bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa

Resubmissions

07-04-2024 04:02

240407-el8z7sdb34 8

07-04-2024 03:42

240407-d9lzxaca9z 8

Analysis

max time kernel
1200s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42.zip
Size

41KB
MD5

1df9a18b18332f153918030b7b516615
SHA1

6c42c62696616b72bbfc88a4be4ead57aa7bc503
SHA256

bbd05de19aa2af1455c0494639215898a15286d9b05073b6c4817fe24b2c36fa
SHA512

6382ca9c307d66ab7566acf78b1afd44b18b24d766253e1dc1cb3a3c0be96ecf1f2042d6bd3332d49078ffee571cf98869c1284c1d3e5c1c7dc3e4c64f71af80
SSDEEP

768:hzyVr8GSKL6O3QOXk/0u3wqOghrFCezL1VFJdbq2QTJTw02Q:hGx8DKXE//ZhhCirFi2cwK

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 4 IoCs

pid	Process
452	AnyDesk.exe
1308	AnyDesk.exe
2468	AnyDesk.exe
4940	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	AnyDesk.exe
1308	AnyDesk.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	SystemSettingsAdminFlows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\zbxl.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2468	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1308	AnyDesk.exe
1308	AnyDesk.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4840	7zFM.exe
5684	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	firefox.exe
Token: SeDebugPrivilege	5036	firefox.exe
Token: SeDebugPrivilege	452	AnyDesk.exe
Token: SeDebugPrivilege	452	AnyDesk.exe
Token: SeDebugPrivilege	1308	AnyDesk.exe
Token: 33	3028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3028	AUDIODG.EXE
Token: SeDebugPrivilege	5036	firefox.exe
Token: SeRestorePrivilege	4840	7zFM.exe
Token: 35	4840	7zFM.exe
Token: SeDebugPrivilege	5684	taskmgr.exe
Token: SeSystemProfilePrivilege	5684	taskmgr.exe
Token: SeCreateGlobalPrivilege	5684	taskmgr.exe
Token: SeSecurityPrivilege	4840	7zFM.exe
Token: 33	5684	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5684	taskmgr.exe
Token: SeBackupPrivilege	5692	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	5692	SystemSettingsAdminFlows.exe
Token: SeSystemEnvironmentPrivilege	5692	SystemSettingsAdminFlows.exe
Token: SeBackupPrivilege	5692	SystemSettingsAdminFlows.exe
Token: SeRestorePrivilege	5692	SystemSettingsAdminFlows.exe
Token: SeSecurityPrivilege	5692	SystemSettingsAdminFlows.exe
Token: SeTakeOwnershipPrivilege	5692	SystemSettingsAdminFlows.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
4840	7zFM.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
4840	7zFM.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
2468	AnyDesk.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe
5684	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
4940	AnyDesk.exe
4940	AnyDesk.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5036	firefox.exe
5692	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 2212 wrote to memory of 5036	2212	firefox.exe	100
PID 5036 wrote to memory of 2516	5036	firefox.exe	101
PID 5036 wrote to memory of 2516	5036	firefox.exe	101
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4372	5036	firefox.exe	102
PID 5036 wrote to memory of 4004	5036	firefox.exe	103
PID 5036 wrote to memory of 4004	5036	firefox.exe	103
PID 5036 wrote to memory of 4004	5036	firefox.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\42.zip
1⤵
PID:3972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.0.725133646\743246013" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96732da6-3a71-48b6-8512-9b1343388135} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 1980 23afe3f8058 gpu
    3⤵
    PID:2516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.1.603167634\977789675" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5024998-ddd3-44cb-84c8-2ad64ddeba18} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 2380 23afe0fa258 socket
    3⤵
    - Checks processor information in registry
    PID:4372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.2.649630570\1393288314" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2940 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f32abb7-b8b7-406d-a3cc-b8570ca31e56} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 3064 23a89f9f458 tab
    3⤵
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.3.247953991\1130464421" -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3544 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f649cf9-a2ac-4106-8eae-6b35b1677274} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 3560 23a898c9258 tab
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.4.1828086814\985536409" -childID 3 -isForBrowser -prefsHandle 4240 -prefMapHandle 4236 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efaab64-0d08-4588-8cac-fba432443320} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 4220 23a8b3d7a58 tab
    3⤵
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.5.97210120\943581238" -childID 4 -isForBrowser -prefsHandle 5116 -prefMapHandle 5028 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14d02bbb-34ee-4df6-8242-ed61bb3264e8} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5124 23a88692358 tab
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.6.395455268\1296153363" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5112 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17c0ebc-1551-48be-a218-dc2e0351a8a8} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5148 23a8d74d158 tab
    3⤵
    PID:1888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.7.1756168542\1469514595" -childID 6 -isForBrowser -prefsHandle 5272 -prefMapHandle 5148 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78849fe5-7b5a-4c57-8b84-b288a89013e3} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5528 23a8d74d758 tab
    3⤵
    PID:2112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.8.845358457\1720533556" -childID 7 -isForBrowser -prefsHandle 5804 -prefMapHandle 5792 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d50688ab-4e91-4273-9125-a11647f729ba} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5812 23a8e4a5f58 tab
    3⤵
    PID:3964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.9.1713112007\1397991880" -parentBuildID 20221007134813 -prefsHandle 5984 -prefMapHandle 6024 -prefsLen 26460 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a9b4b0-3604-43d8-907b-0d23d4c4056e} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5828 23a8f1e7858 rdd
    3⤵
    PID:4408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.10.1542703806\59210432" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6220 -prefMapHandle 6216 -prefsLen 26460 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {843008bc-2645-4bbf-8bc5-b8475e679c1e} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 6192 23a8f19cc58 utility
    3⤵
    PID:1504
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:452
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
    - - C:\Users\Admin\Downloads\AnyDesk.exe
        
        "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4940
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5036.11.332026820\273322360" -childID 8 -isForBrowser -prefsHandle 5100 -prefMapHandle 4992 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1380 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eea91403-e287-42fe-b423-16aa2a974a9f} 5036 "\\.\pipe\gecko-crash-server-pipe.5036" 5368 23a8d74f258 tab
    3⤵
    PID:5504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x338
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3540

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\zbxl.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4840

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5684

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5692

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\doomed\19992

Filesize
17KB

MD5
b22d7a11200bc91b29a03e8c167732a3

SHA1
69f35a9e6df2c2d6edcd8f77d3d4f78392212f8d

SHA256
3b9007025631c240cac2debd14f621412e7b015b91e7f2bfcda7736e0eafc916

SHA512
12f23c5c7287c419223de04814b7cac3040d4986876d056706b3e17818192c659d5e81a5b2a13f4e191b90f178205dc9a2c5cfa79eceaf985f5116fc7bcc2238

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\doomed\9163

Filesize
7KB

MD5
d98ed4b04cf411710a7499d41ea622eb

SHA1
3578ccd1315cf71ae22182a2a0d01b6b9d04ef00

SHA256
a7a84905705a5e82fdbe6ac3bb28b6ea33b288157c0a787309701f7391085504

SHA512
5188f85a040f968011a993a2f8ebae0b28e4d2f22e3f9e2daa58ed234c0a006b1932c6decb3822d130d4615de3f333e44088ef8f3c5cf2e0ae35dbc272d48ea0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qapp529h.default-release\cache2\entries\C4E2BE7DAE371E2DA4773FE7BDA476F3DD46ACA8

Filesize
153KB

MD5
6e22668abfa5620f4d8542e7e9594767

SHA1
2465c3dc67591834c70972fd88de438b742e2836

SHA256
234ce505119c2b326f8e0fbdb19d7f24069026d4eaa91525f9df1d102fc86651

SHA512
1cbe186f31b5b8175ef6009fddf257e814dfabc980fe004971f0153076855a76b92f0a11a2b3213194ba47274b55b50d4aa502985731ee8c28e00cb1b0d2deba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
8.8MB

MD5
3f382224c9e6a94df05dc1bde7199629

SHA1
6a6965201f789955400ccc439fedf87a574b2f84

SHA256
bcb2390e86fd39928d25da6a882985dcf010db3b96b42e554248c00a4ee06f2c

SHA512
fd266fae9f8dfe8edf4cee8001ff386d10818bccfa2aada3a01d4711de49fd8669657a025c9b348dfc8b6498497a2b7ab33789d8c6974d53022c5faa26d9d9aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
9410dabcd7e4fe55640a0eff285f79c9

SHA1
a136e7dbc9f6d4c6deea33b5c45ab2f98ff81cdf

SHA256
b1494fe586a336ab23d54f8d5dd7e43d228fb880249be33e27e9d458a37e499f

SHA512
655920c02cca4562ded2fa7ddd534467f0c12cae085c81f7317ff3b2e2a47173f29aa970e45a37e34c0f7eb89704347fd8ab1e1fe3fda9b7aefbb13bacf1097e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
5f4d6bdd7cf98ce6a75ae464924e8dda

SHA1
643b1ad975dd1edd806e28a506cfa3579089253e

SHA256
22394711ccee8dd5a7f2334c061193badd1671a329b2857ddb207b38a74ff0dd

SHA512
1f1b937f5b9bd3099cea03f5992d1119ffd7f50867cb52691ca52106819da0420123d0718a52fd2717a681adfb4d760b9d30398584abdd5080342e00fe7a9a19

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
dd49d0c3edd1eb900c87157309191e40

SHA1
58bf59290dcc239149e0862af3c84735f44ddbcf

SHA256
062afeda8d030287b8023dbdaa0081b941b9de50af2c91ef46e7e4507cecdb09

SHA512
24476ac1e82a500c9ecb42c2eb34a2ceb6906da0bc9ee90f862a89afd04513d4a9f6daab14a9e2e335bbee4e8dcf487204c79c45cb2d30d3d757d3644647329a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
649ca85bbcb114e5bc1b5900d8b6d40e

SHA1
da370d5d4b2e36757103f92b69e0857482293905

SHA256
c75a5be71ff45083179142b537c7cfa1513b421c168dcb6e38a43d9c572cc6c3

SHA512
b59f3b502ff7360e1e3e83557b5267aebb0858e4583a5956dbe42a593ae3d4f22fa8b79c61d4f20e7ac434bdc8076d2a0950465ae86d8dd1c58b665d7a24397c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
79a88816690d4fb91bc4dcc4a7fd3f1f

SHA1
6b8ff91977d102e7367b8d78b514ab07e163e8db

SHA256
650831e91170c51aef5a4187bca4461d367086928250d7f2b4fae4705375daa2

SHA512
222fbc50c7a3b75c5877804b3d8a8ed679167a39ea7e4c91c16596a0a181024c85cee27c540ba9307eacbf491ad8d55dcd209ea7847e0055ec09ac42befcee0f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
0e6d46f4d42adbc744383dc619a80cd3

SHA1
fd3c1f75e19ec503f5cd48b149baadf6f4b1d68f

SHA256
deb9145726e3c94853b6bc123427cb2e28b75cd17ba9a6d26dc69f4d0129e320

SHA512
128ccbf63d45442cf8ed63a9cc3d51b6360ce9f25c7bffba7f8dcbd721fc08ea28a2bd367173990a49103ee36c9904e95746d5c34d665b57c78e9bb51dd9fe29

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4dcb082af1e40cdfcf5aad9b8e764fe3

SHA1
157692fe2d721cd6638bd209969fab5e6415b142

SHA256
dd00daa7e9c8958d3cca6c4cf0b16de075bd220f7ab3696cef71611bb6539c77

SHA512
5947392b25b40292486c44d968ca1ad216ef8a450c4c2e582442a4a0a67c3f495c86d003d44502ea4be84460461a2617b200e84cc4c48451ca989a0e8f9e7bc9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
92c3d4c0c9fbf9b6d392c78008a1c10d

SHA1
be1e16957eeb8e62281a916ec079eb3ac6e9ee50

SHA256
e59748481c1f53d80472f43f401268b64819f60297a2d919ea6f51b4842c14f4

SHA512
6c109b1a0875639551a767c6942794b764342796da2dffd3aeecd8ec7967c336641b1300aebcd4191932d9346e24560dcc666eb18aac4d0d74552d571e4d79b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bb5701121cdd75539558fa15e55da860

SHA1
fd71cf3b81ac91c89fa51d7a37f264a0fe25e0fd

SHA256
62ba16cff6d858c6df89ddc0357cb9182c700d38e5c543bbd07331bb51a2789a

SHA512
d5d4cce315201f532b88fe6121ca94f06926ba36b9990829bfc675e6c34a61e851895e94304451d3075e8c97cdbe54061ff7c38d8b2350f19fffbf33de11a909

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
164e0d4f43ec83ae69370502340ab28b

SHA1
bb3c9d8023286391490066409e4cc079bc784213

SHA256
8a0ce31734632e0cfcc183a3d52e3c9d8162d6c4c099d42871d783585b0fb422

SHA512
228f2d21b2c728cd332514f21ec61166bf9b7bded9520a950c9873221d7b8ec4ffe6dedcf7a857aa745037e806503a80a5410edc868c18b5c66f278c0000246f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
029225db430167a794c2a46d0f3eb5db

SHA1
800eeb26996d05fa3346657ec536407c0a39b98c

SHA256
52c0f04de5b10d64f319d14d3533d887902a61da00dbc3328f45e1d3af38c631

SHA512
259b179c43d6fd7dd7b19e33e6964d4548aaa3add32662156aba971cc44ac5abe0b8a9a09eff5e52a120d2490af482183368a85310bae270b1a34755531e2261

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c3fa4c191e6c6aed30cc6269c5101c6c

SHA1
0b2f2ec16de6fed29d3a05b01c587c6aa9dfeff7

SHA256
32f182193db7a2100a9050a9be79dff62ce11d0faf800d29199fa7fd6e357b41

SHA512
fd72647c9e743d32fc330891ae7daf3e30da33540fb409e6ec3f7052252eacaf95d1509d3c4e22b96829f79b15c69260b2ecb920324974a90676dfae539e40aa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8fa7a104eb14ca8c98a11a17f4124e03

SHA1
348d1bdb962137e94ace327ecd4321945adf9ac3

SHA256
d8b6b24ff440c1f5e41af88a4842cd070a35822923138e9110ad5e078fdde7df

SHA512
bd859b4ba9f93937311269e6d3caa25e14660d8edbefbd3f1d19cab526dbeeddf41f5a3450c9ea3aba916d415db36cb8155289ce9714204d468134c8b8a42f85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e487448dcbce39d227d5d08670ef09da

SHA1
7bf042c4c44b742c98498493614236538cf310ba

SHA256
07eb67258b050bed3286ec898c64b3e4d6d5e10c06728cc2a92a2ec3be3dca46

SHA512
888b0dc3d6d7a6d6e2ef02e74581b22863a956ea76aa20c81325bf1c6c6858496cc4129d87343ac985ea4af9e7bc1c9c28ebd61105d5c49664a9a7f9ed35afed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
dcad267c48ac0918ef4eba1b3d06acb0

SHA1
4702dbcd92552a70c69b7897e12b41636faf6350

SHA256
47013699f5a60ea70659c70d41ee182bac7e90ca4db4f818cfee6daf8afacddc

SHA512
06da2b64e1612232d7d4c0cff1e741250dd882dda2a803daccdbe66bffccfb233f00e18b1a5fa36cc91bc19e1d07fc7026ae3362360be3bcb751aa910b29808d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e6e70b82098e39f9595e3bebbd3f8d14

SHA1
d7a00a355f480be33f7d6eabcdf27524b862d5a3

SHA256
98a3f24dcc93afd6c2821193e7982668ed78895c75b927b2b99172d601f0883a

SHA512
465a7623ef9e141faf1abc90630e1e0f0eee9d0652ac4caeacf21e7844c20d42f9c69569235b5a8bc01faaa9a38d23ccc8c1f48a0f52b529531147af6ae528a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\703b8db0-7cdc-44f1-bfeb-33543d8a6ccc

Filesize
11KB

MD5
12fe5b76243b4574dfd122652c47dcfb

SHA1
3677e13589004621d17a1a76338e8ca9c0db0a13

SHA256
9fe80d2e9acfbbb4bb636bfce96bd19ae1c85761fe0da0500de17c362ce8a6b5

SHA512
9f40c2f288ee552bebf26605e9403a60a16bee6c1370d7a144adbecd8223a2354a2626781fc525e0760e43940a221cee56e0c26407314df628a44950262403a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\datareporting\glean\pending_pings\eb2e8e1e-af1c-4a78-9d64-de2b5b828598

Filesize
746B

MD5
140c7b1da21c9e8d37f991dc13a8ad94

SHA1
47c590605e7df0bfd8c8b9b3c17f9776131ae159

SHA256
03d9de9d1db3496d18e9d1ac40199cc7d514960acfeb2bf272619f270dd1cde0

SHA512
4cfb22192a8dffceb99503ce8b01d1da97c11818ab043ddfc5e9b12fea7075b7bc27dcf77693baea27f4054ff88521b562678bbe0b7005f4580ec322a3577cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
4fd386bbff13b41346b0913d57e05d55

SHA1
541381b7cd9518a99aea22f2490919ffc5fcf405

SHA256
bb023f2f796089c3ec5fa98946283c82469bb57742a9410cfd4264e6ab654f18

SHA512
e0c0b627100f28c4800269c5b6c2afce6071c118bc33f9490eed7280dd5a163b794ca2b4d4536e3cbdac7858a8089496cc228138c1f506d248ca4d65cb5c462b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs-1.js

Filesize
6KB

MD5
293b941b2e31ec7b8dcbbe383f6aea6d

SHA1
bb0b08d823fa53e7a2e159e29d587b64d88a73f9

SHA256
bdee3fdf66a092e7c48d791fc57d683a00f007514fbdc83aa0608880632b9076

SHA512
d07d0db6015816957b8fca87ec2af5384f258ec592aec263b404aa7ba207f4c30ff261f67520120c047144e08cb9b67045247021ddb3baa64462280ecaab4832

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
136a3af1026f78d37074046723c9b775

SHA1
4533ef9bb48111d481e7a675a25949d380b7f3e0

SHA256
1d83d55e4ab0dfb237c134f29b2a950a4a25ec4cf80b7a809c980fa38df5c9bf

SHA512
071aa9c7b9b9edd4c4508e3c24d29059cfc238c071c35b93f8b3324dbc060a6022f695e9084938029a5f62573756a5542cf05a32cfe4b3d06de3495ac5547428

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
471a077865192745f2692c8c4683cfee

SHA1
8122a13bc1366f967de027f3daea3a835b3c1348

SHA256
ba763677b434adb70a73a161e98d37c8352235e5db2b559a983a6b575b12f14d

SHA512
aab72762d8f7266be9fee215eb54af8f8018eaa89acd887d8897ab1e5b0d8ba01f770631389f08ff9700b30f3d1665ddca922e15f190bf8ae1031251f785d519

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\prefs.js

Filesize
6KB

MD5
47b5fd95e1dbbc15381eb5dd8c4b79b0

SHA1
67d7d1c584b4ec6c00923531cf943900b58df432

SHA256
5d96f47bb98c44158c3b5d9f4a7b28368227411e96762cb12503cda83ec3dd9c

SHA512
2fcf70f818bfb812010f1478dd98a783cc3a35770159a7f38cccdd2d4fcb26780bdb0af97a9600c01fe7754a459dc136b7091fe26810c635aa26a64c15435dab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
7bd91f21b4b7877b0fedf0bb80a712b4

SHA1
baf86f526742da8eb45afa29816e61a88818b3c3

SHA256
ebb5425ef14c9328b893cb3a0d06cdf5d490dd84f690f29a7f1f8149c73ef5d3

SHA512
d4eb5c848bffc192667c43a6d22b4941800fe1c131316cd0b7f08ee43b93a1eb160c3903f867ee595dd738a2271cc60e65a7cef2244dafb64db702709bd0d8de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
be10ad13493c3e3646b1ee810a411dda

SHA1
4ab1f1d4f5c7b521e4e7bdfcea2540d396b751d5

SHA256
c93d04d39f286199b988e0d438af43603538f0aed83f508e2d6b9eda87a79aec

SHA512
7e3f08efa3b0fa481e67ed56d8b1adbfb185a433d5379f97d4b71a941f9c8a327d7fa0945c0c4b95c7801f175b3ed201f91a59cce913e3060c9a1d158ec1c588

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
39b1aba6762b38e740b0ccc1547e0834

SHA1
8a2787ebcfe79765d27c7267305def305b76b1e4

SHA256
4963c7bf1fd149b5f39e2ed37c59a5595bda5dea26bb816c898d43ac10202de9

SHA512
7ac60982158d0f9b30c76037e19afc776e8b6dfd064241bdb2f1515f0bba080aaccf4e6cd56ae4a5a4a450160c8212db11482b465129690cee5772663683764a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
ec8689e89b2465a355dfe02e57329f84

SHA1
cd887970265d183d3f2b9a4208635a8796024f11

SHA256
e57b09e533ed4fb74cb66529f35d6f356639fe1d8a09db5f9bc20d3c3c2bbe33

SHA512
c86bea8a38e9c30952c4c488989cb39bd24ec58ba7e49cd7295b4e6f191524672b1412715af92c9fe959792c1b292db9d1df359f122f104d1999d21ab14504b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
bbd02df971b95a213a9f9b8176fc854b

SHA1
c2bbb3bd79e1a1aea25fd8274a47eb2d5ccbfa7b

SHA256
417142f1d85ffc4be6beeec97408d9862a76afd4f000c39f4eacd981e35b1fbd

SHA512
c6cce2437f2e31c6b9ccd89aa63011b394f1e3ab807b41f495a07eaee091670ced2690b2441b3e8ce2b962487049a581c6a5685020fe120139e3f4597129c483

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qapp529h.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
5e96fddc74c8586f182161a217276b4a

SHA1
31c310545f018ad29912c5f7483d2b3d7bd39fed

SHA256
b3b3d93377337a13917184d0a795f92adbd961aea3c4c39e0c2c6471b385023d

SHA512
5d094ac6498e8fdca948f9bc5a414614b33ed9538c9078135a8a2cee266ff4a8b4b477edc4ec9a3095bb6c5e19267df2c3f609737400651fe4e896865eda7a03

Download Submit
C:\Users\Admin\Downloads\AnyDesk.mbI6vb5G.exe.part

Filesize
5.1MB

MD5
863fa58aa1fe8a88626625b191d4722e

SHA1
e7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02

SHA256
45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220

SHA512
ffd3bf831e8f0dc605706075a9763c68552f6560aa8660d7993e5156f64032fbc4ff6134fd333822e3090fb863cecff9e463316a8d9c3150152b73f8377aa2bd

Download Submit
C:\Users\Admin\Downloads\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\Downloads\zbxl.laskEZde.zip.part

Filesize
647KB

MD5
efd56b5f1ed03bc1a85508d876ea0cb9

SHA1
47dc03cb0c1ea4552f6ed90a0d6a1ef17d513d42

SHA256
dcd1ffe8567227f900b8d2b8a585dec48e59db8d56bee541d07b7da13a299db1

SHA512
aef49e8f03ede47cdc9fb1ddf8a26b42ac0a4899c3abb7163f0add7a1f306a2d04820a35c3cc0bae73583a29a11dc09b6a7af77d0c149b9efb704feac39e57b0

Download Submit
C:\Users\Admin\Downloads\zbxl.zip

Filesize
43.8MB

MD5
da596c5fa1bfe53dc6ef777e810c2e7d

SHA1
dc756fddd264eaadcc0c8e8576d11259bbe1c150

SHA256
eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744

SHA512
bb7a10c4d9decee9687dfba5987939d1f55c3966bd80d06103d4bde6f61df3957d89392ac185b96ac668bc794193319dad33e34dde199df91eb2981e7e5f9fc3

Download Submit
memory/452-708-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/452-550-0x0000000008880000-0x0000000008881000-memory.dmp

Filesize
4KB

Download
memory/452-703-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/452-547-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/452-453-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/452-451-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/452-686-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/452-455-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/452-473-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/452-487-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/452-553-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/1308-465-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/1308-825-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/1308-754-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/1308-709-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/1308-493-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1308-785-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/1308-977-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/1308-717-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/2468-826-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/2468-786-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/2468-492-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2468-710-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/2468-472-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/2468-889-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/4940-723-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/4940-724-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/4940-742-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/4940-743-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/4940-738-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4940-735-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/4940-732-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/4940-728-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/4940-740-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/4940-752-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/4940-739-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/4940-736-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/4940-759-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4940-762-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/4940-737-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/4940-733-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/4940-734-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4940-787-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/4940-731-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/4940-730-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/4940-729-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/4940-741-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/4940-840-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/4940-726-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/4940-727-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4940-725-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/4940-722-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4940-721-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4940-720-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4940-719-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/4940-712-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/4940-992-0x0000000000850000-0x0000000001F95000-memory.dmp

Filesize
23.3MB

Download
memory/5684-980-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-981-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-985-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-986-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-987-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-990-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-989-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-991-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-988-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download
memory/5684-979-0x000002383CBC0000-0x000002383CBC1000-memory.dmp

Filesize
4KB

Download