c50bfe8359f6673970f1c3f810418c79bb01e8c95491c7be8e38f9ebe53a443e

Analysis

max time kernel
207s
max time network
212s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XToolUnlock.zip
Size

30.9MB
MD5

b06d5213d4ff33e2479c7513cc69c52c
SHA1

c734d32e41acc3a24e78ed8bd39738857b9b5c76
SHA256

c50bfe8359f6673970f1c3f810418c79bb01e8c95491c7be8e38f9ebe53a443e
SHA512

f5d46f2b86f243bc5f97496ab0f68844c81fff3ba08082fe82531dc44ea9ead067e5728a8cbb9936c68ec4ef1183d1f2fd7800792369689a5d0fae37ecf08d9c
SSDEEP

786432:XgXoEOoXLbBiJLAj2SzZTYGWN7WFQT/Az43eowDgzZHc:/hO4JLGXYBBT043e8c

Score

8^/10

defense_evasion

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	5024	firefox.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	winrar-x64-711d.exe
1728	winrar-x64-711d.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-711d.exe:Zone.Identifier	firefox.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-711d.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1512	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	firefox.exe
Token: SeDebugPrivilege	5024	firefox.exe
Token: SeDebugPrivilege	3404	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
1920	WindowsTerminal.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5024	firefox.exe
5024	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4864	MiniSearchHost.exe
3608	OpenWith.exe
3608	OpenWith.exe
3608	OpenWith.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
2360	winrar-x64-711d.exe
2360	winrar-x64-711d.exe
2360	winrar-x64-711d.exe
1728	winrar-x64-711d.exe
1728	winrar-x64-711d.exe
1728	winrar-x64-711d.exe
1920	WindowsTerminal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 3952 wrote to memory of 5024	3952	firefox.exe	97
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 4400	5024	firefox.exe	98
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99
PID 5024 wrote to memory of 3600	5024	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XToolUnlock.zip
1⤵
PID:3460

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4816

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_XToolUnlock.zip\Manual.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1980 -prefsLen 27097 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2060 -initialChannelId {d3d66bcc-f233-4131-9121-e94297e7b356} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:4400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2420 -prefsLen 27133 -prefMapHandle 2424 -prefMapSize 270279 -ipcHandle 2328 -initialChannelId {edba239b-b544-40ae-a967-c3bac6b611c7} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:3600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3820 -prefsLen 27274 -prefMapHandle 3824 -prefMapSize 270279 -jsInitHandle 3828 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3832 -initialChannelId {bf04acad-4d3e-45d7-8e66-b1422239ec90} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4012 -prefsLen 27274 -prefMapHandle 4016 -prefMapSize 270279 -ipcHandle 4088 -initialChannelId {4cd9af8c-b0f4-4dc2-8dd2-4bed36d43763} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:3604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3252 -prefsLen 34773 -prefMapHandle 3156 -prefMapSize 270279 -jsInitHandle 3160 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2836 -initialChannelId {8e612849-371e-41e1-97a2-bae2ee3210f0} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5016 -prefsLen 34957 -prefMapHandle 5020 -prefMapSize 270279 -ipcHandle 2580 -initialChannelId {29a3fea1-4eac-4105-98ca-276838affad0} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5568 -prefsLen 32978 -prefMapHandle 5580 -prefMapSize 270279 -jsInitHandle 5584 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5592 -initialChannelId {9ca7e877-24d4-4487-afbc-f91db051c011} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5744 -prefsLen 32978 -prefMapHandle 5748 -prefMapSize 270279 -jsInitHandle 5752 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5760 -initialChannelId {2be61e96-630f-4b7f-a2e7-24f5f475ec05} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5932 -prefsLen 32978 -prefMapHandle 5936 -prefMapSize 270279 -jsInitHandle 5940 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5948 -initialChannelId {4aa82a7b-3a80-4b5a-88db-9c6f89f427d1} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2800 -prefsLen 33073 -prefMapHandle 5560 -prefMapSize 270279 -jsInitHandle 6364 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6372 -initialChannelId {403489e8-0030-4d74-ab40-e37e64a36e2c} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3340
- - C:\Users\Admin\Downloads\winrar-x64-711d.exe
    "C:\Users\Admin\Downloads\winrar-x64-711d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1420 -prefsLen 36625 -prefMapHandle 440 -prefMapSize 270279 -jsInitHandle 7896 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7788 -initialChannelId {dd534635-bb11-4353-810f-689e453a77e5} -parentPid 5024 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5024" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:5088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:1668

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e1e212aeacdf4a33a2103295fac34068 /t 4432 /p 2360
1⤵
PID:5648

C:\Users\Admin\Downloads\winrar-x64-711d.exe
"C:\Users\Admin\Downloads\winrar-x64-711d.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\bf5e92f7b7a94ebf829a21dbcae66f72 /t 5448 /p 1728
1⤵
PID:2824

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wt.exe"
1⤵
PID:5004
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1920
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:5056
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa30 --server 0xa2c
    3⤵
    PID:3328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zr0euw58.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
8cfc2fd5c0ff2eb85fdc0305fccf9613

SHA1
9819cc05b71da4405aa0105c1f21ba8ed556f1a9

SHA256
07cf396d0afa4ecf3923275145b42229480d541d7a55438306cf4ca51522afaa

SHA512
c62f4c76933d499a29061ef382ddb188c4f4876c11d867ee70a3964d752470f560d80499b1b21ac8daa7efae607cb00925ec7eca2a3aa6d091cb2769f7af39aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zr0euw58.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
0f4e22d7b628c04f5e77e197f8272a42

SHA1
befe199fbd1d5562fa49ae78651bbff5437bdd4b

SHA256
079f8044e22dc04592bb584ef33032a1a3fdc9295ea6e1b9e95dd082957ee022

SHA512
2070967e774fc8274628c5f5ae59459b0f52e6db9a5f568a5433e75c208a1a9dcd0ea918f5386f249f4cb141dba4994296a7d64fb789bd3814245ac7c5823b59

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zr0euw58.default-release\thumbnails\09320a67a1d06270f4b057e5400ba12b.png

Filesize
20KB

MD5
1561d66eea8dd9040b83afe854bcc3bf

SHA1
b6bc85f71cb35982fc2c75742ce152399f0067a7

SHA256
598fa02ed54150af58087fd68d482e5a2a2d3edfc74a717e70ddb1dd82a8a129

SHA512
7d8e439eda4a7be3215127390c5d77eb7ca15fc1670a744aa8cdaf50bb2cbec00aaa11c63ea44ca5fb4a428c1a0b1d7b40bee7ee576f78a2d90ce19153d43050

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2b974382-e304-44b8-95b2-45f5fb04a50e.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
4d3c3d9ad00895d9426cf59dec06a7b4

SHA1
4bb8d8be9b20d53fac4ea12fa0bf446b6270debb

SHA256
07e2476928c94105eec0ec8b10925e0f26b7eea9bd5d65d0ff960d1022d85281

SHA512
0ad7c544c1c4b2d9d9169a8b60ab32b44d5cb43488a5f2486108480f6f17b2c5e7dc00cb75e14cbf148c138876552ec57b401ff16e755bdd92bb8b77c715bec2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
f89a0dd4ee4929eb62b12c3abed24775

SHA1
1eea9d8c1aa2d753ba7fd3fdbf06cd2df3e69ae6

SHA256
3163a399cd9c4930c1440dd87c314a2644c10b772a0172035c61da7570337f67

SHA512
2f130544997993d5269246a5f443649aaebc0ecdf727e469a394255858b265bcec6368caeed64f3b1355046f3e1fa996013c558c4c2f732d953317604ead7fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgo3re54.dle.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\AlternateServices.bin

Filesize
8KB

MD5
2bfb6b43aa57e23ffd9dd608e5e85587

SHA1
7d0902fc20af4540b7a78f52f97eee9ccde10419

SHA256
43c2edcfe77f7bd890caf3f605145b171a5a980be12fedd6d2099f18b6a61222

SHA512
fc4c5782bd39f7bf5c65900469e8b2b310e0f4b560aed4a4c0fc6fe0614ea4900b801f480fb348dd4f5daee0a501319684cb3fe6e8b220081f8107b808c0e512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
014e402daa747171920f7f0b7b499e19

SHA1
e619881454abbf7629bd2cf0e097378df846186a

SHA256
8dcc544ddabc5c6b287ae42410d3463e5116d252ea2a9498ef4b4c5ca5389b43

SHA512
2c2e66e4e14c114625ac304f148d52aa4869411fe5078f9778c188aec7b674a0ed656fb4487996e05627763acca9a4558bcfc0df9068b285e0df3fc1c79560ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
0d3f4ae1d7333d10e3a09672785b7fe3

SHA1
3cfe5a8d680113925047acb6742a3994e7ce10d2

SHA256
6eb7646c6018819208804fa91c9184d132ea4adff94084291f038f2e649a2e8c

SHA512
d9650d9589fbde662025ba985f4b90d02b7f719c3a9f5d3028fa8f1f0a4cc6670fb20ed3aeca9ec3e3baa894d9fcf77a736e05f76d971188b94578586f6f22a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
bee8ef8b8deb9ce9c7d8e16f018885a0

SHA1
763cbc903fcd3e4443954b978702aefa2c18109b

SHA256
74fe3a42bdc140091a3f5e63f770fe14d5ac6d9dae48ecc9564ef364fabf4cd0

SHA512
33b970833d2d11c2fcd4c0dca03413abaf09ba356045bddaeea8b5e46d08320145f9ca0e98f3e2cb738ed417582e2329ab1eecdfcfc4070b4e1cea448f65ae8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
64b24ea6615350446f3b2e87525e2a4c

SHA1
3634f4206a4a474f788012094c243318e6ea5681

SHA256
db1ff38585a1fc22991d2358aaf63ae5206a710121af8c5100ceb5bb271fa6dd

SHA512
ea60cb6413088e17e1b72d217dc6759610831046808daeaae816d48f0ffc42b339b3e9beb8774b83d24d182a4a0bd60558acfb50a61e6f85ee6360a3277f5192

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
73754fb13a4248c5947902000a43f9de

SHA1
71f64c5d03fb4fbb6f2c5bb5042cb70a4b2bcf36

SHA256
0f2188d87ea57aec193fe400f39d302a5055cc87081f747c9a9087a626cb007f

SHA512
c324e706c051b8c2694e7decba7b17bc3ffe29d90de7b9a7ad4961fe7bb3b0eb666d0b15450324a70eefdb905940bbe12169297dd846219d557015cc9a545bd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\2fc0056f-9578-4f75-9fba-bf37742335ba

Filesize
235B

MD5
f190f49caed2c38e0132f4a9cc1b23e3

SHA1
f869a4e171e5d0b0e0b0c0d3373f81c9dd29bb19

SHA256
1b380bfa780854546fc1e26d3ca419e652e521a1d6183b0754de9166becb5c62

SHA512
ba3a00a09ded18beb190f2d0ea7a89ead0fea8b763cbafd28ab44ebb6e15f05b3fe8e59da53d09ede42e215a609bd82f55acb696f46502ad8175b32410ca9506

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\630fcd75-1aff-4ee4-bbdf-32d610f6a129

Filesize
2KB

MD5
1f5a7ebe1ae9d7ee4fc2282db8fc9233

SHA1
69dc5addd8d181e1001c35cb6b0386b87e4e0c5e

SHA256
2feb007997207428fe5c5508a8f6babb43ba3234bf4106417019a98eac2a962d

SHA512
043fd34fd9c29d562d4b40ca67fc0614483364dec6525b8edb56acfa44f566f2ec82e35927d19a7194f5eaeaa6c7e400a2dd5bb64693d4b12bdde48b9ea00607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\c27be508-fa2b-4334-a33b-24949238150a

Filesize
883B

MD5
f5876cd40b28815dc1d4bd780b0ac949

SHA1
5bfedf0d4bd8df77ee4a719bd3546d366883bf53

SHA256
8b97c018b7043bccbf3a3b12f0698b561729f0c2705df1c583490fac70dffb89

SHA512
4d0110b783c78f51604b69dd19637dd7a7af77b392bfc1856f7088a881eeefc00b273813e298addde4fe656d226689640d935f20e87c37600ca0b9dd079100c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\d4603075-8818-4c05-b986-61664a6690bb

Filesize
235B

MD5
bbe9617e1f55bf76cdbe8da77350ebcb

SHA1
e38a8b001006b4b17d0f9dad42fcc529c1cbf562

SHA256
23adf9405764a2ac72bfe839a7eb022d72c8e6567d02d29a933c87509f7f966d

SHA512
142ab914e3913323c4e1667240fa1459ccd895a72958418c6c11adf7d1a9be0eb9525d979dabe2ec5664675a4906293701d85b7d000c61997419eeeccd62e1cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\e39edcb7-0b8f-442e-8a2e-db8106d3d10a

Filesize
16KB

MD5
f16c30bcd8af2b08d1320b843416f97f

SHA1
cff37c9280a542f12c5e8651b5755428cb874d0e

SHA256
09ec6c524a077856be0a3eadd82d399f3c27711514ab238543411aed6f544eb4

SHA512
4970986dfe3a262130de1f2671d138aef1fb0a210a485ddaea8a7bacb0eaa525e367db724b01c62a071db8e6e4be1667f1d3129c9b9a6d03774df3d68c691fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\datareporting\glean\pending_pings\f74af4ce-7e00-4f37-8e9b-61a9477e9c47

Filesize
886B

MD5
01c057fa40ef8da01a050e584de9abc8

SHA1
60491ff3eb5cacf15d209daa2b82ae9885e0f7c0

SHA256
1d3fcf912033eb05353e77d1fcdce5b346cd1df8f6c57960ecc3e8ff1182a541

SHA512
f9066409600580795e0f372fee0c901749f579692bc53839bc6438b97290c2e218df3cbf220e02d748c4951d4d9c8d877a94e70ffa61afeca78f5a59ad762faa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\extensions.json

Filesize
16KB

MD5
42b1b1c2acf96a2dc6368df6186e1c1d

SHA1
4831b01b96230e8ade08a41ad2e51fb03f77fbba

SHA256
89393d01703a9c0eba692e345c4082b0f1347e3f686dbf058b39563d23f0fe40

SHA512
88ae1e3f49bb5989ea6171d27021db891e59ab74c5141cb77f8259fbdb41c4b884cd914b69ddb0ee54f643b0e7aab3226aaa6eb120605ce5b17e06a643c1b0ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\prefs-1.js

Filesize
6KB

MD5
f421b486ec2820b84125ce32d1978758

SHA1
8776d60e3854c329a60e76e16f4dac823a8d01c6

SHA256
60d2724abc8ce104ef7dd455d991459629f5630317132216677dad42a2f7ab1f

SHA512
e339ed5de466e8be2e0dff68dd937874ad525c319c8f6a14861a9b4530950c1947ce4b7722cb26923ff05cc4477a52bc6b794fd1108adb4a30d9c16ef40e3b84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\prefs-1.js

Filesize
8KB

MD5
15d4438f470e8f3c5b9fb9da13e68052

SHA1
43514266cba4a71da0f9c1899c2362d8c1994bca

SHA256
6e69308ed90c4d439239669d773042d438c27bd59292167c30da71e42c59dde2

SHA512
fac0a17cda93fdd22a6bd6fb037d867d9b1e4699a7d5e77ce0e9c7a3ceea6fd07de9e339a60e25f03cdd1db01b814490dad5d10e0ef17ca6e7c6723531d116d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\prefs.js

Filesize
6KB

MD5
91cac252ac1069ffe35ac80e6486a0da

SHA1
eaf703888ad673aab2b73b69a9bf747b8bfecfff

SHA256
adfce5880fc9e455a7e2c1b4d2d0358c856110d15cf1a978073e7843093f3eac

SHA512
02b12a7f2d24c6545bb2dafc8ce6bef0e2f9ccd8ac59f54404f55749c261b461a606cbf3793e7dc2107c37c0ebeb9abf4a7f86ac7073593caa1d3012ea7da36d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\prefs.js

Filesize
7KB

MD5
a82ea50abdcf15d29cb6a030036b4f88

SHA1
b14ab51b75b957d70b1276e8c9c1b72787048e99

SHA256
51dacc2c95698351521a082cb798dc8aa0a97e4baccef2b9290cc5f81a91e8a0

SHA512
6f4157b65c68493d6902b14eda1e0544077e1f8ad6659cefec47a72af844be0acb393297428bbedb4a52d1bb115c4a2e2780e55316e97e6cd1de53df01ca947c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
65b30e36005f17438cb6c6af2228d097

SHA1
424b8f6d8e178c9e567e3a323be7f15eb41b8c50

SHA256
2a8d3a6d27664043ebca0916ea987f27c0f17fa9b107a1f94b51b0a7675ba15b

SHA512
c445bf3c24d6a58cecb3b2d6f1b1e399791aeb81ac8e75cc2164584dfb60379df553be2fedc4139764996e8e93c076d14429464975983941a26013528c090da6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
e53f48a785a8874333862de990fdd0b6

SHA1
716e9368b9ff709aa58f4ec4527944a20eef3f07

SHA256
d9bc11a63705177b070f19c10c848acd9d64a738c2b742f4f7c242686d4854c1

SHA512
15446da056b5cd5a27b6722e60bc70058efdf2a7ce6d29ca88464e54c9150e703c11cb0ecc2394445fa02773727afb6d9b2713409c346d7a61659d264f001126

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
9e4b75c54f88546c9274279148841c0f

SHA1
a976fde7a7ff3fa1442d3d7cc1fa56a5f077263d

SHA256
3bb9a809901d6d1df7f9ff4ec687ceb9dcba176ee54321c646c5e501e3ca8f87

SHA512
8d2dd756b73c74c56aa944da6bb3e160a7e6f201f80fefbdff6a71a83b7c7eb5666b1abed69c8f49bb84080cd99afdf91dbdcf003dd7d698a90076443d25a145

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.9MB

MD5
118104d6c75fbdbd2d87fc8327d5b137

SHA1
e433a1581ce25812e2bad06cc92997c1b68153f9

SHA256
9a36c5eb79567dd5c40ab556a99291d5fe38d92f9d4ace7015b1138347c4fc34

SHA512
cd6cfe0a7ed20f483dd82f865a1b9d91635b5c2548168d98a3ee7880cec6dd49cb7ec4b691e88a5fa5078658f5fb3bca351b70ca42f0c936c2c789deaef4d681

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zr0euw58.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
86c2165d2e70e088490942b631a3c9af

SHA1
6a71ebca1b99879b3bd104d134f95b7f480b67e1

SHA256
823febb438e302dfffc1a67b0d6062571d1b42ef41dfc25210779949bef7a685

SHA512
e50c802e85c1f0c4822ff58060125509f647d4e25c00349d2e641ccd92e12fba9fcc3df6a19605d4c1eb4789712f45b803f5616ded57edc9139e351af6082ba0

Download Submit
C:\Users\Admin\Downloads\winrar-x64-711d.5vIB5ueW.exe.part

Filesize
3.7MB

MD5
ea877694cd1a0a44f64272407f7c44a0

SHA1
1d193042115b45ee4cb46130fe79c546abb0a54b

SHA256
f57e3f290ef6edb4363e207c1cb52447b5bcb3f3b74bfbab07a1db8d19745c8d

SHA512
762b89b678558f554e6df0e7672d72f47aefb705408016d195575e265cc76380264cfc787de26580447bf774fe4bc4450d3ec67d04019fe41f9841686f27c89a

Download Submit
C:\Users\Admin\Downloads\winrar-x64-711d.exe:Zone.Identifier

Filesize
150B

MD5
23b3a1f9ca1f4e28117a65ad336831ad

SHA1
3f6b8f2e250e99ef1b604d3d598bbc5521b370be

SHA256
d8ecf84bac0cb626946c9801a199097c78f4fb17cc0b37da2b1c2b71b931cc31

SHA512
83e35c3523f6bb0e3d73e3433d149cf52a7f1199b3ecabff5e27f6e06ba8dd3e77b828fdcb5e7edf643fea4a34ea21b59f23c4fc0ebc021cd0b1b404ecd34fb8

Download Submit
memory/3404-821-0x0000021B37D10000-0x0000021B37D32000-memory.dmp

Filesize
136KB

Download
memory/3404-822-0x0000021B38130000-0x0000021B38176000-memory.dmp

Filesize
280KB

Download