d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

Analysis

max time kernel
1746s
max time network
1748s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-01-2025 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f
SSDEEP

49152:PjHajM8yMboA7HSP/LRVTRoxy4cUARNLBQfnysp8OQmY7jRvTepmgChCkjIvaW:P0ByMPGP/LRVTmM4qNLB4kjRbWChCkOR

Score

9^/10

defense_evasion discovery persistence upx

Malware Config

Signatures

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1988-1582-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000028055-2036.dat	Nirsoft
behavioral2/files/0x0007000000028061-2072.dat	Nirsoft
behavioral2/files/0x0007000000028065-2084.dat	Nirsoft

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

flow	ioc
232	discord.com
252	discord.com
272	discord.com
275	discord.com
251	discord.com
287	discord.com
289	discord.com
226	discord.com
274	discord.com
295	discord.com
323	discord.com
257	discord.com
296	discord.com
76	discord.com
79	discord.com
145	discord.com
193	discord.com
204	discord.com
246	discord.com
310	discord.com
212	discord.com
243	discord.com
249	discord.com
276	discord.com
279	discord.com
312	discord.com
77	discord.com
78	discord.com
253	discord.com
254	discord.com
281	discord.com
298	discord.com
152	discord.com
205	discord.com
288	discord.com
309	discord.com

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-849517464-2021344836-54366720-1000\Control Panel\International\Geo\Nation	WinRAR.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000027f8c-1555.dat	upx
behavioral2/memory/1988-1565-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/1988-1582-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Executes dropped EXE 8 IoCs

pid	Process
4376	WinRAR.exe
4828	WinRAR.exe
1988	AppCrashView.exe
4588	WinRAR.exe
1784	WinRAR.exe
4364	WinRAR.exe
2352	WinRAR.exe
3792	WinRAR.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 64 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\ExecutedProgramsList.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\DoomsDeBunk.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\amd64\SystemInformer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\memory.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\BrowsingHistoryView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\echo-journal.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\echo-bam.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\EDDv310.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\LastActivityView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SystemInformer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\Everything.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SSITAUserAssistParser.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\WinDefThreatsView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\DoomsDeBunk.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\WinSearchDBAnalyzer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\Fortect.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\JournalTrace.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\JournalTrace.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Winpmem64.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\AppCrashView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DeathRun_Scan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\memory.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Prodan Service Tool.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SigCheck64.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Prodan Finder SS Tool.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\JournalTrace.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\BrowserDownloadsView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\dskinv.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\Everything.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\Downloads\prodan(2)\AppCrashView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Everything.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Fortect.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SeeShellsV2.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\EDDv310.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\EDDv310.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SSHelper.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\Fortect.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\dpsanalyzer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\echo-bam.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\LastActivityView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\dpsanalyzer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\EDDv310.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\textscan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\dskinv.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\BrowserDownloadsView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\prodan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\BrowsingHistoryView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\BrowsingHistoryView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\JournalTrace.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\memory.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\amd64\x86\SystemInformer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\LastActivityView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\AppCrashView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\BrowserDownloadsView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\echo-journal.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\ExecutedProgramsList.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\OSForensics_v10.0.1016.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Screenshare Tool (No Minecraft - 64 bits) (1).exe:Zone.Identifier	WinRAR.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppCrashView.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\WinRAR.exe\" \"%1\""	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-849517464-2021344836-54366720-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\WinRAR.exe,0"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\WinRAR.exe,0"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-849517464-2021344836-54366720-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\WinRAR.exe\" \"%1\""	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\WinRAR.exe\" \"%1\""	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	WinRAR.exe

NTFS ADS 64 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\LastActivityView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\die.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\ExecutedProgramsList.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DoomsDeBunk.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\echo-journal.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\ShellBagsView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\EDDv310.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\Mui Cache.bat:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\Downloads\WinRAR.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\OSForensics_v10.0.1016.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\echo-bam.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\echo-strings.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\memory.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\dpsanalyzer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\amd64\SystemInformer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\BrowsingHistoryView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\DeathRun_Scan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Fortect.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\prodan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SystemInformer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\WinDefLogView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\scanner.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\Mui Cache.bat:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\DoomsDeBunk.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\echo-journal.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\ExecutedProgramsList.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\DeathRun_Scan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\FTK Imager.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\memory.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\Everything.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\echo-bam.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\BrowsingHistoryView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\Downloads\prodan.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SigCheck64.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\WinPrefetchView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Prodan Service Tool.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DeathRun_Scan.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\DoomsDeBunk.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\JournalTrace.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\die.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\Prodan Finder SS Tool.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\Downloads\prodan(1).rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\Everything.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\echo-bam.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\SSHelper.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\WinSearchDBAnalyzer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\amd64\x86\SystemInformer.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\FTK Imager.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\WinDefThreatsView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\echo-bam.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\JournalTrace.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\newmaceta.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4364.6809.rartemp\prodan\FTK Imager.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\memory.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\UninstallView.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4588.11896.rartemp\prodan\EDDv310.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\dskinv.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier	WinRAR.exe
File created	C:\Users\Admin\Downloads\prodan(3).rar:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4428	AnyDesk.exe
4428	AnyDesk.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4828	WinRAR.exe
4588	WinRAR.exe
1784	WinRAR.exe
4364	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: 33	712	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	712	AUDIODG.EXE
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4376	WinRAR.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3136	AnyDesk.exe
3136	AnyDesk.exe
3136	AnyDesk.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
3136	AnyDesk.exe
3136	AnyDesk.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4828	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe
4588	WinRAR.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3136	AnyDesk.exe
3136	AnyDesk.exe
3136	AnyDesk.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
3136	AnyDesk.exe
3136	AnyDesk.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4376	WinRAR.exe
4376	WinRAR.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
2104	OpenWith.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4428	4008	AnyDesk.exe	82
PID 4008 wrote to memory of 4428	4008	AnyDesk.exe	82
PID 4008 wrote to memory of 4428	4008	AnyDesk.exe	82
PID 4008 wrote to memory of 3136	4008	AnyDesk.exe	83
PID 4008 wrote to memory of 3136	4008	AnyDesk.exe	83
PID 4008 wrote to memory of 3136	4008	AnyDesk.exe	83
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 2472 wrote to memory of 4168	2472	firefox.exe	88
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 4904	4168	firefox.exe	89
PID 4168 wrote to memory of 3524	4168	firefox.exe	90
PID 4168 wrote to memory of 3524	4168	firefox.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1912 -prefsLen 27199 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d3e694c-7907-413c-a7a4-17787b1150c9} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" gpu
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 27077 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e45b5dc-2493-4d0f-8d4e-4025391527c6} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" socket
    3⤵
    - Checks processor information in registry
    PID:3524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3048 -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2960 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ecf8c01-d967-4c11-a758-34198b2dfda6} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 32451 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeafb94b-57cb-4836-b398-457d8e6f784b} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4172 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4544 -prefsLen 32451 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7cfb9a3-d9be-45a1-8062-b96f4f2035e5} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" utility
    3⤵
    - Checks processor information in registry
    PID:3120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5332 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {527f38fb-5868-4809-b6b1-53d166725a0d} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:2440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5392 -prefMapHandle 5368 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9340e79a-29c9-4ea5-81a6-8ab2b4ed5a27} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 5 -isForBrowser -prefsHandle 5504 -prefMapHandle 5672 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f341f65-fc3c-4a2b-8296-cb6b4ba09c44} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6244 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 27176 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a5c6f4-8875-4193-b8b0-b9b189c8c1c2} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3228 -parentBuildID 20240401114208 -prefsHandle 3412 -prefMapHandle 3260 -prefsLen 32629 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac269e68-43eb-436b-842f-d3df5fde6446} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" rdd
    3⤵
    PID:3748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 3396 -prefMapHandle 3400 -prefsLen 32629 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {620d3cdc-458d-4486-a3f5-aa100f2fe3ed} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" utility
    3⤵
    - Checks processor information in registry
    PID:4520
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6572 -childID 7 -isForBrowser -prefsHandle 6556 -prefMapHandle 6568 -prefsLen 27176 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d47836b-f9d8-4beb-8c71-994a5f456732} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:1288
- - C:\Users\Admin\Downloads\WinRAR.exe
    "C:\Users\Admin\Downloads\WinRAR.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d0 0x2b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2104
- C:\Users\Admin\Downloads\WinRAR.exe
  "C:\Users\Admin\Downloads\WinRAR.exe" "C:\Users\Admin\Downloads\prodan.rar"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\AppCrashView.exe
    "C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\AppCrashView.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1988

C:\Users\Admin\Downloads\WinRAR.exe
"C:\Users\Admin\Downloads\WinRAR.exe" "C:\Users\Admin\Downloads\prodan(1).rar"
1⤵
- Executes dropped EXE
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4588

C:\Users\Admin\Downloads\WinRAR.exe
"C:\Users\Admin\Downloads\WinRAR.exe" "C:\Users\Admin\Downloads\prodan(2).rar"
1⤵
- Executes dropped EXE
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
PID:1784

C:\Users\Admin\Downloads\WinRAR.exe
"C:\Users\Admin\Downloads\WinRAR.exe" "C:\Users\Admin\Downloads\prodan(3).rar"
1⤵
- Executes dropped EXE
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
PID:4364

C:\Users\Admin\Downloads\WinRAR.exe
"C:\Users\Admin\Downloads\WinRAR.exe" "C:\Users\Admin\Downloads\prodan(4).rar"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:2352

C:\Users\Admin\Downloads\WinRAR.exe
"C:\Users\Admin\Downloads\WinRAR.exe" "C:\Users\Admin\Downloads\prodan(4).rar"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
abb3d96eec6579b8289c75cd669fcf10

SHA1
b3a91290f2a81f01a1a13dd38e657a7d47e7c5c3

SHA256
b6b217de239043d4fdacd3685028624af4ace509bf81583f456939c86bd67dec

SHA512
128b0a656b0523b6fc9cb6a4c0805f5d9ab329602f3b507b673daf205ff62ff62264dcaa429b7c8206b5776cc5afc8a13a9b384da99470fbf0b8fc880b96c730

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
497f195a2e4493a04031c2d050f034fd

SHA1
e742e9ef78f59e7986c87af51d7368aca1994c96

SHA256
4a71499d1a0b9a58c1bcd130cfdb6d78383cb2d1117673eb509783301feda8b9

SHA512
73a6e66c7f8089e8c5fa3417d45b1ce52d555dbeba1481be88776e7bb895026edbe90114eb6ae727137e79d91f281453b970f7de78ff0b8007f93a08b1663606

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\doomed\10868

Filesize
8KB

MD5
b35eea255e9f717b2002721987e5c0bf

SHA1
ef3cc4adff22c0e10f6667963fd6157f24229ecd

SHA256
d1719217b1160a69b9689981ae0b9c5822d68308bc8a3ab70637306bbe653aa6

SHA512
f288074f3199ecbe4d07439e88a96bbd689794ab788610ee4aaf8aaa1e164d56b084e0497f064176876db50714db6325bf97d6e8b7c97c558635d86d6c5d4aad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\1E674701354CAC1C866AD30A8FFFE5A3CE9D2AF5

Filesize
11KB

MD5
af2ec2824fccead255711adb4c2b6660

SHA1
0d89a81a6eff771f7150b6b357df50e3b9b7185e

SHA256
c2163c9b4c516e4cb83ec81dcb116b09a7f5a960fa72d2526d08b2faa78ca2c3

SHA512
1a5c73414e507355b142e236155a0f328ca91249a4c7f2ba6d2c7fbd877d78b499aacbf1a8eb33aea45514fc7e80fc40e47d901877dbbfbf7b4bd37f50fdf84c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\6A892364966A90C069920F8A72606B768421C0F7

Filesize
24KB

MD5
c94a988c61c3cf637dd65282dbd467db

SHA1
58554bc9f39521bcb08865d13e27ef225a4269a8

SHA256
f3f1594e5c4c90886529247f3ad7918204f57a30261955d4f6146d3fb1c795d1

SHA512
27e4d1d916c942ef9cfbabab43a2d6a285d7acd7ec48d1872da77d0f29ba1700cf0eb200fcb771300841bd568e3361c9392ffc6cd42ce0301e86df8babe68438

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
13KB

MD5
dafb6966cc9e95baf20bef8cad7391be

SHA1
af8802844593e5c2bd7f7e5bcba0ad6fa60c7d45

SHA256
c45c3b82d8b6bf237ecdbb37c6e326bc5652294bfb35ca66b2db9f7efe7eeecf

SHA512
08b04c4578ea973af189d9ccdb6da4ca0e8aed2481509908e3c70db2011eb0e74c82edeee8d16c85ab9dcf457de4e3c8e8b47442c50fc118838a4aa1555ef0af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\711A1EB78C4E0475B51DAE2F21E4FCBDBD6915FD

Filesize
31KB

MD5
297a2ea2493e6c57bf2e723b5680169c

SHA1
42bfdf4755eada8c1255572d56dfdca2af3ecbbc

SHA256
14421d4dc06c5ce09e9521311bb84827c354e4832cf96d1f8157fac0ac2551f2

SHA512
56ee802526f654459e6728ef421ecbbbc4841278216f07a975707a36883534a379002bef404f4f02ed5f138f8c9a374a0d1d4f404cccc48f034b86f595454a5a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\D18FB7DA89F8DD4E7A2C97703A1647E8C981D05A

Filesize
13KB

MD5
adb533ee8ef0cca7746109266506f6fc

SHA1
d6b8d7a773386b73904ef11d043fc50437f423c2

SHA256
3695b4299c6df55de8a74f1a9ee21df8ad93ef6ce05e264daa83706b8c01c733

SHA512
38cb6f9841262c6d1e33e433a195e451b640cfde45c13777f674a9986167a3657d3d9810620156e07aa5c0ef15a3f8877e3ec4239137b1728802a89fdec901ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\D458BBF0DEE61870B6EDD64D02D19BE3B398438E

Filesize
13KB

MD5
5cec41d09d42557190390f73d6fd6f64

SHA1
d9d4286f2472c63c462f559829388039052a83a9

SHA256
8c7a1c14f932c3735bf61c9af24e490b311606accd12b59ada5597bf9d4d4d52

SHA512
4a0b276b79aeb52ee4afe3000b658d71690409b101eecd0e2140b6a460cf95d3f236617b8aff9d7602cef053eb2767281a0616319a09a45546efa8041a7cf58d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\E7E89C5FD833BCC3DD2E30A6D7BF5F862BE85E8D

Filesize
224KB

MD5
d22ba7929532eb044144da57731ac3f0

SHA1
6e9f46916b64565c8ca9c710eec42c75b389d2de

SHA256
36b795590b77c7db386ccf9ab9095ed993b53f0c5c1ed5093c09e5c0203585bb

SHA512
df20e1d35cb15070f927995059e6563c6b74c6de07924008a4ae9deec695169d6785ed49f560a65bcaed57e333ad0980fbd1cb785dcebea1049ea39588cc3808

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\EA91871E71E6DCD05C08A0C34B6C7FAEBDB5BF23

Filesize
147KB

MD5
05b018a1a57a142a089f7357cb78a044

SHA1
5e5bac889699a95463575afa564a228c6028f917

SHA256
89e399cfe7a0d14ad98d133f8ec332816924604ded2a1adfc868f5e5cd59a6d2

SHA512
749d4bd142f2d533f7636a5f9f795a52ada437f8dd6a7df09751b2517885c8ba59086ac1897206744cee75f0ce4302feb87b25e9917c47ea09d9a6ebae1a609c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\cache2\entries\F545D0AC3CC01342FBD4DE8D18257C1BC0866C7E

Filesize
12KB

MD5
8cae48e97d6869b9f59782aecbc6f43b

SHA1
84f004e4727db6067c91a734d745b186a9696a2d

SHA256
fe57ef8ef4344e767b1e45171890c9d52efca3bd6148bd6eea4052f3c1279b1c

SHA512
0f196f24e43919cd08486cb5b2c31bbb32ba0f99e18e7da195b2d8c7b46988ce61f0119c595ee96050f33b0e628d3178e3268c85cd890c769748d4256c2f250f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\jumpListCache\pgvkyFEmrsHfr8uRAtZHxcDTJEmSq6A9OP2VVuYV4EQ=.ico

Filesize
609B

MD5
6e62ae713951b6193d202ddc3d2152cf

SHA1
abf75bd80bd84ed39792adf69dddb5a8b3b84bb4

SHA256
e5dc5320473de19e5255f32d0f9f352fcc23a03c254e82511999deac249d91cd

SHA512
8dff4541bb496449c0c0e93a1c60108dff8e8f7cea437b8027ce51bc22881a687597c511df4c32cabdd1c165aeb46b89c410e58563e18c449e84eddbbfa8725b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\thumbnails\8f1dfa9456c62962666f44076246d93a.png

Filesize
35KB

MD5
5398fcd91745d63dfadb1b4a98b5e9c3

SHA1
f7f66e76d2fd14e632961430e5158602a23049c9

SHA256
5b0cb3c0d05fc94e829759d66d33c0b31be8dd4ae9ee6496b3c819f86ee58409

SHA512
6f49adb8ebe4167a2c5add672e535ce6bb3012ba1fa9e5376f1d79474d391a33cb7cfdffa500f55d5ab703f79e0298553cd3c42b59ab7235360e9fff1ae8e521

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\BrowserDownloadsView.exe

Filesize
470KB

MD5
f921a63ef5d30bc71908b0f859235e2b

SHA1
5502a32af43ed5210a6206563d5d817407574b25

SHA256
632e7f78f684e8f76f36849787901dc86b337d820acbc5947310c8c3d178c3c1

SHA512
dd80bdbc6bdacf32a9e9327911eaf98c685e1054275efd27408e20719ce0a3fb6aa936199a73a12fede8cec42155c7f69ba80565920d51be1af1fe617f3d58fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\BrowsingHistoryView.exe

Filesize
558KB

MD5
1642b26deb2ed4d9573712ce2974e85a

SHA1
733a7d59fd23610057c9e6d6c700461bc8517b01

SHA256
cdfb491344d29901d508a8f88dafbc237ffc53e6980106f325764809f58f8505

SHA512
d3fc350e17368c4b73196a7d4d29b62107ba1dd8df4b453fc112921fb8211ecb894df1df44e61387c070e4dffb3a97a53663b32f084a1068bccdbf1983a22452

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DeathRun_Scan.exe

Filesize
24KB

MD5
bce0cee3c3c8d193e11e9158cc8fd19c

SHA1
1154febbb1e0cae8234a759d9c3c7cd50878a56e

SHA256
733890f26201c4b626e4f3c1852159cc934fd5dc689c7d488c9e94219e6c9828

SHA512
944e8fc45c2fc3f5ff768d98cf9902e73aac3e599e80f2879eaa4a3249d04463d251e0f7ef6ecff1d72c19be1310a3f7fb64947027505b72c0773516ceeb9b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DebuggerFinder.exe

Filesize
10KB

MD5
5194fce64dc34c2a07bf8a50ccf718d1

SHA1
bb48d96330f57a51909ed4be1576e61fd1c0a508

SHA256
3806925a31bc7b151b8cd80d9ca668f4a930f603c114fb0881f2058184a1547e

SHA512
c3da593cd7cb378f482d52609d9ef336f8be4ab2db2c6b798c8c8ea0097c6ac825f192b9a5c87c5d7e36ff6cb3d592aa194722419ad5fa2937f1c5d9132a1151

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\DoomsDeBunk.exe

Filesize
32KB

MD5
eb95854c6ea8db7ce9afd1c992ac00b5

SHA1
991666071c9a34525d26d9a153df11d58c387e4a

SHA256
c8874bbdd773fbf926a23a0423bfe70a0fd397bd2ff4a2cb5bf7b6f9f56f308e

SHA512
8ae7e68fe2b95782d30d323171d5881b5d64a823ce9c172c9e5ef0aa87f00e37b4c97164a8b00676da56d3cdec375a75fd1f840d780a56bc22e030255c58964c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\EDDv310.exe

Filesize
202KB

MD5
ee4e8097da5dc038ec3c9b2cb9db4700

SHA1
94d250eca8cd73fb62541e59ec9e6191f71f22a2

SHA256
de3fc8f41d498d2108dfd52de8e6200c6271bb45f3fbd6da5e4c7c648a5bb5b8

SHA512
84926df7496d855a5f26f3db9ccae338457c7ad08ff5e1801c3586de5992d8c2f7369486704ac61b3c490430ffdf3dc2a2709a66e4daee327bc4a5f81cbe3de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\Everything.exe

Filesize
2.2MB

MD5
59872dc7c88df7d0b01f9e93e5a4489d

SHA1
b0458bfc15492416e15f3a8f77f9fbbac856f261

SHA256
c194acec8a66c7c73438098e673328bbab594ab489401823038bc3a97ec70a72

SHA512
c5a6cf1ebd4bb7572cb5fa2d3f7c07abfad869c80b7eb8346f1b9b02f908ad8d60bc2d66e2c643ed162abf1ad844cc994a5151b8dd7771b12efb0e395a6fe01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\ExecutedProgramsList.exe

Filesize
81KB

MD5
7366668cc7eaa1068a38cc2761217fc4

SHA1
a6790473129e7298185ef4ee4e0badbdecc50040

SHA256
e3af98717bf1cda7dc4aacb5b34d111ac237604161cd96f7929ec33f2ff260b6

SHA512
5af36447a1d29c2024b83cf08bb9cfc2c360e02d819eb7b238e1e9f774aef6e5930f5f33b9f64d62e4e958911493338a0d95b58b22b076c4e9025abe6f3f0b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\FTK Imager.exe

Filesize
24.5MB

MD5
4b79aa3c413823db9a6f9f80f0d39e70

SHA1
bb2a451259e07dea7e994ee664235a02a80df2dc

SHA256
98554618f7a5812a41407048ee4b379dd57944337250d3ae514eec03fafd3307

SHA512
f5e96fca7b298f299c1d27b82fc4322de958fa915f0c59de8c720150d8761ff79e27e3d0710c13ea1fcea743794fa6facd358c21520f4f6bc95f75e24d0b9e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\Fortect.exe

Filesize
714KB

MD5
01712de1e76332696b79c25ee32c9704

SHA1
eaccbc242d11208d882e5e17b1e3c02adb78af33

SHA256
e531f1e904c4a4093a7cc9a960704e428d4bd1f6dd000aa06ec5aabdfc5f4cb7

SHA512
910d60cd5a90b93955da2186a9b23bf862b3aa8e2fc385138a89ab6ec9d0af91e16eb55b158dc22663f2e3f86277fc6e3e237f9a2a0cbf9c24d6fa562f4a60fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\JournalTrace.exe

Filesize
106KB

MD5
779386ff00b119b91f1ef5e36168edae

SHA1
006588d6a5c531d0e9ff497cbf3bab32744e15d0

SHA256
46873781a5c80ea676f0ed8024b31423f22918d9f4723aba49b22c8e597ec0e6

SHA512
7c1686cf33e8989064c8be404b0eca65609b30e7fbe8d7cc0b90fcefecd44ae024efdf3a65f4e08376c166b118a46eda550f563423261badfed91f7e5db96a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\LastActivityView.exe

Filesize
130KB

MD5
a19eb1487622a13402c0d63eede58f59

SHA1
c662772fcd96c7d6decd629af28f26014c506a30

SHA256
b1b7a772c927b4d3e2e4d59ba69e3fe955506ff80cee0947d54c6b3fabef6860

SHA512
6b7b676ebac4e3127a63cc1fbde85144d551c7d38330c516ccb0aeaa7558155eefc1dfba3f3d7b18510f8e099c37fa2504f1ff00607f52187a03780fd7f75f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\Mui Cache.bat

Filesize
1KB

MD5
654fa83144364653fe34005e9f2b379e

SHA1
893aad9bd69d506c2d9cb09dea143143a907cbdf

SHA256
cc24ebb3f3958da6468f80ef77285761778b82dce266030ad011ea81ec1170c2

SHA512
d0141dbe6dbfa5411921896dbbeed0ad2396ac8a09b62263464c174a71341d8b7771348f2f891f4f0d38c5b976e6e234f3cbdc29ab32eed89b900a7735bbd800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\die.exe

Filesize
12.1MB

MD5
28f323511b574955f02b8b8f449f364b

SHA1
4f4b4f433229f088a95b73b327965edbe82c1526

SHA256
233abe8770c31bedcbd35da6a60a39e259e08cdf9193c335f1789f4d5c8ab592

SHA512
1b60a4788415305ab59cbf1ee4fe1ecb0e13ed6e6726b8288cec64cb316fcc0c12ba5120ac192a9614f491e0b8fa45d814e6312f52fa98e2934847bd4e4f7d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\dskinv.exe

Filesize
1.3MB

MD5
76b106f32f5689d9667cad50594f2c14

SHA1
b770a90495b51873226a43e0e3a676f049532c1e

SHA256
f1aca4bcb0f48af25275d81015827dfa76d1f18d1e3fafbd312a4853d9168955

SHA512
c7a7744744e001c0344910ca78a46f0504e34c5e971930daa9d4150da4b4c269a8e2c5441896de313199618dfdd8e085af8b166755cea5f8a6464fb38f0b6d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\echo-bam.exe

Filesize
23.3MB

MD5
bf95aee2495260a778f350e5317a50ed

SHA1
494467b02f7ede5661391d75834d1d1672bac73b

SHA256
bf64f010dfe1a051813c942b89d80a558998d4392f6e2c97e80fc0a9c8c98b2e

SHA512
cdfca5a00d38716a9f366be86c9191d1f95ef5518eb37c4a2be6ab5bcbb5b1e0e4a9bc4e12e9c7d2496430ca61d7ea7a3a1d5f2bffbec9dc62815cff5ec3e7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\echo-journal.exe

Filesize
23.6MB

MD5
4572a97faa9feed1a3ade72edad133ec

SHA1
97ffdbc73ec98fa348b076a09b46d3fd0d8bc42b

SHA256
707840b4415d86ce3ff48bb5c61273edbf7cd3d25cefe75d041c7bf9b077b3f0

SHA512
fe99ce21614aef0a32923bb46e9e893a7c3a9b9d75cd441fb3ca883b0c533ce8eef2120bdc6c26d0be8073cbc8bdcbe6787baae40865a4af2749dd3d15adc8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\echo-strings.exe

Filesize
24.7MB

MD5
9c9ff6eecd063089c5f2d0d9ef92ccb7

SHA1
8600a6cce52c690ee0c295d67823562de393dfe2

SHA256
7b2b8696eb5ba65a7780eb7a8d22e374624796febc2b9d3219d673d3076a7f71

SHA512
e7cb91b0d2c8c1102d55d209562d73002b5ba1715cb78ebd51e9187e98735981d1bc9578bb784061afdb79d079ee639a08014d65836cb8882226f8872ff019e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\memory.exe

Filesize
25KB

MD5
d12ecf58a06d888f5d8d54aa28ece7ef

SHA1
6822e1a67a04f5c5e6c1b8986895bba996a83a0f

SHA256
ab1369fe925f98cc70d67b8270168dcd2ddba907a807ebbac126d20b2d71dfd7

SHA512
c3e29908f9007ba8cf5c59a9a3c25e8a2bef085b95bbc559843bef90fad916b9c0fa3f1b044d648c73d2d7bf8a1e56522524001c4d21932ae2d5629c5694ffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb1784.38606.rartemp\prodan\newmaceta.exe

Filesize
5.5MB

MD5
3b208fa38cdff42ec8afa2ced1b37bd3

SHA1
48b5b63bad13b1fb9af4459350c960d1765504bc

SHA256
0f9aa94769bfccce65feb2402909a2279621a975092648479a6855f2fc18d796

SHA512
49e2b8e0912b18e486870eaa6a582de423a7f628e3e7a56932a7dfa55929843a8bc1cd93420ec87cb2ebf976be27b96bab711c45c241e96e9551ee6f4a212d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\AppCrashView.cfg

Filesize
481B

MD5
e104b2c618aff4d4e1abc27c63f58e74

SHA1
093bc571b9a8e4eff94970fc76c01911546ff7d3

SHA256
f088d4195390de4514e56df2f1650b65c22032f335db97bf1ce3aa59a1f8d086

SHA512
e0235d90a4aadc715c164d94fc74dd1b92f84f164b8f0478583735719323bd5354c0abb895779e6f8f56c1be9860e9cb329f825113f55314cc2ded1b54839009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\AppCrashView.exe

Filesize
47KB

MD5
161ba0ccab0498af2efa706f138982c2

SHA1
faf6902fceab024797f3fbecc70123e41c79053c

SHA256
80c117c4d78882ae897c979cd3b478184573cadd83bc5f3c03b8c8a55ae8a5f2

SHA512
cfff4f8882576d9cc0675ca86b704faba5f8405ee647bb6dd7718b5c2ea98b4669c75fe57c6a08ccf98811efbeda23611e4be1d201fb2712224039a8c18934c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EXb4828.48999.rartemp\prodan\DebuggerFinder.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
35104266b521f4a94c0a925c89aeea67

SHA1
0df9b460fd2a495de27381b365c2b931eca0c74d

SHA256
be24c3b52a8bddcec8ccaf4aa3efdf3247fb0cea52d07f5a43618fdeed881a25

SHA512
aa938ec482c3aa44e8ef8aef711f5b4a00774d9230e2c670f166b498ed4d1ecdc23b3c21fbdf7a9b8db5a56e6cb7d35d9709c9e596ee65d6e8df55962bc76734

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
ecb800020f87f4312d4d6f035fb04c9d

SHA1
85d13fc956e85105fc62e00dbb6535f4fe742deb

SHA256
c5a76131d12b5ef3a27cf7bd773674a732c1ed4743204de8bb40edb538800ef7

SHA512
0c6d2a9a180ec3570f88a8f8eef33ba253b61517efc8c81ee17e04bec248939a2d586f7f40ecda329db59aa255d1930963d244462e6032dd3793ca4ea92ee860

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
980ddf41e84d58129cd088d0a878dbc4

SHA1
a3b2d9f17bc033ddca2c75b0b4b767ad0093b219

SHA256
a813ef2be4a1920ef39ffa2465362baa4664bfe1079f7a0875c43814e84b41a1

SHA512
7c636d0065d4e17c995ca1ebdefaaba3133d11659e5bec545b86e57745cb41a41f5ed8c3f957899605741e911eebd3c54efdc00307b710fb1265dd2d0743a242

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
4a7e8095c4373bc3f19f978af3aab3cf

SHA1
367944f502430bf60c542e12ce0d3c79c63b144f

SHA256
e0a52cc5b6c8ed08e3277e773937e3c2968a397c630e4131b296390be23d30d7

SHA512
54fc48561eb7032e1bb86e3b89bd8ced0bf42a017758ae5e4feabbc09cfb27a7277c09c325fef552223719a547aabb67b18fe68324007bff118450bffa6fe486

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
328B

MD5
bfdaeb2efc3ac9db7e73489c032bc4eb

SHA1
783e51cea6a9d421fdaca21eb73ba7d8da1fa163

SHA256
b191eb1fbe7e74a92feff606698f69f992f41e1eba6a9eb457cb9d4a3a963aa2

SHA512
5b5dd7237a09a584fb1be833cc426c5e3bab4fa7e325ac697c8b50df8282fdcf682656c61dd4f9f6ff28d0fe3d41c2e5e951db6f4288d2c1defd0d800d688f6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
229B

MD5
e66787353fe13d974f200081778ae803

SHA1
8758067ec317de21eeb1ded166bcb31d38a6dbb1

SHA256
b4aa7b3da5a32dec327817ebbf4f29372449e2650b8d10acf6e9958628cbc67a

SHA512
21173be66533f0d60e3ba3ee7e21536310f2aaa73cec2986eda11a2d2d6736ddd53c533eca541f51d0db0386daa78221ca207811fcba616abb088314701bf7fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
252B

MD5
f10a8c5f6da7f81d57f1d91a294814f2

SHA1
831792d10462e63f20c6d40fcbfd45d3194cb1ac

SHA256
ff6e49172d07bce0218b8962e3715e2c39e8a3176cfe4d5429d76032ed7c96d7

SHA512
a0da0e539b8eceef5801e39604f30390f477205f73708843a23d26f0942f3327b3dea0e508db64eec2f62836da4e7a3f89aca64857c4690fab1fef02ac95170f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
265B

MD5
a98d2945b7d398edd6719c8ab4e2466a

SHA1
ee05a319f8cc00e2cb722c31e29040215c970353

SHA256
07796a0698c09892e15665a2f0fe1ebe5526bea15dfcdca9d73fa2caeff62a79

SHA512
270fd92cd58892bf2b98d46b59c6f19373e58f161a3f9383359a65117e5312aebf3781f078e1d16c310a54fe0b59912d2ac6432260ba332d99fe37a4ec4d434c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
e7559ba183109ca74cb5eafabbb6e2f4

SHA1
ff032068a0b7def68ab44f5bfae3fcec7ba6d2de

SHA256
b8199e9ba9b24f30489bab4a6fb7d934bbf94aaf030ab3dc62c331d279f581b5

SHA512
5860286252d8cc061a7f4a44d1cff5160ad96d1c6161ed4bd62c7fc83dfcee5567530689d9edeab18b1c3e672bdd1b70f6a385a4f0dfda1b989691bd02f9f8ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
47d27a2538b27492e39f0566ce967835

SHA1
556d03c7a8dc074ae8b0b6dffeb31e8b579f3a65

SHA256
031a065c0785fe8e5c24a6cfe8a525a42efbcc9c6197f2ccee8eccc6dabba815

SHA512
b84e7643de73bb2607c1448eddeee47485926fbd2f3c498651b8af8820c28aab903f1f8e4f699facb3accf899e4406d43f2fe42324a16773df60b45c668e181f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
95092b6cc1cd6243a54d1e0f35e3e85e

SHA1
cc42cd711bf0ad29037fb8ab89a9f7a7175688db

SHA256
deb8cf9e4aec1619e4b639f1c0a6ed850f03fd768570d5d98984bf90a2298ab1

SHA512
4bbfc885360d23003c88a4d3c56c918f51e80927d712ea752dd9d372e15de434e1e266a5eb23b91daaaf46ba2064ed3b35d0ec4240dceb1dbd017a097df50d10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
3bcd3af0b50d7ec85d4c17356fce0253

SHA1
daea9e07856dc74153921583660ecb09c267cded

SHA256
9dc9022c86d0c0a46134e0e9e9b3a31ac8b6f8d3492d659b23cef47846356aa1

SHA512
04b36065ab7998a1a1000141b1e0de08f05178645932236179d300e329fd1065e2d4c0b0ec18d170d59135ea9d7433a55037866e1803573e4d488addb2b2d21d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\AlternateServices.bin

Filesize
26KB

MD5
645beee09df73cef3e322ce3983a8c95

SHA1
faec0287a561808471a605dcf53d12a16914ed45

SHA256
9219b755341ff10a286ae5c8a12b067af93e753179c7d183ca03a4747d19fdf0

SHA512
884146ff810711947861d2298650eadf5f0fd50567acd96454fddc8c9a683923842e70f9b1da9ae5785c494e931edb14949edae7bfb663625590e231762418c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\AlternateServices.bin

Filesize
8KB

MD5
1c2dd9e2a9476ae0561a787c92bdcbd2

SHA1
1c203f89fab74b3f2014aea3f6d5fffba31dfcc7

SHA256
186e1deffe58895fa0754aeb75ff635ee8b0e444a45f8289d23013e08b4ac818

SHA512
2ce7d640a9498590454713b1d7dd69f2d7eb77fdefccc738bca9eec4787acefda5b83b39db33a6b1f4fbbdf72d313e83688d8f56e663f8945c38981641277554

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\bookmarkbackups\bookmarks-2025-01-28_11_UWLYGAu2J5+eiXz5J+S00g==.jsonlz4

Filesize
1009B

MD5
0a9065467e98e0fa6b206fd40e3ef897

SHA1
03faa82330a398a57874aeebcbd696b2d6974dab

SHA256
54554ae1154cb06782154336bf51826f77bbe57fd98010c48a944bb146c0133a

SHA512
149c6a0cac3abe84b31198f5b3b302bd2a3e433e41c524327c9a7510900506f550bed2216b1b06cf7f791680f4bdd999dc49d895566916a46c469e362245ce0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
9ff946c6cfb259f3f1d21b799bfdbba5

SHA1
2f7bca57bdddda913a9fa75412aeb8e05f0940a2

SHA256
79a4bec3da7c70ba7d93fffeba3889847ee5665d841f05ff0397cef117867fb1

SHA512
90b593b0847ec2cde5d6b22d8e2151e32a86819d9231b31cbaf66a69eee39601b1fa36ed17e46ab66ff13f1f407170b0bcfcdb3cf95e53f2942ee5aace77d58d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
95KB

MD5
73f546e41f79bc83e7d1bd127ae8173e

SHA1
2ae003b4a377de06928a0550fb766bbea7a8d031

SHA256
5345c273dd6034d6bee04a7c522bedfd0d8ca3595a813d5fd6a5dde6ebf43b3e

SHA512
2ea561793a2e72eecb3cad356844d48267d639a862e499b7cc204f4d57a53a3103636baffc4b6715b270c19b3cd12d77785a9864df4bfecc65e5bfd8fe01751c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
96KB

MD5
232f3c1ecc23af7f95e9549c2877bd11

SHA1
179782bb221666b4eac272af3fc9898b075170a0

SHA256
3f8752dc419aacc90a3a3060c8ef1931f3eb572490b8a38d28807eb70abb11ed

SHA512
78765167cf4f0291999773b6149af11460a197cfbdc49652ab01050a3cea935970a5204564b04aa58726b776b97b5e2e0b6809663d539128c2642255dffe263c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
100KB

MD5
1773c88d88395d06580268bdf890b8e3

SHA1
4ebc69daacca9b349ee43dc252ad4aa83f6ceceb

SHA256
c123f149c90591ed980f7c2c58f822d3d5919cfcd79d3708580db72dead4d90c

SHA512
2c3100f53adb46d31cefe2417299d57d9254e9b1ec24c76dc8d21e035bcec8406a59c9221b5221fea9c9b873a36c3fa679ad3d9663445ca86e3d6e4cf4af940d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
695075db092c96bcc5cc9ed85a9b5b33

SHA1
5aed91c7a3bfbab44e54111ff5e1095222214961

SHA256
2e1ad2b82b91755d96150993fda785bf97d6803773110e7689dd7577edcc793e

SHA512
72540878028116fd0fec030ef2806f35fefea77ef60842dd7330aab3afa6eaaa7c10ca50d1c9c36c4a967773cefdc85fd4131fa98efc3eb141dae29c3db2f009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
60KB

MD5
d9b78ac43c92b1db478b6820ff0d3a4c

SHA1
9606091c71230fc8e7b1ceaf142d26b001c05817

SHA256
3f7c792a65962c7c9df25c12a7a3b781b833d3b99133da29b50e39d211de1a1a

SHA512
52ba14207ba9393bf8c269a14fe0cbf3b33624a563790558614537994dfc9570f47d6e7ad32173f0ae262bc505b143a5ae15801ce9cf70f56ceedec5334b3d3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\pending_pings\924e5438-47cd-4467-b569-b3bd2991ee52

Filesize
659B

MD5
49a9e2304d1ee8581cdc9e32e5108704

SHA1
b0fd2e23cc8edd790180acc010417f6a59620dc5

SHA256
0e005f4e8a512b8b4d5b21eeffab357b87fc3138832135a58b969de7d88738ae

SHA512
34b45486e6a73b976cbbb73af13ed368f7af46feded6d5dee20041d5055f8c6d2d045a6e7555571d2b02a9dda3710b9bbffc33f851a8a7ef3eeb9243c6765320

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\datareporting\glean\pending_pings\f8a701a4-6d8b-4e9a-b583-0c25b78f0950

Filesize
982B

MD5
6fa37d6f5906d152b6835ab12323b71f

SHA1
0ff49485762fec779ac041095ab4d02484326656

SHA256
ca667dde8dca7f669a26b54d186742a4fd04097a2e91b5be7aa6bd751fe9bdba

SHA512
82ce8a79c1f24b76b74be7c102fd30b6f035cc75d65b49f84fc4779ca937d4cef7d44b5e5a749a54021270ac2b745dbff6f885a2d6eb06c04493ea6688eca35e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\favicons.sqlite-wal

Filesize
64KB

MD5
3d7f9b5c50eda2b8073cd1dac5d507b4

SHA1
2d91c923d2b2999627949f4c00080c87054ed26a

SHA256
ebb861870177e5e475cb4dea0ba031a74676dbd6f8567f1371b3ec602c30ba12

SHA512
6d41c671896aae85edafab659f72b2f51cabcb77dd851cbdcfccf61a95a8bc99ca81c93ebfd23aaa7ca964ac34c491d8692a241bf69ca16a1e47d5eb8a7a1ba6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\places.sqlite

Filesize
5.0MB

MD5
59fb21d349841b4bb4425b911d89b447

SHA1
76101c725814a712efe67bf5cb9bbe55500e1895

SHA256
035ed996cd0403fa907ae51d3155cf49cbe16b1e76be647c9be6f6b6d6e8d24b

SHA512
bd06c24651ca9cf63ff3b01d64737f98c6a40bea2d37206bd51d7dd3dfecee192c5e748a67d4d8cd8933b28dd346256ae91c1691945d4a6a839bc99769720b46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\prefs-1.js

Filesize
11KB

MD5
ef7e1a11f9918e9867b950033c0582e0

SHA1
ebf5e0c030ff6a11e9aec4a0c92a0ffe29263d9f

SHA256
0e0f4f082f79012d8352b4dec0e134c137d940bc51a62e18b69c89ad4351d2bf

SHA512
d7bdf84c76a06d2fb2b042bcfb9b92dfeea680f2f667b5a171ecc6fa0b947f40847dff0d41180dbed256d97811bfc25a9f50d5b505d1db648dd64edb87205685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\prefs-1.js

Filesize
11KB

MD5
e9f540048e125b85fd11a20fb0feace8

SHA1
c6996ee4c399876b7f94174220439687b5202ad6

SHA256
80604772e3aaee1a741a5e4212eab95beba05412f49340dddbd051da3b356288

SHA512
c93e46dd8216dbfc75216314d12c04791ad1287bb404602e636acd169816bfe5fbe7668404a46b7a5c69bcb28f9785fe07fd1550340c413c3e28000be9ca26cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\prefs-1.js

Filesize
9KB

MD5
dcc1a420be326c7e8b7725420bdf45a0

SHA1
3afaa00649aa15c588dc5ee005e9010bd9d52c4e

SHA256
49af2dcecd77f447119ca787de4d38b4793df1773010a0ed3b97b28ef0ff679e

SHA512
6afaa9900dcf0f8a329aca7cbe138be0d165e73cd0d650971593744258dc4f51a868f0706f0b538025e4792da7b74a278e0c3126b37ba31b3517f734a3162f29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\prefs.js

Filesize
9KB

MD5
daae6e2970eddb88da689a6e2feed157

SHA1
3ceac900cc897c5aa1af9a7eab9075c6296459e9

SHA256
92faca71667237d3c9daf923480708894277ec99e685b0690aea2497a4a312bd

SHA512
7335faa0f3e6ad289e7b4f357a711ada85f231aa0881258d53da7d3b9a4727a9e957fae714779b427f186db22bc5936e18147bc9ef23a20fdebd7c4d394a1fef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\prefs.js

Filesize
10KB

MD5
c42d474844d0d75622cc99f2e80dbf93

SHA1
1126ee1a22304abe2d419a997fd20b70ac032fbc

SHA256
feed70c5167296ff7a86c0cda4199d7c14b6faba4fdff236e961234fd616c961

SHA512
4a2524e71d7754c410d7a4dceb008d2b7b84f8bfb33149f7a1689da56a105e7e1a13fe6f18a22de29e1e477b28906c4805f5284f6de4e94de5b6456205eab49f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f8bd8802bcfe7617985779d459bf3ae6

SHA1
58d5aec8ac51fd150589002f567c214a4ca8a768

SHA256
37192cda79a452610927b07abba77dbea52320cdff0395314c5bad64887ba746

SHA512
0c4f4d0376856242f770cd218537f7a01c6bf3e7a3e4a16bf04d455596fa7693b39399872ca103589e392ad95a3d6c725a2157adfedd079995adc9b110493c44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
27KB

MD5
961704f2714e895ffd229eb7fc41f396

SHA1
e6ae16966919db7c7247ade996d80e4ae5155bde

SHA256
91b3dec3d1702d0bc64f92f5ade3337f642e9443e8f1ee46ea8c4c4647a7852c

SHA512
803c443666c25a70699a68586965e753396ccfaed4d42aea63216c93e23fdc5d50b80c50061be78a77a737d5f77c84c4070b0c17785f541c825c90fe0e0f690e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
27KB

MD5
531f8cd24261cb227ef0852d41a6441a

SHA1
a1f32f98529c07fb95ebc449336440fc780f8802

SHA256
d97338ea89f4638b323e6be2b4684ffeb4e2493cea77d8576968ef95f46270e9

SHA512
277b2542e39ee25e651d6f511ae542b9b8951a6ed2698bd192c7a8a4e79afe8d90af9fa43f097b2b658918a856b66db915e167424e2b75ca40e7748eeea7faa8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
28KB

MD5
be0f0ffbc0841a6c836c5b67967f155c

SHA1
8b6b5806cf9f2b0da16df526c93af81fd99bc5ca

SHA256
5bdf87687a10eaf0e0c31f33546e60898df52d894b35050ff4e05a8238703cf1

SHA512
ddcf28e58f2c95a770fd21b2d6225e7267650e99077c4e0dfecdd8fe5fc02aa0069071fedc95e510113914f243059667a6e4ae09bac8d15632302bdfb4850be6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
28KB

MD5
db00181ebc31e20766b2e2c40be02b57

SHA1
8a18c77d9dfc50c45918e791b8785cbf8ca7baa4

SHA256
1caba3d9086e1272b7774f830451b802674298ab6377bdeb29843185eeda7bae

SHA512
f3da6922f27c636df8805012c6e9aef80f0279dfe4bda04b8f12b268af9642d5a8a16217d85463ec9f33824471cb8056b69b5ad734cbb590cb586335cfc12346

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
5bb05918f8ad688dd6d21c9a732e60a0

SHA1
94c4f950c063c46faca65c954751cfaf31beb8bd

SHA256
3690bc66b0c106af3bf2c6776ec23034537440e5feceb9781938e8a2fe2f7aa4

SHA512
5ba709c992aee5bc675b250998419f2dd926e3e7f1242b909790b4426091e3c72a2c1d6ec85ec513edc21a2a0c504813de57dcb0b7d5cd5ca3c21c1f1f637428

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
30KB

MD5
99ecc0e696e994b25052faca73b9d88e

SHA1
a88971c9fdef5b4fdcedd9be6b028a3ed0ae8397

SHA256
ee91ccaa4a5afa88e4b2026273bcee104c86087f55b37fef11ad07a76be06d2c

SHA512
831825a1abbe86b32ca30714a22932716254dcc5c7d59c2238849164296c8fb39311484c7bd15c3510ff936b5c11fc5085dccb74a9f45033a394e849cbfa4c40

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\sessionstore-backups\recovery.baklz4

Filesize
28KB

MD5
ab3e539ffc29c6f2cdd609eebc31d7d5

SHA1
b1dcb8c794e41221b7e4467cc570b837e3439d02

SHA256
b70eb023fceaa11973a9121e2cbbc192dcac9d4eca05135e0dfdad9f515e062d

SHA512
bfca7ed3235059748532f6a6530bc5cc479b8cd3ca1eafc1b9ad30120e0ba1535106d025196ec14047d3b6fc15e96012f5759c21e07a22e177c829692ad11ee3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3n2hkb1.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
656KB

MD5
f7837f4fb3bec4a5a85efe0017e259ac

SHA1
c15762de4ba38c2e98081acb0fa2de91bfdb5000

SHA256
e87762b6dd3232dcc4bdf5409dc667c87381b19957961660a80c233ab7d60dd4

SHA512
5354b4730eb4826a62f14d62a1ea6831c5ec07189fdde0102457c22181bc742382120fa884aa5738b8a23932f1843b6489f57232d9a3fdd9de4694e441cd5d35

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
4bd7de4ae1e3418f9e47ef0bf968e7b4

SHA1
7381442429544d31bd3e370402256bf470e6c717

SHA256
c22e429d8347a25fbc514e971fc32b2b3dd592143ea7db6ebe3bec9bdf0d2ee9

SHA512
8bb6e6db9b9ff3571f351a6b7f422e284efcb8acdff8b61d3d528a1dc3fd9d86f5f5bfa9f54094c68c35ca911ca1b62a3fc2b5630a3c56dce636c102cd40207c

Download Submit
C:\Users\Admin\Downloads\WinRAR.Xt8XxoM2.exe.part

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
memory/1988-1565-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-1582-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3136-21-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/3136-467-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/3136-40-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-13-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-18-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-17-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-3-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-0-0x00000000006D4000-0x0000000000FFE000-memory.dmp

Filesize
9.2MB

Download
memory/4008-1-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-90-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4008-91-0x00000000006D4000-0x0000000000FFE000-memory.dmp

Filesize
9.2MB

Download
memory/4428-19-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4428-465-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4428-399-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download
memory/4428-58-0x00000000006D0000-0x0000000001305000-memory.dmp

Filesize
12.2MB

Download