33f193dbd25b5b0769d650ce926cd3b3ae0e7ce4802c0604a400bcc437a7a482

Analysis

max time kernel
508s
max time network
485s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30/12/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TFTUnlock-2024-v4.6.3.3.exe
Size

275.1MB
MD5

59d403d2d36cae162b7c81551aa2d1d4
SHA1

f5484188c614f178a034b510e7e28a93728c3752
SHA256

359282f3228aee35ffa9df86a6d8eec0b9bc7492ac14bdb2160c7e993788b87a
SHA512

d3ca3a4843b81e8d07c87037321aadd956477a7b00e0672bada0b0dec9352f2f883fef9f629923ef893800fefac1c864019887939568c38a0896bee8ee00c84c
SSDEEP

6291456:qy3Xe/Znta8YWK9OGBv5TDwo9bxzg36D903v7DH:7XwZtmWKoGvN5g8o3H

Score

7^/10

paypal discovery phishing upx

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
4296	TFTUnlock-2024-v4.6.3.3.tmp
2972	TFTUnlock.exe
4372	vpn.exe
2376	TFTUnlock.exe
1732	TFTUnlock.exe
4780	vpn.exe
4020	TFTUnlock.exe
1380	vpn.exe
3064	vpn.exe
3304	TFTUnlock.exe
3328	vpn.exe

Loads dropped DLL 48 IoCs

pid	Process
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
1732	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
4020	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe
3304	TFTUnlock.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
31	raw.githubusercontent.com
49	raw.githubusercontent.com

Detected potential entity reuse from brand PAYPAL.
phishing paypal

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d00000002b9bb-7317.dat	upx
behavioral1/memory/4372-7319-0x0000000000E30000-0x000000000247C000-memory.dmp	upx
behavioral1/memory/4372-7321-0x0000000000E30000-0x000000000247C000-memory.dmp	upx
behavioral1/memory/4780-7341-0x0000000000E30000-0x000000000247C000-memory.dmp	upx
behavioral1/memory/4780-7343-0x0000000000E30000-0x000000000247C000-memory.dmp	upx
behavioral1/memory/1380-7356-0x0000000000E30000-0x000000000247C000-memory.dmp	upx
behavioral1/memory/3064-7357-0x0000000000E30000-0x000000000247C000-memory.dmp	upx
behavioral1/memory/3064-7360-0x0000000000E30000-0x000000000247C000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4076	4372	WerFault.exe	104
1036	4780	WerFault.exe	110
2556	1380	WerFault.exe	114
3340	3064	WerFault.exe	117
820	3328	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock-2024-v4.6.3.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TFTUnlock-2024-v4.6.3.3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpn.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133799962329070524"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command\ = "\"C:\\TFTUnlock\\Data\\Tool\\vpn.exe\" -- \"%1\""	vpn.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TFTUnlockFile.myp\DefaultIcon	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp\shell	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command\ = "\"C:\\TFTUnlock\\Data\\Tool\\vpn.exe\" -- \"%1\""	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command\ = "\"C:\\TFTUnlock\\Data\\Tool\\vpn.exe\" -- \"%1\""	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\ = "URL:psiphon"	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command	vpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\TFTUnlockFile.myp	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp\shell\open	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\TFTUnlock.exe\SupportedTypes	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\URL Protocol	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\ = "URL:psiphon"	vpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\TFTUnlock.exe\SupportedTypes	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command\ = "\"C:\\TFTUnlock\\Data\\Tool\\vpn.exe\" -- \"%1\""	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\URL Protocol	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command	vpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	TFTUnlock-2024-v4.6.3.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp\ = "TFTUnlock File"	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\URL Protocol	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\ = "URL:psiphon"	vpn.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\TFTUnlockFile.myp	TFTUnlock-2024-v4.6.3.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp\shell\open\command\ = "\"C:\\TFTUnlock\\TFTUnlock.exe\" \"%1\""	TFTUnlock-2024-v4.6.3.3.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\TFTUnlock.exe\SupportedTypes\.myp	TFTUnlock-2024-v4.6.3.3.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\URL Protocol	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command\ = "\"C:\\TFTUnlock\\Data\\Tool\\vpn.exe\" -- \"%1\""	vpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp\DefaultIcon\ = "C:\\TFTUnlock\\TFTUnlock.exe,0"	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\TFTUnlock.exe	TFTUnlock-2024-v4.6.3.3.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\ = "URL:psiphon"	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\URL Protocol	vpn.exe
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\shell\open\command	vpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon\ = "URL:psiphon"	vpn.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TFTUnlockFile.myp\shell\open\command	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TFTUnlockFile.myp\shell\open\command	TFTUnlock-2024-v4.6.3.3.tmp
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\psiphon	vpn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
4296	TFTUnlock-2024-v4.6.3.3.tmp
4296	TFTUnlock-2024-v4.6.3.3.tmp
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe
2972	TFTUnlock.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1732	TFTUnlock.exe
4020	TFTUnlock.exe
3304	TFTUnlock.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
3308	msedge.exe
3308	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
4296	TFTUnlock-2024-v4.6.3.3.tmp
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe
3308	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4548	MiniSearchHost.exe
4372	vpn.exe
4372	vpn.exe
4372	vpn.exe
4780	vpn.exe
4780	vpn.exe
4780	vpn.exe
1380	vpn.exe
1380	vpn.exe
1380	vpn.exe
3064	vpn.exe
3064	vpn.exe
3064	vpn.exe
3328	vpn.exe
3328	vpn.exe
3328	vpn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 4296	5004	TFTUnlock-2024-v4.6.3.3.exe	78
PID 5004 wrote to memory of 4296	5004	TFTUnlock-2024-v4.6.3.3.exe	78
PID 5004 wrote to memory of 4296	5004	TFTUnlock-2024-v4.6.3.3.exe	78
PID 2940 wrote to memory of 3880	2940	chrome.exe	83
PID 2940 wrote to memory of 3880	2940	chrome.exe	83
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 1872	2940	chrome.exe	84
PID 2940 wrote to memory of 3032	2940	chrome.exe	85
PID 2940 wrote to memory of 3032	2940	chrome.exe	85
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86
PID 2940 wrote to memory of 1412	2940	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\TFTUnlock-2024-v4.6.3.3.exe
"C:\Users\Admin\AppData\Local\Temp\TFTUnlock-2024-v4.6.3.3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\is-7E0AS.tmp\TFTUnlock-2024-v4.6.3.3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7E0AS.tmp\TFTUnlock-2024-v4.6.3.3.tmp" /SL5="$40262,287411819,939008,C:\Users\Admin\AppData\Local\Temp\TFTUnlock-2024-v4.6.3.3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4296

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffdb3f7cc40,0x7ffdb3f7cc4c,0x7ffdb3f7cc58
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3708,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4120,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5072,i,14207171711446683319,4447219549663123927,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:2
  2⤵
  PID:1804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3984

C:\TFTUnlock\TFTUnlock.exe
"C:\TFTUnlock\TFTUnlock.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2972
- C:\TFTUnlock\Data\Tool\vpn.exe
  "C:\TFTUnlock\Data\Tool\vpn.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 728
    3⤵
    - Program crash
    PID:4076
- C:\TFTUnlock\TFTUnlock.exe
  "C:\TFTUnlock\TFTUnlock.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1732
- - C:\TFTUnlock\Data\Tool\vpn.exe
    "C:\TFTUnlock\Data\Tool\vpn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 1832
      4⤵
      Program crash
      PID:1036
- - C:\TFTUnlock\TFTUnlock.exe
    "C:\TFTUnlock\TFTUnlock.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4020
  - - C:\TFTUnlock\Data\Tool\vpn.exe
      "C:\TFTUnlock\Data\Tool\vpn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1832
        5⤵
        Program crash
        
        PID:2556
  - - C:\TFTUnlock\Data\Tool\vpn.exe
      "C:\TFTUnlock\Data\Tool\vpn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:3064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1832
        5⤵
        Program crash
        
        PID:3340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/ncp/payment/6V4DVDLQ9LJVQ
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3308
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdb3e33cb8,0x7ffdb3e33cc8,0x7ffdb3e33cd8
        5⤵
        
        PID:2320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,6765197851761809819,14853923604908188896,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
        5⤵
        
        PID:4852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,6765197851761809819,14853923604908188896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
        5⤵
        
        PID:2476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,6765197851761809819,14853923604908188896,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
        5⤵
        
        PID:1644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6765197851761809819,14853923604908188896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:4716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6765197851761809819,14853923604908188896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:2848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,6765197851761809819,14853923604908188896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
        5⤵
        
        PID:3096
  - - C:\TFTUnlock\TFTUnlock.exe
      "C:\TFTUnlock\TFTUnlock.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:3304
    - - C:\TFTUnlock\Data\Tool\vpn.exe
        
        "C:\TFTUnlock\Data\Tool\vpn.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1836
        6⤵
        Program crash
        
        PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4372 -ip 4372
1⤵
PID:2716

C:\TFTUnlock\TFTUnlock.exe
"C:\TFTUnlock\TFTUnlock.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4780 -ip 4780
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1380 -ip 1380
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3064 -ip 3064
1⤵
PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3328 -ip 3328
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TFTUnlock\Brom\mtkclient\Lib\site-packages\Crypto\Util\is-K51U9.tmp

Filesize
10KB

MD5
6f46b60b514a1ed30c2433daabe3f026

SHA1
55a0e2033a709e516ddbcd5616a6e3885b86008f

SHA256
967cea89f14c68d07e473eb1aacf37e92ef9b324344b5adb857251456d82740a

SHA512
8b07396779d0f1edf2dd6d48b4aabf1ed57fcbdbdc0c093dfcbb448eb1b9fa95a375ff24ac5a6913bedfb2465502b7301ec28ad8b3881b0388641d86274259be

Download Submit
C:\TFTUnlock\Brom\mtkclient\Loader\Preloader\is-EAOFM.tmp

Filesize
592B

MD5
17630d7cce9333d2da772222383f0bc1

SHA1
d56bc8751354b88b3b10356f2f1d3c139be1a613

SHA256
f7ab4dbdda43711e3d5196d3ff40470a0a048b2bea3746e25bce82fe878e80c9

SHA512
b9f2af61cb8f10708df07b55a7a7965ebaa2b5b288a5895f74d8c08cbd99c8ac4948e5b1dafeebacfed71621c7dd232d4df95c7779f28d7d76344bbe5afedfaf

Download Submit
C:\TFTUnlock\Brom\mtkclient\Loader\Preloader\is-L9S56.tmp

Filesize
1KB

MD5
dcaf1ab876c9c56941e235c8437b5b16

SHA1
3c340e7897993f787828289548a49d393854d749

SHA256
4e4d3dfa8e3e720149ec144a20f70c8f237ca5da744333fc726cfa50520e63f1

SHA512
4b7e41cf9b91f7bc21efb0a6c8954164d0772c16166baff191b8b193ac13a1c62e85e04b54ed21004b0e2ba83aa931c3464981760b3e3094b105945ae8335dfe

Download Submit
C:\TFTUnlock\Brom\mtkclient\Loader\Preloader\is-RBCUF.tmp

Filesize
2KB

MD5
3080fb142ef1e238c1cfbd0359b09f8a

SHA1
5815b63d8d3b72ff10cda3d7a5fe89cbc49a3724

SHA256
51cae7476a7e3c9b8837ef1f75fb97dab58c7ac04796ea9125c82a47938747b5

SHA512
c7e52247322575c21f0d8c6302f66791a178a7dd75945c61220372710f5e47d40d4343ddd5692adc6a833d0a47088cea7b3f74aad5a7c7b6ec7a8a0b9386d91a

Download Submit
C:\TFTUnlock\Data\Adb\x86\is-EHMKN.tmp

Filesize
166KB

MD5
3935ec3158d0e488da1929b77edd1633

SHA1
bd6d94704b29b6cef3927796bfe22a2d09ee4fe7

SHA256
87cbd1f3bf5ab72089a879df110263784602a574c0ae83f428df57ae2f8115db

SHA512
5173891b1dfad2298910236a786c7b9bbcfce641491a25f933022088c81465fb93fd2385d270e9a0632f674355538da464d1edacf511140d6f31d91d1afe64fc

Download Submit
C:\TFTUnlock\Data\Tool\vpn.exe

Filesize
7.2MB

MD5
b779b07bba4cd6857fd8da61c5e80028

SHA1
d525a9245a6f19bb3bfe04209c89d1abd43108ae

SHA256
c9f66d66f5b5536d86ccc8a549f1383901faa05d6a0f9105eca1bdea7107241f

SHA512
75e8d919d1243d14e6ac4e04b848449441391e73428e6021f63091e6c93750d2f89ec7e949aac3de5c30e614999c41003aa0bd3817d4692ac68cd40c1671b316

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\100\is-KJPLU.tmp

Filesize
1.3MB

MD5
19d84849cfd60db0e579ed8dc14ff462

SHA1
3a2207c0864c741ab7e52eb75c39d78e4b01a5d0

SHA256
3d003f9624e83735b40f74ff35e785a5e9d371099e6bb6628d9c0c599a8fef93

SHA512
9227f67c6e86e90505b56bc22be0b11edf85fb8aa577fc6b6295d460c39401b8c3e11f44d12733a2d73b2ef8fcaa11bbd8069603fa2838c476cad793fae1277a

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\52\is-PTSV2.tmp

Filesize
23KB

MD5
de95b9b1d8c87b5e3d975fd2b7fce605

SHA1
f7a24784cf7d608d062dcb9dc52ab52e87f38969

SHA256
1114975325c916817e4782d285645196480a6805edcab4ea29d6f476ab7cf6bd

SHA512
707d38770c9aed4ed80c469beec651748285c6488ccaae805bceb0f28450938ea1a4593abc7536b4139e5f0ee60ad6ce4aef01a73ba096cc0a6bc8973e0c69eb

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\60\is-HCIHS.tmp

Filesize
1.3MB

MD5
aeb58403af4b454f51739f0eaa4d679f

SHA1
a9ddf9d1b7c87c5d2e8a93b4fd14b893704b93e2

SHA256
a78aaf7f6af8adc8f23a4fc1842d9551ccd0afd6cd9c028b5781de89917afd1e

SHA512
18402bfb3cccf7ec606c26e05323320625330b766dad63ab272d3894516df9ae56dd1f67217707b93abee941f59fc4bfbf2079589ff98ad7c92857efe99805ae

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\64\is-GGKG8.tmp

Filesize
348KB

MD5
2f6591a7e80c7344c66470429c94fc27

SHA1
a68a92bdad2ccca9b2d12981924f1cd8b0a5113a

SHA256
e986855902b9ca54530270a811f3e3c958fa4c9cc9069fe1753dd1ad01280477

SHA512
543b947ff76d3165015c1cb1b95d929b7b6ad62482e11b8ad1a1f1332611d900de6d73de560af35c4fc2f2be36be6c3da25cea3892acab4b7d7102b292ffb8d2

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\65\is-8SEUI.tmp

Filesize
674KB

MD5
1b9cf8bce3b9ef42c859efc842130102

SHA1
04af6c6d76e9513e0ab962bc6214d3e7ce9a699f

SHA256
e2d5952cbc2dd49eb8bbd53f3e9de2737fe8e88eeba36a8227dc044c7fb83af0

SHA512
ea2a5e12493c01b6342fd0e4d7d9ab3fe7d0193685aab6269d65883a70f9855d57cd681be523008172a6441e41ac818dab6ff8c1c2ec868b2add8215efbb78a0

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\71\is-L2JPP.tmp

Filesize
381KB

MD5
e73e5a6a78fbb17fb9e9b74fa632ce9f

SHA1
cc61325be5f37249d75ff7d5462928c2dace9dc6

SHA256
7a7d22f7b35c31e8d239f9b3cc5e96bce378ab4e75610680036707563820bdcf

SHA512
aabbf8215fa12109afc7be025512cd339598566096e8abda46ee8fa5f5afb6a58e5930a15634ee21e015d90e39f6ecee3e700b2786d3518eead5ab4cf4428507

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\85\is-4QPQO.tmp

Filesize
95KB

MD5
6deddc643f5eb2a6438758f04352d993

SHA1
961e8b7e434704a6da51f305672430db8757e53a

SHA256
af43feb243f16ac0cb8d01f7d500dab9c638cca70287791f1374f31609baf3ed

SHA512
bb5cb1e6e39f1e8989d8146679f68f5728d4d044fb48c35e50902d64902340c1864304cfca66e63381640e066249ed4d56cbd363f7003c6ddc5aa15e57d9e4fb

Download Submit
C:\TFTUnlock\Data\bin\Loader\bin\88\is-FF0NG.tmp

Filesize
9KB

MD5
a2b14288b192ec6b120d0ec7374bf548

SHA1
1ea1aacd2a38e03d907767fe61d2ae73a023e176

SHA256
3fb1e385e442f2f3801365723971b9b865849f10a1a84e71eaedc0763d477e39

SHA512
dc6f1ed76cc09af943a4e7ba5330e9dbaab78b76358df9cad2ee0bbfffb0107804dc19bb756f55bdb1db81ee1092f1c85846495df8145ac11d2c1b01eda2aa2a

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-6SA36.tmp

Filesize
618KB

MD5
40f341c86f0651df0be0bba741b23fd1

SHA1
e6e2ea924913595285cdbbf47ef8075b8f0b9f0e

SHA256
5aa0604c5f330f18cf89dab083f9ce6ebbb72c4aacdd4980ef70bba2e1941fc1

SHA512
6ac215a59ace61b50a43559889b7063b007a4e091f22cd9f7a55e588be687d7913e827fc915c8650e8df96778601708579074d56b3b062b518956d972eac9a7e

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-ASB5J.tmp

Filesize
4KB

MD5
5e9262b876aa44a3086ce223e308c8f1

SHA1
7fcedef4fb44919f0c32f7debce114172722155e

SHA256
4c0504ab48f38865ddedde5441a662cb3cb79886abe83a87d566991e1518e248

SHA512
9e3fbe248cc1976a73f129566004fd5d4fe65bee9efd39b5890dd9050cf7bf2794e2eb0fa65c8fc72de0066995f2d8e194c8f6217569aafb171bb9712d3ea137

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-C56NN.tmp

Filesize
3.5MB

MD5
758c9e8fe470bc8542098dec5ba45acd

SHA1
9ecea233526aec7eb308be7fe790ed6af745c9ff

SHA256
da4f426c9b834d7689260dc99ada972d4ee134ddf41d0c9a00d30992a1c43fa7

SHA512
4b7eda28966dc7b852940b4d77e072927cdb22352769c7af92657b4f9581398a41e1e0643c61c00cc7c8f40f8049306875e36e0f605b2b3e5fea1cd4cbcecbbb

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-EDKPR.tmp

Filesize
679KB

MD5
b77a9d4be29b313cd158f25aacf97960

SHA1
0c87c0896cb3dbd857b4930654a0a1e9591ce718

SHA256
fdf2933342d510f9265663be58f1dc45a9ed9c6fbb99d0c536c4d3f9f7f7b145

SHA512
db5347c172039ff828f9e3010ab84f60528d62caea8caf43f916847e95a3789a8e495a6cb1a80a227bb263044434237cd5ee0177d5d5615b9275ae7586a93997

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-LT36U.tmp

Filesize
629KB

MD5
7b5a77d200acd394de28111adee5c695

SHA1
91d44d5c66cb4d7f6894ffdc7de5d8a297e965e9

SHA256
31bbdfbd6566dc828e66daacf3fa49949229cfda8fbcb08d7be58fc79781fe43

SHA512
7d73ad29b2b0d015b084138ec3db88db5812f61f48b8a29d3b562e396c8ea9b1cd3a6be1a29e20ff133b46a02407ccca5c69328110acdc215cc9f22bbd08777f

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-PKA6H.tmp

Filesize
69KB

MD5
d59667811fb29e150fc21f7eb6eb9b2d

SHA1
3910c5c7d963d820fde970d741f8a0552f420c59

SHA256
8f2b69604b887ce16dee32fea2050e55425e8598cf96f2ce940f33401710acf6

SHA512
4176eb7fff410cec4a2b828fb387dd56ac89ab83e3f4d0b5b3debc98ff7b57682d265af33d4e2fd9f6ab69200cc974b06e5824cfbab4dd4b9333fe807bfc2eac

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-PQD6U.tmp

Filesize
98KB

MD5
e1e30ebf3ba206091b17a03ec797d5be

SHA1
dec721d31673417ba2343c1a8fea94716b4b2cb2

SHA256
1f0a1d3586bc030558a741b59fa6ad35db31d58e59c3218e5f4cdff3fa2cd5b9

SHA512
8c7cfb2ce7fb0e0c3dbf273bd7bdc3099adf2c6caa98a7064037f06f0b95ae340a1c1d18aa4cbdefe349c8fbcf64db5ba4f955bade5c926e70cd7a7c6142f51f

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-QRMHF.tmp

Filesize
370KB

MD5
016117349051bc912d33724fddb4e4fc

SHA1
a187e73f28fb59d4b01e81d6946ada222e4fda97

SHA256
20e4c05ede0b695a90d7516faec31a9765d16ac8ae16a720f76fb62ac353e56d

SHA512
39f15076b6423c39ed3659a2ac7795c5dca2db24e409273520bcb6edc04d544f509efd7c5c091d1ef335e1be80a6693ec410aafc5a416e245659019a6beee868

Download Submit
C:\TFTUnlock\Data\bin\Loader\is-R9PJM.tmp

Filesize
648KB

MD5
3cbb118250d9139d72591a348ef84d7e

SHA1
4821a628619c810d847659cb07406841dc0f309b

SHA256
9d82755f41c580cde3677b6b89bc07e4b7e470a5fc9faf9a0a5f9e782d971482

SHA512
c26d94c466222d73736a75523d5355d2151c08631f6c91788c7feb9fa598d7b503bf7db48f353e445fea6f242d521e08df571b28f0a1eeb8f6d8367dec0919c4

Download Submit
C:\TFTUnlock\DevExpress.Data.Desktop.v21.2.dll

Filesize
680KB

MD5
dcb033d69eb9f66fedba1593ff181c9c

SHA1
468195e50529e916f058a2f931d15aee8aa06982

SHA256
e9ae2cef9424463e31601d4e19dd47ecb1f51152d61e8bb40f4ebdc781d72602

SHA512
0f3edc98873262af91427d77fc28d8e34c679282e0817b83628715236962375c0a959ce088debdde617cd6236a4f36bd28f1514a24e37c4536d6f5e90a6b2671

Download Submit
C:\TFTUnlock\DevExpress.Data.v21.2.dll

Filesize
5.1MB

MD5
f4202b30e32a23fdcc7cc62e3dec0ce3

SHA1
f91454fc3a8e98012df01f6f7b590443da8287fc

SHA256
b0e696517c5bd2acb157fa609cfc5ed6b52e376ade802411b7fcb9a605275c01

SHA512
95c8d977d6b8eb235d75d2ee98e9dc2bc36ae6023b32db9d4b630ba9148db814ab519ffb61b59d08e15251c8c96d7fbbfa98539ef1db3ceb647b29fd95dd3b40

Download Submit
C:\TFTUnlock\DevExpress.Utils.v21.2.dll

Filesize
17.7MB

MD5
3581794b220431421815a914d43073db

SHA1
0743108d0e01cfe4b3ad33bb016d2651626e1e05

SHA256
829c0e7796994ee78001dbbb627ed23d19a05fad61f127e8a04d3daf50f6ddd6

SHA512
d275498008ee792751c2b819399c4d9a9137a27e8773061b875032009201dea8f0d9c740296fb7f0e03e6431d0e582bbc2290d27babe8b017f9d7556045da0e7

Download Submit
C:\TFTUnlock\DevExpress.XtraEditors.v21.2.dll

Filesize
7.5MB

MD5
ad87923ec7cea1d05c8e11405d5193d2

SHA1
fbb7b399c69a3cf3292ffc5279e383f6baac9189

SHA256
7a7ac72d8bce8f0ef10e4f9188afc18123ac11dd5462b45205fc495362a74e92

SHA512
5c14e5b544dac9b7ed927c3b51063237eea86e1408bf245faf406e12daf26cc66e5303f0f1845259c32ebebd9dd7d3b6c011803ac3b97aadfa5f7d8871890ce3

Download Submit
C:\TFTUnlock\Guna.UI.dll

Filesize
1.1MB

MD5
8673eae95d67e5eb19f0eca3111408e8

SHA1
ad3e1ce93782537ffd3cd9e0bb9d30ae22d40ddb

SHA256
576d2de2c9ef5bc1ea9bdd73ae8f408004260037c3b72227eed27e995166276d

SHA512
65c4eadf448a643f45fa9a0d91497bb25af404c41a3a32686d9e99ba4f4e50783d73f5b13d5df505cc62c465be300746d84a2eaa8000531893cd0b19d6436239

Download Submit
C:\TFTUnlock\Guna.UI2.dll

Filesize
1.4MB

MD5
acec68d05e0b9b6c34a24da530dc07b2

SHA1
015eb32aad6f5309296c3a88f0c5ab1ba451d41e

SHA256
bf72939922afa2cd17071f5170b4a82d05bceb1fc33ce29cdfbc68dbb97f0277

SHA512
d68d3ac62319178d3bc27a0f1e1762fc814a4da65156db90ae17284a99e5d9909e9e6348a4ff9ef0b92a46ba2033b838b75313307b46ab72dc0aab9641e4f700

Download Submit
C:\TFTUnlock\TFTUnlock.exe

Filesize
4.3MB

MD5
f685c3fd586ef676152373dfa9530688

SHA1
9e53ec44c5b147619f293b428601a6b74eefbe66

SHA256
623e7c7a6db7f76b7ee39d69159b8bef73015012757ebb76dba33d15bd73611f

SHA512
5b15c02af680760ab83db03a37b7bb136fbc6a08aae86c960345f59c33cf775926c5f83b99d37e7d2449865d04524267c9fe43f615a8ea0d18292d87acda2dd5

Download Submit
C:\TFTUnlock\TFTUnlock.exe.config

Filesize
6KB

MD5
1e6008f347cd25d170e1b9809993a4be

SHA1
ae81172f32b4a4124b7f21c6f12446865c866722

SHA256
5eeaa652cc7ee24f2822ab226cc58162f0619b34c4b328ebb00b6dc8d02ab289

SHA512
f7c10c9fba09fe1aad819100b7402e29fada0944419de606ed01ae85d001b6c44da25ecf6f39282902b9de1199ac373f43bc0841fa6b2b03a63f6316c368f32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\963c882f-3f6c-4137-b89e-12e581a51721.tmp

Filesize
15KB

MD5
e60d8b44a0742b7072c6066aea3caad3

SHA1
53254de573d8f552c8f987d0f078f811b3d54556

SHA256
d147a1f784efce970e6e8c07441ea546f6ef80c42dcfb0f89a2d113016dcba83

SHA512
8c68816af9bd1852ebc10b9c7c66335f20b0c8bc40b92db6fbbc14760f7f2e4466dc16fdb5fa9a0f418a1052afe321e0ced3d8779664a430037fee21fa8cdc50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c85271af0fe7121f6a153ff66e9e1c4f

SHA1
007a4fb5754ef6968b149a3765f33f37f7d47617

SHA256
c9a5d9c8253a311c5583ab7c743de22aa9480c9fae2bd4c3ee51939a321844a9

SHA512
036ef494dab0082706c8c7fda536f9ed0282e0746e7df4c32b67b47a0ef59e67d6b98443f276605a7b41bf48be565d918221aed381c26a7c51588ac329fa9368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bf5b69ae886acd2b2cb5303daa2b4e37

SHA1
43e5b382d526fa7b2be5930ed040869112a77133

SHA256
39ff935b614f5e116594018142d9356ca501f70966788dfbd333cf7c7c2d303f

SHA512
035e66e4e8b9f83093040cbb565160da1b17ec9ee67dd8459c906ee64452712d0d34bef58be7ae6bd77bc38abce48c661ccfd263242a2e989f081bf1342bfb7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7fb79bd0883fb41cd5187ae1be2a7b08

SHA1
089b438bb7347e08c391b9a6d3a012fe3644e295

SHA256
7c3c060c39e080375fe0500d0d7b4f3938b939938e4a040a208d6f3a4e95b51a

SHA512
445fb734c17a0f1753602249feeff50a414d6544e31e639c1af90e58d329bc2758cfa38da27be68b2036b214469780877ece9d98ccd1d5da648efb436f28fadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a07e703de13f4caae6cf28c4fcaa0239

SHA1
0c45cf9f548740abca51ed47ddad99bfb579a808

SHA256
1ce6e68b069e3ddf0bc5b1edc03537d3298833979fd5aeaf9da736bea634862d

SHA512
b0c3a748e7f7a36af0ecd43e335eb6f15a29ad87c07baed6c1bed25b8aed826b692c1fd566a8fe725a37ec75ee5f1f66f4c5b63d97892fe9f63fb52807a6ec7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb76a4122b9e1de69d6cee4fda2a4e75

SHA1
b6bcdc516a77ff6851c6a8587dd1f5be28326fa6

SHA256
399c5f2bec33d36442609f685d28edac0834c00495c106c69ff1cc540163c23f

SHA512
2437c4485c39827761ef4b86a91f9b8900bd2c540cd0d35c42a688b21224669bb85c7b1006563fac8bdddfd1e36f8b35832a56dd2513553a169d1bc7c4607e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c709dc140281aa0a245e6365246875a2

SHA1
e467f1fba45a67c782000defebc5fad92f05ac61

SHA256
651a3d4d04d2d87d1710093267d1c88f43f252511fcba7fb036c5355cb261f77

SHA512
f1b4e77c00ca3400cce02679e29e76697e8f352a317a803aa70c08e46c7e8888a455ed25307e9ecd383b5a2511ecaf3dc79bdad7f09a0f2a16f1c8794a808c8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d5bd3c90b761886032e7f31fc96fae85

SHA1
ae978ce7dbbf8ce8b416bd202f6c780fa22ba715

SHA256
3284520951bff42cea3637800920a45dadfcb86a83abc31be8bd7745a8fcc6b4

SHA512
c8ed35c47e172b86470d20b7907c154c4f7e9d8caeed6a18f293f2d7ed0e1a1f59ea61d7dde69097b214e01c7cf320b1a490a3e7a0684d4507926831b4823b72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbeb96b2e5b82677086ed26b564c1101

SHA1
f6b2f96f38c3a2431fe9c6abf1e85f5316c7bdc4

SHA256
a64b6de20c3a8cd7418cdc53cc2fb1c35b31f77e3bcd44b35152ae4bcbe6f4fa

SHA512
c70eb6b594e4b6feac3d628721b3a751d284eae89ce7581980432a365e20debe230aaeae60b35aeeffa1515eff134a6d0a8b9d315f5b6609a93fda0f8beb9655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
cbcd47e710044e928b9c353f36229477

SHA1
b2facc7a3b4c32e61150942cce983f987f5f0474

SHA256
7002442a13b3851dd1dd5e51cd30afb0a8fa5bfb46512675d472b86495bdb157

SHA512
9c497b66810b949c5134a5cc91e1b74485e9a1199b13d81a74864834e1b27d1272418ee8e39e19b9099b878cc1a94ca8c562d3af045bcb369d694103b07b1a5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a311d0c293498f117966f908f772c9c0

SHA1
3467d6d05efbac2411466f6578b446647398303e

SHA256
6c158c315c2e466f1933d94ebdf0a907448be8f9e3931ede1b8694cfcc464a4e

SHA512
873a62f0d5618c34075b7f6ff8b8cb2436ededc2505eb1424afd76a7bdc759b40f0cf01d03f896ec6fad05e209f7ecc64a9821fa9e4d013cde79ea3211071453

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ecd1f3f955a20487157172e56e4f0b1e

SHA1
39f520b708b1180ed52c0d4160732ce085ef5e05

SHA256
446bd07b935f3d022f714af4a46521d0059d6d7d5c2da5954c844caf40a44dfc

SHA512
d18d39adb74ab7422f5c3c6104201790a1479e6ebbdcf9d83008d399684dc7984ec94b7c9b5b6b3945c508d8ee1f7e469912087a6fd4144c1df0ae08ad61c42f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f689fef1c8b2e2352c4e2e7648d58578

SHA1
79e32aaa01c3fa0e9caa93ad153724763bab91e2

SHA256
e2de180de1f48b48c033f9f0801f0ba9159fd9c8b1e2a6ecc673a59b048b2f5d

SHA512
7372fdca4970c1f87772da7b30dd84cc9a56cb2bf005b86556243cb74057ebe50051ba3b0e0c87f946710ac65e5e06435ad8f21b3d76660546864997d89db100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b85412c55f55951b147b5b968e8f7c05

SHA1
b9a86b4d85d7c747e21899146acf347d11d7e0d1

SHA256
ef745222d35bafe93b0743fb99ec29a294f9849c5e7ba397900c5aa6918a993c

SHA512
2926b3ec5113b869dde9e280a7b3174d1f7fcd729e3113773daef82f1962fe95ba7add88d4aed70b0c919cb9f9620f2c6dab6221b5103a46f195f3b9a0e3a35f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
478a7761ee6ac6d76744e44b9458edbe

SHA1
ca1d64189a28a3e71cce4d3035d9bbab8120871f

SHA256
29d93e91439a490d941001803e33ab2c439ce2761c397131c74932ed67cff1a6

SHA512
9bbed77e4adc013c1140ecb851082c703a67e4d61c005b5ce617f512fdaac75755bb11c1d877969d5b623ca88ddbf2913cc018010c0b82ca34d2a50d753522bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TFTUnlock.exe.log

Filesize
1KB

MD5
44a71eaf03208237acdaf8c0d21bad7f

SHA1
5f7bd52f36f401203294add84f7f14e6ed612389

SHA256
6120a005ab4db869dec34c8d67de12517bd7da6bb74efacd8747e01d1ec2d959

SHA512
99eb8d7c10494dea723347311afefeb4d104e40f1f2e25490013dd845c4decf70d96970933aff32e8de75dd44507e527af27b50a3e8edfaadf3810855af76857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\56264fd7-4741-4fcd-82ef-a9d26f9e7e12.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
07a9d9a508ad46eea53ffcd1e287bc6e

SHA1
a04fd4f5936ba93087b588fa275e2177936635a8

SHA256
186f1b704d5acd55ac2135ce21d51a24ecc169576153eae6a2b9662d89c1a467

SHA512
0632a18ae6a8b663564e8b77d18cd2df5bdc7d2052e67038e7330c2194acd0caf4a7238b5aba78025c832386205cf4dc6808165de9cf2d30da648073ae0467e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
331B

MD5
dd4f5e6a7629dd59d838784635894a30

SHA1
a8f5468acc5de56baa63c70e2b56b392e7670bfb

SHA256
c7a38aa152f39eb02588f0c92671cc67ae1d93e3974e40a8b8c0c9563b9376f5

SHA512
1bd92beebd852373df365f0d5ca6bfce244d8073434b3dc2d67aa2c77c59dd48219187eb95bbf396e4f5be28e37ba573873c42fa143df8a7fed111dfbad98084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a5f557d86ad3b2718fb4a3e2e11c212

SHA1
e2954fd57bf1d5befb11a84d61e28ae4a57d3d27

SHA256
e65d8341034c85fded4804ee560abe640e186fff465a7c9f3b3d151c5e0c6330

SHA512
970834480bf20d0b280d7585061ee55c78daa0b184e40006486ee31f9fadb315469993f60aec1f237b73fd8754fac2a4b1e0f4ebb612ce61629197864120753d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1956a3e98292f7217598b87e48c80849

SHA1
9d0b1157fbd20f889d3cd78301c86591f9a8c2dd

SHA256
da59f3ed4cb5a6d5e7e6899d86bf2fd64c6fa0eaa6be2e437918fa09121333d0

SHA512
961d37e9f9821b796a093a4e6b2614e0775441140fc0f0ea17119ab04294211258074c9a6754ead3d265897971e6ed50ae6136013b6679272beddb4de0dad294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
12a528307c88fc26584827bbbcba51d4

SHA1
efe7ffa867805964fa4c687362615c8740a2c366

SHA256
3cdb6b22e3fd671023d21c112c6b1d4b69a8158f151b9950acbcb7a0263412cd

SHA512
e2e8b5ec816c683798df580074be3351368e8d57e76b0df8483a5eee6b05547a124272332b4906b01f47105b86d31def52b532a6cc27004cc0cc741ac286e064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SFI47NDC\main[1]

Filesize
2.9MB

MD5
ac187be6f074dc9a4e3f0361a64ace54

SHA1
6192502e6bc9f2c6c14e2ea9e99c7d6f5b19c23e

SHA256
8519bb73f549601ccc6214a07d8da441e9205527bad422cebc187bb097e4c6ff

SHA512
3e1e59498af8d43513899fe90466055a582cc2e2ce681d02c77972fd559a38bd893503c25401a4dadcc8b16f2c438c635c4e259a7c991f9c6488fa1523c8c4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7E0AS.tmp\TFTUnlock-2024-v4.6.3.3.tmp

Filesize
3.1MB

MD5
8c550a9a313f2d2961d1b98b1743efab

SHA1
d8f2ec5579a25e55beba830c4764995338e3009d

SHA256
938dd99e6bbdd45dab8b237fa0f1ebf297c7ddf43cd59081c4beb656052f51c7

SHA512
116eb1c9d541a1ad021f4ba5e8288f9e894f73346a715919fc36c4d50487273e0002401a445f1e4336d6e565aa1c37868a3394a0ecd3aa62acb35c0471bfb5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2940_1352433458\32a26ff5-6667-41be-b251-5ad71f80e520.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2940_1352433458\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/1380-7356-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/1732-7337-0x00000000092C0000-0x0000000009326000-memory.dmp

Filesize
408KB

Download
memory/2972-7285-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/2972-7307-0x0000000009720000-0x000000000983A000-memory.dmp

Filesize
1.1MB

Download
memory/2972-7287-0x0000000005670000-0x00000000056C6000-memory.dmp

Filesize
344KB

Download
memory/2972-7324-0x000000000FD20000-0x000000000FEA8000-memory.dmp

Filesize
1.5MB

Download
memory/2972-7291-0x0000000007110000-0x00000000082D2000-memory.dmp

Filesize
17.8MB

Download
memory/2972-7284-0x0000000005990000-0x0000000005F36000-memory.dmp

Filesize
5.6MB

Download
memory/2972-7295-0x00000000067F0000-0x0000000006D10000-memory.dmp

Filesize
5.1MB

Download
memory/2972-7299-0x0000000008A70000-0x0000000008B1E000-memory.dmp

Filesize
696KB

Download
memory/2972-7281-0x00000000000A0000-0x00000000004EE000-memory.dmp

Filesize
4.3MB

Download
memory/2972-7316-0x000000000D040000-0x000000000D078000-memory.dmp

Filesize
224KB

Download
memory/2972-7283-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/2972-7286-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/2972-7303-0x00000000095A0000-0x0000000009716000-memory.dmp

Filesize
1.5MB

Download
memory/2972-7309-0x0000000009460000-0x00000000094C6000-memory.dmp

Filesize
408KB

Download
memory/2972-7308-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/2972-7310-0x000000000BE60000-0x000000000BEC6000-memory.dmp

Filesize
408KB

Download
memory/2972-7282-0x0000000005020000-0x0000000005198000-memory.dmp

Filesize
1.5MB

Download
memory/2972-7314-0x000000000D0D0000-0x000000000D858000-memory.dmp

Filesize
7.5MB

Download
memory/2972-7315-0x0000000004A20000-0x0000000004A4E000-memory.dmp

Filesize
184KB

Download
memory/3064-7357-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/3064-7360-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/3304-7545-0x000000000A050000-0x000000000A0B6000-memory.dmp

Filesize
408KB

Download
memory/4020-7354-0x0000000009B70000-0x0000000009BD6000-memory.dmp

Filesize
408KB

Download
memory/4296-6-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-7270-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-675-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-542-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-529-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-6067-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-5307-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-7276-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-9-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-35-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4296-69-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/4372-7321-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/4372-7319-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/4780-7343-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/4780-7341-0x0000000000E30000-0x000000000247C000-memory.dmp

Filesize
22.3MB

Download
memory/5004-7277-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5004-8-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/5004-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5004-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download