca3c443d1ff758acdb

SHA512
d4de4248399e37fb826eb93dc87ca68e116fa5623d6818b531a948780f1f36f4da06b4ba1ed3cb05385c9aaf6f2cedc761bb5d9e73449433244887ebfec9899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb3656.7101\setup.exe

Filesize
750.0MB

MD5
c162136e9ed70e179be3c6488d546abc

SHA1
71d186698bee8880edb13d76d3a34387f135d8c3

SHA256
f318603beda74131108d182a0e72b55de289d78bdd1fb0ca3c443d1ff758acdb

SHA512
d4de4248399e37fb826eb93dc87ca68e116fa5623d6818b531a948780f1f36f4da06b4ba1ed3cb05385c9aaf6f2cedc761bb5d9e73449433244887ebfec9899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb3656.7101\setup.exe

Filesize
750.0MB

MD5
c162136e9ed70e179be3c6488d546abc

SHA1
71d186698bee8880edb13d76d3a34387f135d8c3

SHA256
f318603beda74131108d182a0e72b55de289d78bdd1fb0ca3c443d1ff758acdb

SHA512
d4de4248399e37fb826eb93dc87ca68e116fa5623d6818b531a948780f1f36f4da06b4ba1ed3cb05385c9aaf6f2cedc761bb5d9e73449433244887ebfec9899b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzpbwyfg.ee2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
cb772c8ada23124869d55fee2afc604f

SHA1
a5722facb279cdd23a1568009a531aeafe7bb876

SHA256
a12002d074424d71c5990176e32c5dbc4680857c41515de9bec54f6508333628

SHA512
7cffacd606c440711f7e5c56817a9656ea3538656cbfd0fb5f1c5c303c5d0a9561c7315e866c2356ab0aa93f07d956ea705e06701ef808203933e80e63f57625

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
cb772c8ada23124869d55fee2afc604f

SHA1
a5722facb279cdd23a1568009a531aeafe7bb876

SHA256
a12002d074424d71c5990176e32c5dbc4680857c41515de9bec54f6508333628

SHA512
7cffacd606c440711f7e5c56817a9656ea3538656cbfd0fb5f1c5c303c5d0a9561c7315e866c2356ab0aa93f07d956ea705e06701ef808203933e80e63f57625

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.5MB

MD5
cb772c8ada23124869d55fee2afc604f

SHA1
a5722facb279cdd23a1568009a531aeafe7bb876

SHA256
a12002d074424d71c5990176e32c5dbc4680857c41515de9bec54f6508333628

SHA512
7cffacd606c440711f7e5c56817a9656ea3538656cbfd0fb5f1c5c303c5d0a9561c7315e866c2356ab0aa93f07d956ea705e06701ef808203933e80e63f57625

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.1MB

MD5
3e5bf3786a211388b1cc5eda3c8b8a69

SHA1
9174a39374113fec4856d01d70a2ae5524e6835d

SHA256
94b1076a7629090fd6eca08659425714625974713c1543d1afef6b497661b47b

SHA512
ab0ceded395bdb218ffbfd622ddeca4412a3c0e78e1f99a0f2876f279db1c7a71f3528810e853655ffd01c6460c1d99348a1fa325d69d35dfe950da65144ad46

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\fgi432fg32f32.exe

Filesize
21KB

MD5
c089ba74d9f4f2609d2d4238b3ca15fe

SHA1
7cad6c750a1874b21bd46b2c8fd8f9e03e4e68d6

SHA256
d236f3ea7e13c8b96709bc1d789544a40fea3ef5716663865683a1d46178eedf

SHA512
1737b46cd7975af7ce92109bb34a388846a735396d33adb3b706b6c03c99b2822c90cafdf9ffde5a91ad2f8451d837895636bcb0f12953e463123b56f2bc2fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
9KB

MD5
bbde7ae1c5be3f2c2d578fee48443f33

SHA1
7ed128c519c5b126682f4fc3d840d5abfe4365e2

SHA256
e8b7e1c31838f7f46a1db12b8961fcead934fa3e1c59fc2a7a775c94514f6c64

SHA512
d9eaed6f680408f83eb72cb3f8d70bd5d94988dda35f2c64b65ca2c44f79b3eadc1839c79bb5c8cf886a097ca7771cca74756919da3ddeb1d111760b3896c51c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
9KB

MD5
aef84fcab866a8da6ab860a32255b624

SHA1
c9561ae6c7fad3665f8f46929ff5c2e9b11c8e22

SHA256
4345ee52d64a93100e88b81d7651bd5665f9d092ad3c4989f568906a90714df6

SHA512
ec290c22ef8309074faad6ac2026e52ea26646885ca17a55ecb38de19888f49934d0b2e65d6ca4993f6bb8c2f924a482a13521a81e958df2703d7a4b38ba0145

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
9KB

MD5
d394e803626c4a13abc1a92da5d2d4af

SHA1
bdd5b08f7097b0b1caca3a606fb6c8e86e7b0b81

SHA256
9c5cba506320e294f794f289600f12d84106b08176c95758300a5294710e9c65

SHA512
0f14f09fbc95c94a5ee20451a71f5870b1ef571503d6044939505a66a8a04368b072a67195891fa107eb15a4408746434e3e5293f9f344c875ee40d8cda0d156

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
9KB

MD5
2e7acb5d175812289eff73e4d9b0c205

SHA1
b45219a500bb222859486c62c876eda833eaadfc

SHA256
af52e4282f806051b28e7be786ea60625ff57508043703a81dc102a4ce3886e0

SHA512
4ec5893685be3ab9d29b059383f5ec47cabe4441acc7785f55e395859db304ae5fb131a002a64a6d37a1cc3cd71f1734ab9e181e3c270668179ca04f0bce0ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
9KB

MD5
96348c4467b287234d334a48004d6b91

SHA1
17bc37b10078dd134d847395d2535db3d978029e

SHA256
dc5ec98dc94ad28fedb74444609c05f091f5df0c8252a86dd0a1d146af4b5d84

SHA512
850ae63868e11ca7b59eef0e1924aabe97f9ccecdb603ac591c5f0793d7c99f9da11571773068e32a045973436a570f3bd22dc88489959683cde329f2535350a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.5MB

MD5
c81dcc913ac98b3ff4f9fb9c492c25ca

SHA1
ea5ad7f094005aec622bc6f1bec1e55af6bda00b

SHA256
39f2876dc4e4b256fdf93bea4dbc643512f6f7abf05eef691deae6d6029665d3

SHA512
2ba8db488e3291fae00a3150bdc4bbee29b62ebe53d51c0602ce86f96d354112d109dea2eb2395bf03d1b1f9e9dcfaeb9ec0973232db1247ea9317c01583e641

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\fgi432fg32f32.exe

Filesize
21KB

MD5
c089ba74d9f4f2609d2d4238b3ca15fe

SHA1
7cad6c750a1874b21bd46b2c8fd8f9e03e4e68d6

SHA256
d236f3ea7e13c8b96709bc1d789544a40fea3ef5716663865683a1d46178eedf

SHA512
1737b46cd7975af7ce92109bb34a388846a735396d33adb3b706b6c03c99b2822c90cafdf9ffde5a91ad2f8451d837895636bcb0f12953e463123b56f2bc2fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.5MB

MD5
f354f0d8a4886e8a68934872bf575c6f

SHA1
6a016e9d01291279bb89a80d85dea5616b61189b

SHA256
a94aaf4a8a7a4be31175534d5a5f7fd8f3c3cebdeb2c69682bfd587793a80521

SHA512
b2323179cf23e8a92038775b50fd742414fc87df7697fa02ca297229e04d39bc65c7db80c05b168d57f5bdd3dd9e706dd4b2bfe44e3e9b1dd4d1b003bdf6bed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
492B

MD5
b881c6c278dea8db0abe1e1affb738a7

SHA1
edc2c15da6bba3ab82ebf3b946d4481a591cb8d2

SHA256
61aecc69c0fed33e96b30a1f579dd420d8bc33158872ca0ae536175252c12d8c

SHA512
059edafa72dfb04f01a8153c0557cdf72ce87f281d87772e5bcd7226abe388710d552f0a24c1eee9b0bcd383eca82a62774b0cab19c42696d233ca11d616cbe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
4.0MB

MD5
d076c4b5f5c42b44d583c534f78adbe7

SHA1
c35478e67d490145520be73277cd72cd4e837090

SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
c5b4d705bca18aaa2c87173257d18422

SHA1
c81efbbb1a4c6f54b42b4e774bf84da3e0429d0c

SHA256
a8b109ef31ea231ad31f063bc1593a61670c0b1e9bab159228ca55e69cd8bc1f

SHA512
764b8d602b61204d5b6ff10a4ed396e7f6117547fb5e756c596af9ac11f69d28309c3353bb4a4bf5a98432b6d1336a6641998c9bfe778b656110eb2f9186b12e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
2b9ce9ac458e1af224a05f6a1355f0a2

SHA1
ffd2bc8b1c845903d42ba89f7f9af46c4fdfadc3

SHA256
9e133fc730d926fc8e0d01311aaa75d0f7161331571dbe94676748b60ea9effb

SHA512
76fd5ca8cad15ec792b14ddb99075dde9ec78d98472b7ef9914ce76e282094583ba09628ed0a4d083e6dc59be504d0372d7cb6da386b3ddaebc92127c569f3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
a12acd030e080adf2ec704a43bc43ac4

SHA1
56bbb648ccf27fcc57eff5a9021b5f84b603e1d8

SHA256
234ee3473c6cff26cdde43e9e18986202b965c6eba73d19c64b8543dd9fbe9d3

SHA512
7cd0ea4ff3f8387663bd4f36a4e5ece0fdb91282959a24b3ed8dfe0c7b8cc498efa7d7af670c9e428f4aec72ddab0cb823b53253aeb195f0fc93c3b772d9d0e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite

Filesize
512KB

MD5
2f6f8f70250fccc8e2b0ffb701fbd495

SHA1
84de760453793766f4713adb5d0c650ea0b00b00

SHA256
0faa57a06042ab579ba5c2d0dca020c5946ef13f4c0cc331c00c4d9f751183b3

SHA512
a8f2c54cafa87a59728b2a4939db71cbf538b693062116c2564ae4c697cf56babdeb5bc7535f73f4fd1d6ffcf720ee6595af237ad357d42f4d382b764bf91ba4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\datareporting\glean\db\data.safe.bin

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js

Filesize
6KB

MD5
c6cedd4a7d5ee56c4cfdd1fd8d04f7db

SHA1
23549c44073fe9b018dbcc6a2770d1ce8886690d

SHA256
bad893f8b8a56c64e715baff6c1439f1cb23440fdc62f4012d2b15623f07f417

SHA512
99fc1f75fdfdc395a72811feb2adbe841103f980e79c8df9e550fcc6214f3266b2053cfac8704aa1542112fbe72da99f03ce1cc779f72bbd84c983f1a9a63e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js

Filesize
7KB

MD5
7e510480a7afb32fb8567db31e649488

SHA1
c6c2939b0191fc8a7f98c03565f51f9f945b47d2

SHA256
d004c66873ce374e59b087a7d729a32b199ce2f9b68f436ddc7bb2544b56f94a

SHA512
f57ed6961fcd81a4fe44cba1782caa3e1764977872faa63f90186fbc3cfdc96637f4e00a3a2c8174ffb857ba2800975d3ca342ceae97cd1c3d633b3351d5962d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\prefs-1.js

Filesize
10KB

MD5
3fc8fe05707bbfe9729f78df13bdf778

SHA1
32dcb978fae2abecb7f153d5b29df39966b17285

SHA256
44d0d1cad634b68b864a16de8897cf927ed54411b9181ae2a167445619162327

SHA512
2afc825a938a537ed3f15436b852945f50b925f945b90b51135ce05c9d559a37897ee4d2733cab657f992f84bfb46e5d391c35831fd17dfb20f155f7a2662d4a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
08718795e163ae0783ed144774156847

SHA1
a5e5a7e192af6d9186a2dd82a05a92f530c1d00f

SHA256
e3a34b676301191cfb8b9683e2f7a8e8380777c5e84dd27d3aa9f756cd042025

SHA512
8da2bc5b7b39393f103ccbf3462dfdb64f234470948927ed1a1782617e99f7e0c6fc0b69f3b1b5b9c944fb18e053a2907264c138a028f14f4039a2b1aa7d6152

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
54149372632897c357c4e8f3246bcd6a

SHA1
6b4998b01f1eb9dd151c8cf1bb42b54f6e43791b

SHA256
1bb78608d35908b072a65ff31ccfe441f84d5127949eee4bd4a88304e08206d9

SHA512
53bc480f2bedda6ced2f540df6129fdbfb42466a85b99fe245918cbd3ed5fb21da041deda8781d87ed8b3bcbac1d6218e91f31e1450deb69e265a6813de146da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
4b5b88949159e3461fc2ccae6e10da38

SHA1
52bf15b716d87727e8f3904a4ce6c8d6f3868a7d

SHA256
7fd1d9623d911dd95ef93e3924c7ea51f03097b30c7a281ca271dff0140536bd

SHA512
687fff26a0ba626798a536fcebc330021172ee27d67f2f23b09af68516df44ae178ba1e6b62720ca60e536d5cf9ae213429fd9e8df41ad156e7246ae5c8d3357

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b80301e76c6355f4437b15cb5c0a2a80

SHA1
47c40a16a6bb900be56c70e0ed0ba431809af357

SHA256
3145b93311ff32361cedd4555a9ace2af6d261a4a5fddcd514b3be217783bcd8

SHA512
fc0dd82a909dbc32f1f27788247aaccc798b20967cd1c0e1ce010a92624c6fc82b9fc751532a0a47bc19a96b737bb06f9d23f8776f8933e7bf12a1b13e070056

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
1dcbc036ffaf158aa4a84c14ed24e02b

SHA1
b964d96c0c2f6bfbcf5e242262ac909f2d290b66

SHA256
db2194194124abb725f91109a08f0f2ccc53ac8f8c4923620d2ea841aee3b0ec

SHA512
874795eda945a900af5019ea5e9491397f293544222c6c3730c21fd5e8cd69f525bd7a99b8583d942640013f412fcf3a635fd0edd27b8b5783905504c5f4a4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
9efe81eff2e77be24ba3e2efcea90208

SHA1
61ae480f9021591cc31bc83310f6e2aa1216dd1b

SHA256
ea28704bc96d1c84e79cc036a57441d11dce4dfc8ce6aabc914c325fff438d73

SHA512
4653efcb7e4c491eac9b5801d1f522f91ef1f7ca39e9e235ef23cc7c4720431f7be7261ee5fa566817b3378458419deec232d8f1ec6b14d4fdc0d4e817d2ea0e

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
838.0MB

MD5
a6f62be376bdc2d41b155ea9b524b52e

SHA1
651def4239b5798fe454639f00184533754bc04d

SHA256
4162985dcb6eb1322c5c8d74af80fba337dc25533f616b130ac283f3de515925

SHA512
7dca5e9bbe73e74a3116bab8a62c3dab00063ff148366ac4ba3de3c431fa1295d7554015e2592eec1fb5c8f70dba2d21996f0341ba8d651ca763e2b40b152923

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
838.0MB

MD5
a6f62be376bdc2d41b155ea9b524b52e

SHA1
651def4239b5798fe454639f00184533754bc04d

SHA256
4162985dcb6eb1322c5c8d74af80fba337dc25533f616b130ac283f3de515925

SHA512
7dca5e9bbe73e74a3116bab8a62c3dab00063ff148366ac4ba3de3c431fa1295d7554015e2592eec1fb5c8f70dba2d21996f0341ba8d651ca763e2b40b152923

Download Submit
C:\Users\Admin\Downloads\installer.76O-7SfA.zip.part

Filesize
1.5MB

MD5
98a2b3e1a3ffe6bf93e15f580b8a0172

SHA1
d4100db083f42a3e4d872c52e2409ebb66382505

SHA256
6245c07bf0750103927e9040861ef8b7dd5542d0e58bf5224830d2da89da391f

SHA512
63df92f9d69a470834e11b337bbc85fa033a5c92c4a9c7a0fd2dcce90c03cfef03ce39cb7e1062b10f7a0b81abfe559bfe9b8124c3bb7771886a3e3da8d17720

Download Submit
C:\Users\Admin\Downloads\installer.zip

Filesize
1.5MB

MD5
98a2b3e1a3ffe6bf93e15f580b8a0172

SHA1
d4100db083f42a3e4d872c52e2409ebb66382505

SHA256
6245c07bf0750103927e9040861ef8b7dd5542d0e58bf5224830d2da89da391f

SHA512
63df92f9d69a470834e11b337bbc85fa033a5c92c4a9c7a0fd2dcce90c03cfef03ce39cb7e1062b10f7a0b81abfe559bfe9b8124c3bb7771886a3e3da8d17720

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.XRaCv5dG.exe.part

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
C:\Users\Admin\Downloads\winrar-x64-622.exe

Filesize
3.4MB

MD5
8a3faa499854ea7ff1a7ea5dbfdfccfb

SHA1
e0c4e5f7e08207319637c963c439e60735939dec

SHA256
e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

SHA512
4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

Download Submit
memory/512-2747-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/512-2748-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/512-2749-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/512-2753-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/1616-650-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/1616-649-0x00000000049B0000-0x0000000004A4C000-memory.dmp

Filesize
624KB

Download
memory/1616-692-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/1616-663-0x0000000009DF0000-0x0000000009E82000-memory.dmp

Filesize
584KB

Download
memory/1616-831-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/1616-662-0x000000000A0C0000-0x000000000A664000-memory.dmp

Filesize
5.6MB

Download
memory/1616-648-0x0000000000CF0000-0x0000000000DF8000-memory.dmp

Filesize
1.0MB

Download
memory/4240-2953-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/4240-2958-0x0000000006F40000-0x0000000006F5A000-memory.dmp

Filesize
104KB

Download
memory/4240-2965-0x00000000071D0000-0x00000000071D8000-memory.dmp

Filesize
32KB

Download
memory/4240-2964-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/4240-2962-0x0000000007180000-0x000000000718E000-memory.dmp

Filesize
56KB

Download
memory/4240-2961-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/4240-2960-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/4240-2957-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/4240-2954-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4240-2955-0x000000007EE10000-0x000000007EE20000-memory.dmp

Filesize
64KB

Download
memory/4240-2943-0x0000000075090000-0x00000000750DC000-memory.dmp

Filesize
304KB

Download
memory/4240-2942-0x0000000006E20000-0x0000000006E52000-memory.dmp

Filesize
200KB

Download
memory/4240-2936-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/4240-2926-0x0000000004DA0000-0x0000000004E06000-memory.dmp

Filesize
408KB

Download
memory/4240-2921-0x0000000000E20000-0x0000000000E56000-memory.dmp

Filesize
216KB

Download
memory/4240-2922-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4240-2923-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4240-2924-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/4240-2925-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/4872-2760-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/4872-2770-0x00000000071D0000-0x0000000007392000-memory.dmp

Filesize
1.8MB

Download
memory/4872-2755-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4872-2759-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4872-2771-0x00000000078D0000-0x0000000007DFC000-memory.dmp

Filesize
5.2MB

Download
memory/4872-2757-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4872-2773-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4872-2761-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4872-2758-0x0000000005F80000-0x0000000006598000-memory.dmp

Filesize
6.1MB

Download
memory/4912-2769-0x00000000069E0000-0x0000000006A30000-memory.dmp

Filesize
320KB

Download
memory/4912-2767-0x0000000006840000-0x00000000068B6000-memory.dmp

Filesize
472KB

Download
memory/4912-2765-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/4912-2762-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4912-2766-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/4912-2768-0x00000000067D0000-0x00000000067EE000-memory.dmp

Filesize
120KB

Download
memory/5076-2909-0x0000000000F80000-0x0000000000F8C000-memory.dmp

Filesize
48KB

Download
memory/5076-2910-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/5076-2968-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download