88bb534525e0fb662e60ff3524897d1b92d86ef792615f916f93f27abb5ea4b1

Analysis

max time kernel
93s
max time network
97s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
03/04/2025, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Size

146KB
MD5

c6c371198124b086a547407a7d36fcc6
SHA1

1a3108ecb72ca0da0c04bd5c29caebee0ffd795d
SHA256

a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c
SHA512

568da365e16e806593d5bb9ca335a4b1e7585148b29fe131d3fffb45275962991948de6700c28d3afb4302ebbb8570e20781933bdcfb3685cde325b64efc19d5
SSDEEP

1536:szICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDzp6HbSCkHdMBfusRDARJbWUyz:DqJogYkcSNm9V7Dzx19pODObWT

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\ni8pxbvnx.README.txt

Ransom Note

>>>> Your data are stolen and encrypted! >>>> Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Your competitors or law enforcement may get them on the web. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... You can request the tree of files that we have. >>>> You need contact us and decrypt one file for free, send a small file for test decryption with your personal DECRYPTION ID to tox chat: >>>> Your personal DECRYPTION ID: 6791ACA56D6F7E54FDBF7A5D3FB74F05 1)Download and install TOX chat: https://tox.chat 2)Write to this tox id: DED25DCB2AAAF65A05BEA584A0D1BB1D55DD2D8BB4185FA39B5175C60C8DDD0C0A7F8A8EC815 and wait for the answer, we will always answer you. >>>> DO NOT MODIFY FILES YOURSELF. >>>> DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. >>>> YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >>>> YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

URLs

https://tox.chat

Signatures

Renames multiple (539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2544	A2B9.tmp

Executes dropped EXE 1 IoCs

pid	Process
2544	A2B9.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-167299615-4170584903-1843289874-1000\desktop.ini	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-167299615-4170584903-1843289874-1000\desktop.ini	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\PPxl0_nd4mq3u9yt5hl_lfxxq2.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPljemt0d7_6xu7g8hb8p89heic.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP3054b5t5z4n7zsi9l2lqohsi.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\ni8pxbvnx.bmp"	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\ni8pxbvnx.bmp"	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2544	A2B9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2B9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Control Panel\Desktop	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Control Panel\Desktop\WallpaperStyle = "10"	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ni8pxbvnx	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ni8pxbvnx\ = "ni8pxbvnx"	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ni8pxbvnx\DefaultIcon	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ni8pxbvnx	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ni8pxbvnx\DefaultIcon\ = "C:\\ProgramData\\ni8pxbvnx.ico"	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5224	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
5380	ONENOTE.EXE
5380	ONENOTE.EXE
396	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
5380	ONENOTE.EXE
5380	ONENOTE.EXE

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp
2544	A2B9.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeDebugPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: 36	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeImpersonatePrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeIncBasePriorityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeIncreaseQuotaPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: 33	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeManageVolumePrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeProfSingleProcessPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeRestorePrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSystemProfilePrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeTakeOwnershipPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeShutdownPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeDebugPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeBackupPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
Token: SeSecurityPrivilege	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe
1688	firefox.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
5380	ONENOTE.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
1688	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 5264	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe	82
PID 2328 wrote to memory of 5264	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe	82
PID 3324 wrote to memory of 5380	3324	printfilterpipelinesvc.exe	85
PID 3324 wrote to memory of 5380	3324	printfilterpipelinesvc.exe	85
PID 2328 wrote to memory of 2544	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe	86
PID 2328 wrote to memory of 2544	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe	86
PID 2328 wrote to memory of 2544	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe	86
PID 2328 wrote to memory of 2544	2328	a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe	86
PID 2544 wrote to memory of 1960	2544	A2B9.tmp	87
PID 2544 wrote to memory of 1960	2544	A2B9.tmp	87
PID 2544 wrote to memory of 1960	2544	A2B9.tmp	87
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 2980 wrote to memory of 1688	2980	firefox.exe	96
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97
PID 1688 wrote to memory of 908	1688	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a17f22b67ecf9312bf59c8bb77445969bd6bbe61cf2b5ba98255f6cf30130d8c.exe"
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5264
- C:\ProgramData\A2B9.tmp
  "C:\ProgramData\A2B9.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A2B9.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ni8pxbvnx.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2112

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{DE5ABE0E-898C-4E8E-BB8F-D4A625C81572}.xps" 133881161497540000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1240

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Downloads\AddBlock.xltx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2548 -prefsLen 24445 -prefMapHandle 2552 -prefMapSize 268500 -ipcHandle 2624 -initialChannelId {0e3d4542-e30d-4240-8c2d-8b6c0c4b65c4} -parentPid 1688 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1688" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2860 -prefsLen 24445 -prefMapHandle 2864 -prefMapSize 268500 -ipcHandle 2872 -initialChannelId {81ed67ff-5b2a-4948-9be6-dee1411d16aa} -parentPid 1688 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1688" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:2452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2076 -prefsLen 24610 -prefMapHandle 2140 -prefMapSize 268500 -jsInitHandle 2144 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2024 -initialChannelId {1ff754b0-7713-452b-825c-d155f6d5b145} -parentPid 1688 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1688" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:3236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2164 -prefsLen 25493 -prefMapHandle 2168 -prefMapSize 268500 -ipcHandle 4160 -initialChannelId {87f37864-5916-4de0-b1e3-caa6e65bb20c} -parentPid 1688 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1688" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2096 -prefsLen 25604 -prefMapHandle 2084 -prefMapSize 268500 -jsInitHandle 2088 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4384 -initialChannelId {f68f6414-b4d4-4563-961f-3fd3234d9574} -parentPid 1688 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1688" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-167299615-4170584903-1843289874-1000\YYYYYYYYYYY

Filesize
129B

MD5
e9bafa965db4c1ee3295b4525809a3a9

SHA1
a388b5092cf7a7fdcdc4d99d72741ec4abc0e365

SHA256
b0415b76bb7b601bef3594f3f2c85215a8eb34e67de1d861c476eb11ab95176b

SHA512
3dc713c792cb0667a11488f499fd58317c9fe891ed656fc340d3dbdaa9479671467e5575efb9ac464702148f31604c5380e0b1fccc781069b23c242043084717

Download Submit
C:\ProgramData\A2B9.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
96e6fc71caff8c5e5c57295ed97db1f4

SHA1
6b20c32ba43dc2fc41007e097f78eb1fe2d3bf37

SHA256
d96f205830491bb5ecaccb13d7325f70e3f85487023574f2c096f64b583f4b40

SHA512
8dc9af106fca1ccea4799c22dc3df0efd7dd8c8f1bef0a56237724c207eee79a2194e3989a142514808645dec15cdf49082cbbd6f37697bc8a3d6b42ba73527a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
1d87ae86279216ebeee14fc041747c98

SHA1
f2be09b3197eff22a2a9e0dfd004b60eab740bf7

SHA256
f0ac426efbd1d283836cb93a4d350dbcb3825225948d455b39c289af9876bcc8

SHA512
de2cd4fcfe6beef62aa8c173fb2b8d8f451ea0fe6ef41924661d70c3e6949931bd8f07ec969ac41f2e62c9b63c47869f8b246c2a8a0a3693f5c2c0ff494a1824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\46F6A9E0-1EF3-4B0A-9B8F-00C1ED4A0FAA

Filesize
178KB

MD5
4da277b0697365a69040e90c63d79312

SHA1
38f6e24e65873f529bd588fb3a82dd795173cd7e

SHA256
cc21845f70c9e3c6a9bf132a5f812baeba8cd1d66184fe31bd7b054ef416344e

SHA512
467c9c85d9b9bbbe3ce390ec4d41065733d41827bb78eee610c367db36708dd5c7673e9ea2eb429ada6ea9531cf995594c3f3c1339210655af79e6e8a59af86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Filesize
146KB

MD5
23bab91cd5ec9b9ead5c2856431936b2

SHA1
ff7a01a350696b6f478a299a41a30745ef063b28

SHA256
cc5b55423c4f038d74b010440a79dc34369a153fbddcaddc22c7ba24e791c6f4

SHA512
b07f502e70c5577a9b12f253c3dda8f92436c35f3d5233478b9e41944fb808868ffe5f07e4886fc7ee6fd280af22dd2e392dc8a4c9c09c3846c78b9c67041da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\remote-settings-startup-bundle-

Filesize
188KB

MD5
c574f32d3318e8cbcd0ad0f3ddfc1eea

SHA1
7378c1909cc5762aee581bdd03eb05406c688ae5

SHA256
7bf9faea3ac02539f6156d4870229f61a6e6ae7c835b33f7642d9a59035ee8b4

SHA512
77131fce620e80ce8ffd95a2769797d0ba83c2d31cc479a6b19690fd68b320e7d9fdfde3ebb71c8cb05957e49c315767108c4b064a6d0623b33b92d33d2bd42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F43F50A7-F901-4EFD-8A99-9EB69134C12C}

Filesize
4KB

MD5
bd790264dc716c10d0e93d252df66701

SHA1
2034baaef247127291432e8ffc020e2340cac042

SHA256
0db6c5fbf745ae1ff31fc6a9fb52192794915f7d054d1f7cb484133390aa6df2

SHA512
f66213f41f6fc94a3167ca420c9a512ee8084eeb4c2cddf429fb5c213d1a3dd93a1aeec9c2526c1ec74f74b43c23a5c1b42c4d1559c4341dfffd69101824e9a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fwevqv95.default-release\prefs.js

Filesize
1KB

MD5
7ac263e33d9d0c9249126d4f410a9260

SHA1
aef8581d8236b58e1ca6ab993d06ff8ff1aaf967

SHA256
9fc24bd230002367903d257def9b7c957531bbdf0778eaa84acc219a69400b84

SHA512
d04fde260142d03e7c0885bc8f7ed8a18c84c0aa77ea6b3c5f7e0dea59481fa86b3c3c69373ca8148efb77b57b62f742037a7369efe10510f5adef3cef04b6c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fwevqv95.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
b253531ec5abe224bebfb4eca721c7fe

SHA1
1f5544ebc32a8035357da4e40f6ed4f989d06480

SHA256
a7d03b2c73a8f0d808bdae39a168f387d79dd70636a9efeb45acae38d7877273

SHA512
7df570a58ba7122ecd5657dd0eedd0c7dbb4fbef2d339fc16d100e7d1fc1eeb464e006a49977b76cde87ddaee9683135adf0b7907aeb80d912c2c736955a91f6

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
16da1728544239b127f0eb420c6b1303

SHA1
9a0202071df60f43b3ae763ad995d57085091d93

SHA256
702504c2b672eb7dcb93bf123ffd1a6723e3eda45ca7cfc015514c319f51b18f

SHA512
596482fd4fb16ef39b1b11bc70b9ae1beb9ae3333341b08beb9d87b8c5ae17eda51b451ce6e67df3315f91dd1b6b7a3d432d15df434842e79af2e6f284bc4981

Download Submit
C:\Users\Admin\Downloads\AddBlock.xltx

Filesize
393KB

MD5
eeaf4b8de80bbe989dc488ccc2b52f2a

SHA1
9d736cf1f67db2def39d0a18e2ea913a4ff1f170

SHA256
7ea808d3288730cbc754130086d9523abfc3d5fe0cb5d5d572d788c393146e0c

SHA512
7a84e5ab80c7e33d9b809550c637f061bb17ea83029be5483a86a82ee8b8f54e3c1c44b496c0105e9fc1d7d03eedd444ca8607617985d1c4b78d74017de4543e

Download Submit
C:\ni8pxbvnx.README.txt

Filesize
1KB

MD5
33c8aa66688450d80e088ab3c7f6356b

SHA1
2f3c8973b6d703decf53e7c5955018686907e3f5

SHA256
4c43d73426c24d73519a63576e01aa4b5243664c3253f02cbfbc5b3238d22191

SHA512
f97f26200f11fe28c8fefec950d4c0ab3d245935809daed16073279b76f1f4069bfa5c1d9153cc641bb6376c24a26e6eef5d00a55db493f9535017aa0349785c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-167299615-4170584903-1843289874-1000\DDDDDDDDDDD

Filesize
129B

MD5
11f2cfd65c9516b1a2b91502a0dfd1ac

SHA1
4345c55d6017011076c4de191fa22509cc624ce4

SHA256
f91c4fbb5929d3248357adc7c1e6ea26e1199e10a1ab19cbe4f983880ac804bd

SHA512
08f82a57d48f0e0672e30ea4c6a6f7b6e2f81753fb770004464f8474eff06d66c058c7d8dba7a85b8bc2ad11664b5a83b659325304003fbe7099afb2607903a9

Download Submit
memory/396-3574-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3570-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3596-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3577-0x00007FFEAA0D0000-0x00007FFEAA0E0000-memory.dmp

Filesize
64KB

Download
memory/396-3575-0x00007FFEAA0D0000-0x00007FFEAA0E0000-memory.dmp

Filesize
64KB

Download
memory/396-3594-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3593-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3595-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3571-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3572-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/396-3573-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/2328-2-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2328-3479-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2328-3480-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2328-3481-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2328-1-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/2328-0-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/5380-3498-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3567-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3569-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3568-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3566-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3531-0x00007FFEAA0D0000-0x00007FFEAA0E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3530-0x00007FFEAA0D0000-0x00007FFEAA0E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3496-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3497-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3500-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download
memory/5380-3501-0x00007FFEAC7D0000-0x00007FFEAC7E0000-memory.dmp

Filesize
64KB

Download