b39d9cffc75b87df3c9a667d447424677ddfed52292f3fee0d06b186d000be02

Analysis

max time kernel
92s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixkit-applause-ambience-loop-513.wav
Size

2.2MB
MD5

4fff259029dcfaff61d29fa97f27b81c
SHA1

831340583aabef6f0b39a7c8f3bb33135dc3a809
SHA256

b39d9cffc75b87df3c9a667d447424677ddfed52292f3fee0d06b186d000be02
SHA512

1756a4ea190cd12b0215a60cca53e7ca9086652f2c2ed6bf70b555ce3ddd7d3c8791bd3c9645674d90d31f285f097c79320c763f67d372d8b1b57e34da1c0c33
SSDEEP

49152:FNceRIIesmNxGEiFMJHyI5CkJ+7bZRjJNzatlXxJngjn/b4q0wxKmWPUX:FNceRIvsmJS0fJobHjJNz+lBJngjn/bt

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
136	raw.githubusercontent.com
137	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	salinewin.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637207064743202"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
6800	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	firefox.exe
Token: SeDebugPrivilege	3624	firefox.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	5988	unregmp2.exe
Token: SeCreatePagefilePrivilege	5988	unregmp2.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe
Token: SeShutdownPrivilege	3828	chrome.exe
Token: SeCreatePagefilePrivilege	3828	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3624	firefox.exe
3624	firefox.exe
3624	firefox.exe
3624	firefox.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
3624	firefox.exe
3624	firefox.exe
3624	firefox.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe
3828	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3624	firefox.exe
6684	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 756 wrote to memory of 3624	756	firefox.exe	95
PID 3624 wrote to memory of 1124	3624	firefox.exe	96
PID 3624 wrote to memory of 1124	3624	firefox.exe	96
PID 3828 wrote to memory of 1936	3828	chrome.exe	97
PID 3828 wrote to memory of 1936	3828	chrome.exe	97
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 3496	3624	firefox.exe	98
PID 3624 wrote to memory of 2028	3624	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\mixkit-applause-ambience-loop-513.wav"
1⤵
PID:3808
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\mixkit-applause-ambience-loop-513.wav"
  2⤵
  PID:5504
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  PID:5580
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:5988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:756
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.0.265327755\1056851010" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1816 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15d091ce-c1d8-482b-9116-5918beef207c} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 1976 1759f0c3a58 gpu
    3⤵
    PID:1124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.1.1341292240\1910534539" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ce09f7-257d-4f24-946a-ba91bf3971b9} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 2376 1758b372258 socket
    3⤵
    PID:3496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.2.1210573079\1119688776" -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07517f19-97a0-4643-81f2-b4aad61fefd5} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 3396 175a30dde58 tab
    3⤵
    PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.3.663696188\1509392045" -childID 2 -isForBrowser -prefsHandle 1220 -prefMapHandle 2512 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe14762-1ffa-4272-9b1d-614d9a6e9a20} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 1000 1758b367b58 tab
    3⤵
    PID:2872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.4.1904874436\1455785502" -childID 3 -isForBrowser -prefsHandle 3012 -prefMapHandle 2960 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed5c823a-95dc-4f36-a9eb-07ef9227b6f2} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 3596 175a1b50b58 tab
    3⤵
    PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.5.1082089839\1230811962" -childID 4 -isForBrowser -prefsHandle 5012 -prefMapHandle 5004 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f2c02d5-162c-4d1e-b70c-3772ea64905b} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 5016 1758b364458 tab
    3⤵
    PID:5516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.6.792658310\1971217295" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4728 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a87af1c-432a-4731-8dc4-679918f43e7e} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 5040 175a58b8858 tab
    3⤵
    PID:5524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3624.7.1661298408\2078956764" -childID 6 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1396 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbabc45b-60d6-4148-b502-e3c0f2a4cbff} 3624 "\\.\pipe\gecko-crash-server-pipe.3624" 5280 175a58b8e58 tab
    3⤵
    PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc8d069758,0x7ffc8d069768,0x7ffc8d069778
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3236 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3268 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:5884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:5892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4824 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5060 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:8
  2⤵
  PID:7044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 --field-trial-handle=1852,i,4536764786254506694,7349791405625465153,131072 /prefetch:2
  2⤵
  PID:6152

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:6928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6308

C:\Users\Admin\Downloads\salinewin\salinewin.exe
"C:\Users\Admin\Downloads\salinewin\salinewin.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:6684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
  2⤵
  PID:6776
- - C:\Windows\SysWOW64\reg.exe
    REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    - Modifies registry key
    PID:6800

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x494
1⤵
PID:5404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
09e7e2597ad0115bcd9c560361d77a08

SHA1
14e8d5ffd6600d7bbb5ccce9d1f58f21ac3e4540

SHA256
45de4822a69b6af090a1f9d48732d805acedad49f2dab3465a6ecc5a3ed0a995

SHA512
b91d0eb7e7c3ad791c315e6bccadd339a12c00ea7b4c5545dfcf033d5cd74204d2dd56fc2a90b81efd6817a843c7310e702d8daa3e3375d70b4f3ee51d9e5344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d6b0733d2838f8a3ae72ad9b0fca9fc5

SHA1
0d62a1877b5e4028e67833ea997686faea9becef

SHA256
d2cc65e3f0f60b977996be709df075fe4a80260253b4066ea151909300ca538a

SHA512
1479bd671d2654465ba5ca50df4fcea16ccc4bad8f3f5a4a6c790f319dd9008ed0570312947e51d4dc510d181aae6cb67737c3f6dd5ba18e3fb85fd0180b17dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e047bb9939e3865f8730706ab534930b

SHA1
81510604c70898f4d87e0baf0f3253c3986f2fba

SHA256
638c879cee33056a0843d98eb18df1078d606c737ce2576ec647fe3708b73daf

SHA512
aa3f417dec97f25240afe4a3bb397c3b4d2e3486e9001c60eea2d0716e1649f7339ba40b2fa126b6b93d93f6e7f13b8fa535f2c6649a02adad573ab32dfb2ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c9df6603a91331e903c529e4701fc92

SHA1
138426c91847dfa10e9d65456cf9d4d8de692043

SHA256
79f9e5de727756d660e1dce0697cbcd8a4528198007de8160bdbed2d46020f6e

SHA512
60f8017963b94ab5a63667697927bcb13f6506d93e7da938064c185a94bd5b325bae04917071d9ddd9a97f183c9fb8346d1f2879da81ed3911a5c960cd47d54b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f78ecd014d1c07deb4e40dc6293f1d38

SHA1
4c901182c8e07d03d3207e17c083bf054fd08476

SHA256
1ad8f7c4c6e4e460e6a2e90af3daa7c019aa6bc7475728f5fe5386423487ac98

SHA512
047e4252d0eb024868bb8ff5aaf9167ebdad7f9c6dcd5ff66f4c6d7cbb1b3f83636291c1f2e538ff533614d235602ccc8ae755394099bf2508d7356a0142f5ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
41b41227e53cab3f4302717a82f1e8d3

SHA1
1551302dd0eded6480ce1dfae80f5d830c15d9b1

SHA256
e30b136e8938eaab80c29744b3c4867e5d0deeef2c36a50f004a7dd9c05179ff

SHA512
af988ca39035931dd5a609b7a82a5287ea80c6ef7cf8ef392525ef5f8ad031e034add02f89485b5448fed9a26b8f9669a5cad984d765ccedf4f7e946bbaf67df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eab8c842428e9e6a0b9ff5f640aa1927

SHA1
1466ff2a4085f810f41b2cd4c1e207b1653a5f9b

SHA256
6cad84c5279373b8df05c9ffaeeaa8029ab7335a9de457d6ce8619b4ff80d4ae

SHA512
f944d2f13e059c3f0a30c8b239c1f9bf0c80bb3141b15712da75432ce2803ecb65c569db457979714a0b41929b32c6ff4a7dfaf80d87b2055353a7400b6cb77c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
069d3ae36bbd76c8496213ed59ae29de

SHA1
fe16ce570526055635d4eaab2b23770000a994b9

SHA256
d1e0a13ce4e28eef26c3bff1ac664e10775b2bcf39eb07b50144f73e23801c9c

SHA512
dfc74993ec79e0cde4276e25dc0c4823c61f74c665b4b309f056b0f60839d3b4e8aba919732e52e5b9861b60b57c24cae7078b70dcabd47ab65eaaca96087033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2d74b94bcdd6289afb3f8aab3b8eb201

SHA1
7b3d6613d9a19c30418fc43620486a13b1995037

SHA256
635201a6bc1c709611931cf6f88bc0636b3f76d6810888028a29846ffd19d3c0

SHA512
ac82b370fdc9a1796249c6137f61d5e598dfe3282bddcf3a184579e5cbd84929057b2dc3b0ff8cd587fc5e01463c706930c5b936af99d079ef65359683c3699f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6c094c61cb99f20cf69044af0597335a

SHA1
24bedc0db1c858385b6e2f80552047ba70860c4e

SHA256
99474ade21970cb0096e3aea259e8f1447a99a34330911d08f60431ff1677c4b

SHA512
3f6be74b26794d3370a19ff693f8183701e109a880489918c7278fbbccb143a5f0e2ee4ed2d277221c9887af3576eda78680e28eb03a6f893097425630ea4f9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\be08970b-cc9a-4918-9fd4-8fd45033a07e.tmp

Filesize
5KB

MD5
75709eccf155139de914ea2b32ac1ba1

SHA1
59d7145c6c79e0e4c8071f0a7885faf4beabc6cd

SHA256
782646d9e30e4f6423451117122927f9814e8c11e189cebfd0919bf1583be0bb

SHA512
645e1b41309e37da2771f752c7a45eeb0d7c3dd5fbfc51d746bc917ba32cc369353a949c57b4813b30d02572445c8376f1e77d46148133a858f4eb31f224b2ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
2dcc0a111b0a73c171fbbceb8f3542ed

SHA1
02896d33897b211fb361f1da17218fc30ad3037f

SHA256
d4b610ef52c618a4cacccaa6a850f0dd3bdc743e92db4a6ee740e01efc82c9bc

SHA512
37553a1b30abce9ab33acfcd0f8932234e2c3b2aec3b5e2be24e38e46de460e025203292784f4b0480a50407451b77cf35175611c865faa6d4f7df76cb252947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
14450c0af636b7eda41fe96c9e67ad37

SHA1
455de67ac965a64d31a5ec6f78a633d3f93dc7f7

SHA256
b78e603e054c9dcdeb15b2be07e9f2444413481c3f0f23749ec9c2c551283fc1

SHA512
b5744436169c45bb35a4f71824371756a4c7d464d9fefc5b82731920f09d63bc4265fa9c32568323f1dfce2c26f4c46a3a33ff77406d63c7cedba16b7346b40c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58fc3d.TMP

Filesize
102KB

MD5
ff38601b363f335ae113bd402bd1555e

SHA1
ab1be20e629f662186ef4f31bd604d3fee2ae06b

SHA256
34c4c112fb55a4e7958715da92cf578f4f6b50ed118da1ac1a1964c37731e015

SHA512
3959bebc9df14dbce119fef5913b65d50b36942399f01bf5dfb176094d6f02b487025c10e0db1636483f8618a772661e1c2c6679bb9b7d785f6ecfc287373d8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
9c481a94abc7eee23cd5234262e60077

SHA1
2873225e708fb5461ac60c3613fe12112423f0f0

SHA256
681c9665d741ca6ed709cdd79d070ff7f4fdf158e02342f7d47e90a6d962b061

SHA512
0579499b5f01649f7e5e3afad07b4c7924d30fbc56dd12b37d9ad46bdefe35fcb6371694c1eff6c42d56c21b1de4c4f40531b27cd32eca1bdf51c6cac41fe668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
fa0030c2d54ac843f606a246dd245a34

SHA1
d3dbaaa7eb5eae5db2052ae0dead28a17a940474

SHA256
82cf747183a5c81d8ffce9bf348ee04c87204eb79e1c176204addd28103436c3

SHA512
264e915337465b8ea9e2270ec3ac12490cc31332174b546688e791cc8d6e2f0cc1857b25cc39db46694e1aeed3845b376b4495b38b5bd60fc60693bd25893fce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b8b707faccc78c7d245b70846198455c

SHA1
52873d8915382b4631cef2d7d70a94dd59491e73

SHA256
fdcdc9ac72a9490d5a513f8928206b9919852377b55f25af32a17bda8b5220e8

SHA512
71da4717432365a606690568ecc7c123b3324922dd8a3630ec42beec236392733c16985a2dab7797922247a1264bdba0c7cce17d65750645d585aa4cca37d8e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\147d3fa6-cf83-4447-ae6d-4634f9481c41

Filesize
10KB

MD5
478e07a9fd8778b6bc0bc268285b5201

SHA1
de7e3f9f8082f30991dd4c7f32fd3602b8e6e5fa

SHA256
6ab85bb7126b93a1442ca72210401490f78573b11f628705b9efe60df3999e93

SHA512
39e1490ac44083124e16b87b0bed0c8fa07bc2c9be7c35bf2ac24a1095048dc24079c03dd4aaf43e95af81333a59c257dd3f23f181043667be6ff8ab1e05caa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\e69f19aa-665d-45f9-96fb-4091b4ec9b41

Filesize
746B

MD5
e9d54439dcc7cd3ac27b8268cf2a60f5

SHA1
ca8e03bd2c4050f38bb034aa7cc83b983c21bb2e

SHA256
7abb073318673b5dc93139c09494ad7af9c53f3d46be69454c8f09d6881e21de

SHA512
38bca03e3b99ad202a05d1401572c7b6f3d8f33e4da1cfeb4f5ea724d7ac5cd7f3aae34808099edd16372060440078d32992eeeb8419f18a0e4e40afaf95ee80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
a1e3f0b7b90650de0d1eda220e9fd9d3

SHA1
830682ecd468d2d513616883fbd3fc70cd48b572

SHA256
0b25a6196e06a233e797cd1739ebe6156495227d78dcfa7fe7693abbf91ba7ac

SHA512
81f6d6cf8cfb4f1bc9ef55bb4df1e0ea4eca5f26543c0af7a8a9e81cc29bf57075b30338b1d6105489250003973b3af8ed31c1ad7109ad1222b01c1947c37e39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8f17b80767f07d6b6223e592996c433b

SHA1
f7bc3df7b4c690cdc429642a0d9aba2f07bdcc11

SHA256
72e1d605fe436a6ae0728ece84ec6669eaa4880195cce34102de91c4f71c2dc7

SHA512
cf32985e525e997fa6b5eaf1aba6d1baca6df544ac04b61359b439e4f53c3ac43ec23092efb4c3532ccc46f08cb6cda0f4f39784f0c627dc640ed4b65ce303f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
2fad400511af6875cca98acaf9a8ce2c

SHA1
d1cf0bc0beba5ecde393eb31228703d7dcfbfa29

SHA256
fd5a6cdb6adfc3faeb59400d7c9b06dde27f831cefd03328f3342ec8e511a03a

SHA512
e3c05e1f8ca687efb6e9dddff7804518a0662876a48b0541c96926fb8af37272c324a9d893603134e7e413384cb2f6ee8346f78f5e192f1d8f0ad0189d1e963e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b01efd0877d8bb4a5d754d6d5a5922cf

SHA1
6dfaecd4219afbb206185171c64c777e9c73ae21

SHA256
ef1ebedd446ce18b79317f09953ff8a6069f92749188b45945567c315388aa90

SHA512
6f5fce89b6dc7e6979fdb01493c0811bcd55cb945d7665cd9a23e93419a5aa28207b3f614461103f04b0406741e8020c35252fda5529e41e3e918e42fd89c086

Download Submit
C:\Users\Admin\Downloads\salinewin.zip

Filesize
203KB

MD5
19a966f0b86c67659b15364e89f3748b

SHA1
94075399f5f8c6f73258024bf442c0bf8600d52b

SHA256
b3020dd6c9ffceaba72c465c8d596cf04e2d7388b4fd58f10d78be6b91a7e99d

SHA512
60a926114d21e43c867187c6890dd1b4809c855a8011fcc921e6c20b6d1fb274c2e417747f1eef0d64919bc4f3a9b6a7725c87240c20b70e87a5ff6eba563427

Download Submit