darkside | 8f89ead036fde496467f1ce100b27948d5a72aa316f645dcc79d5cfc739164b6

Analysis

max time kernel
101s
max time network
100s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
07/04/2025, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acer.exe
Size

56KB
MD5

979692cd7fc638beea6e9d68c752f360
SHA1

c511ae4d80aaa281c610190aa13630de61ca714c
SHA256

0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9
SHA512

d7b7b6a968e6d7b7f3e7f98decb6b331b08122e491bf0b0dbe243223fb177218a758c34830f20c47f2a799acdd146297ec7f930c2bb4d5c6830ce65c8274ea6d
SSDEEP

768:piN4q1eksgR4SiI+rxQ3rjFrXRRWxXyw/Afy8fIaJ/ZB49j9xOOLd9kvAx0:g4HHerjZX7pLjJKjSO5i

Score

10^/10

darkside discovery ransomware

Malware Config

Extracted

Path

C:\45b378cfa389121d62932bc9d4e6\README.091144a6.TXT

Family

darkside

Ransom Note

----------- [ Welcome to DarkSide ] -------------> What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data. Data leak ---------------------------------------------- First of all we have downloaded more then 500GB data from your network. Included: -Accounting data -Finance data -HR -Employees confidential data(photos, benefits, taxes, etc) -Marketing -Budgets -Taxes(sales tax compliance, property, income and franchise taxes, etc) -Payrolls -Banking data -Arbitration -Scans -Insurance -Reconciliations -Reports(monthly bank inventory, monthly financial, claims reports, etc) -Audits(DHG, insurance audits, etc) -B2B clients config data -Confidentiality 2020 -2020, 2021 Business plans -2019, 2020, 2021 years Closing (full dumps) -and a lot of other sensitive data Your personal leak page: http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q On the page you will find examples of files that have been downloaded. The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor cdn servers. We are ready: - To provide you the evidence of stolen data - To delete all the stolen data. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. How to get access on website? ---------------------------------------------- Using a TOR browser: 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM When you open our website, put the following data in the input form: Key: ug8lgpX3WrFzlEJ6HBWlwJnf7jemhfnlxBw9porj1uuYFTgKbxJQJLYiteQS7DwgZn7dH0fs7qPPWmZ6inPv5GTmSJZNAjGLVIjd4SoiyTdGyophf0zPBxx6uEAOJxM0Woo4ZGeKVoUDHtZsqZNnhMF7aPh54VnKpIJXiZDbZZw4P06xTuw1UMeiTE7wdg7HWZMepAVTzEI2W04RbkPFQHfUgEDcslDxbr83BvopYTYGKFRmtNUMH8OsOZQrOtv50xWDaOfbqxbzfHMJm30QGaGpgylJHQZsscz3XBnwIdvlwBJ9KN4DVgFgziRdvwJrfCP6YN1CYTOQgw1rzqmIU4G1xGYv7rE3jiBY1s4D3Y26SbppTceAVMu1mKx5CFIE3EbtcAsNtEqLHDbPnMCvU6Apwp17TXGob8xXJpEDBZhIzdTaCuybcprwcFNTOzccjbIH81W39MrcJi9mNO3kHRe5fxmIFKvc9v8aQDihGyC65DtdabyBjidXI1NyNONT4PTyrxYqgffPsNDFuzz2yMrXiTAwtAQPqny5BBJQsfVhpLXTtnLvWg1 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!!

URLs

http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion/162/thedixiegroup/LCfyHRcwffrYTblpZvoPO3XDbrYPcNu0wVAsH5p49LSjBfzTmtdXT48azXFlMu7q

http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/W57MRI9C7YZJUZEABBBYRQLSUTG22JZ9MAH0WT1ISHC405KP7Z2UWY3AI3J68DNM

Signatures

DarkSide
Targeted ransomware first seen in August 2020. Operators steal data to use as leverage.
ransomware darkside
Darkside family
darkside
Renames multiple (163) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	acer.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	acer.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	acer.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\091144a6.BMP"	acer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acer.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Control Panel\Desktop	acer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Control Panel\Desktop\WallpaperStyle = "10"	acer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 0ccaccb957b4279ffbee320bb07a2ece37352ba9ba8ca96988a805cd2b632f3d	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 5418f8398904aa5e9ad99f5f029536751cbef5c34a270cfa1e4e4b190796b94e	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = 6193099d2c4c83d279cd3df9476d289ec489730c0b104d13e102686d1216113f	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c9c2f41fe69e952151a52398713a8abd0925a2a70806708f56a805ea33fcdca2	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	acer.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	acer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = ea173bd189bd1377bd6dcb09bafce0a44561f3e88f68b3b53971c527d00c4940	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 9c7f0bc66d5b06c199e14f594787f9019310efa3b9af526d69a7863aae1e4150	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 4c010000f33124d274a7db01	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	acer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\091144a6.BMP"	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = aa004b4599e4da778b2d6a98b49e09ee66c7d00f6050c1d54e3f71cdf6d7d339	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d002e0062006c00660000000000	acer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 5c005c003f005c0043003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00320066006100370032006300660033002d0033003400630061002d0031003100650064002d0061006300610065002d006300620066003100650064006300380032006100390039007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	acer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	acer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	acer.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.091144a6	acer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.091144a6\ = "091144a6"	acer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\091144a6\DefaultIcon	acer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\091144a6	acer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\091144a6\DefaultIcon\ = "C:\\ProgramData\\091144a6.ico"	acer.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1428	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2700	Winword.exe
2700	Winword.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1452	acer.exe
1452	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe
332	acer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3100	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeDebugPrivilege	5808	firefox.exe
Token: SeDebugPrivilege	5808	firefox.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe
5808	firefox.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
3100	OpenWith.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
2700	Winword.exe
5808	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1452	1384	acer.exe	83
PID 1384 wrote to memory of 1452	1384	acer.exe	83
PID 1384 wrote to memory of 1452	1384	acer.exe	83
PID 1384 wrote to memory of 1452	1384	acer.exe	83
PID 1452 wrote to memory of 332	1452	acer.exe	88
PID 1452 wrote to memory of 332	1452	acer.exe	88
PID 1452 wrote to memory of 332	1452	acer.exe	88
PID 1452 wrote to memory of 2284	1452	acer.exe	89
PID 1452 wrote to memory of 2284	1452	acer.exe	89
PID 1452 wrote to memory of 2284	1452	acer.exe	89
PID 3100 wrote to memory of 2700	3100	OpenWith.exe	92
PID 3100 wrote to memory of 2700	3100	OpenWith.exe	92
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 4656 wrote to memory of 5808	4656	firefox.exe	101
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102
PID 5808 wrote to memory of 5740	5808	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\acer.exe
"C:\Users\Admin\AppData\Local\Temp\acer.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3536

C:\Users\Admin\AppData\Local\Temp\acer.exe
"C:\Users\Admin\AppData\Local\Temp\acer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\acer.exe
  "C:\Users\Admin\AppData\Local\Temp\acer.exe"
  2⤵
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Local\Temp\acer.exe
    C:\Users\Admin\AppData\Local\Temp\acer.exe -work worker0 job0-1452
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\acer.exe
    C:\Users\Admin\AppData\Local\Temp\acer.exe -work worker1 job1-1452
    3⤵
    - Enumerates connected drives
    PID:2284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Desktop\SaveExpand.docx.091144a6"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.091144a6.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:1428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1980 -prefsLen 27097 -prefMapHandle 1984 -prefMapSize 270279 -ipcHandle 2060 -initialChannelId {2bbb3eab-db1a-46f6-b678-5d96efb6d917} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2424 -prefsLen 27133 -prefMapHandle 2428 -prefMapSize 270279 -ipcHandle 2436 -initialChannelId {f41f3450-8358-4da2-8e3f-a91133d6fa24} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    - Checks processor information in registry
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3968 -prefsLen 27274 -prefMapHandle 3972 -prefMapSize 270279 -jsInitHandle 3976 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3984 -initialChannelId {be396b6f-5c0f-4d02-bdde-869d6e7d405e} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:2540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4128 -prefsLen 27274 -prefMapHandle 4132 -prefMapSize 270279 -ipcHandle 4220 -initialChannelId {24185961-4c2d-4327-b9f2-b079c960be59} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4676 -prefsLen 34773 -prefMapHandle 4680 -prefMapSize 270279 -jsInitHandle 4684 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4692 -initialChannelId {56ba5c99-1a70-41cf-be36-93b6243b7eac} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:1560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2472 -prefsLen 34957 -prefMapHandle 2564 -prefMapSize 270279 -ipcHandle 3432 -initialChannelId {f441a2fa-3017-42c9-94e9-204c839799b7} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3772 -prefsLen 32899 -prefMapHandle 3776 -prefMapSize 270279 -jsInitHandle 3780 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5360 -initialChannelId {5bd36d6a-24fe-4140-8b17-c769ab352942} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5484 -prefsLen 32899 -prefMapHandle 5488 -prefMapSize 270279 -jsInitHandle 5492 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5500 -initialChannelId {582e01a5-7709-4eab-bd19-a71dabe01c66} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:1112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5672 -prefsLen 32899 -prefMapHandle 5676 -prefMapSize 270279 -jsInitHandle 5680 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5688 -initialChannelId {fb614ba4-503b-48de-94f4-d26843422c6a} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:3552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6136 -prefsLen 32978 -prefMapHandle 6140 -prefMapSize 270279 -jsInitHandle 5636 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5628 -initialChannelId {8a1cff1b-86b8-4f4c-a21b-cbc229055631} -parentPid 5808 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5808" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:5640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\45b378cfa389121d62932bc9d4e6\README.091144a6.TXT

Filesize
3KB

MD5
164aa420be8e0c2bcdef574355edaa32

SHA1
4336eaafedfc18a27cdf42bffad63b5a54ea8231

SHA256
b326d11dd90c2e4efb0a384981f71c2bd1a6faa0553d6389acb08945b699f73d

SHA512
fd1437bc4f45e3f4b5c3d0e7fca9383f45edceb5c8cb603d0b8ee98350a5f2468c2aabdb66f16bdee0bac49afefa4300a093a54ee43b1ff28a541ae612e34d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
396B

MD5
31dfdd91f49bb4b3e47e8c576367287b

SHA1
f46c3c80ead66f0e3ef8533a6ff6af24ceea3e0b

SHA256
caf4244ab2f393f964ad24c9803e3e6d6929a44cde9a686ede9c22f426f39264

SHA512
f5ca53bbc96accf51b9abf8c3b73e103c2ed2e3657ff2bc9ace25a5f02b70eafe5dcc101daf3b285872153485ccd0c249e31028de85873d596d8f2929cfe4475

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
544b2cf006c37243b38d87630e2018bb

SHA1
5c5fc38d64c2ac30e8d9295fd35e747d258e5534

SHA256
695ad0f8e9f9f83ec8075293da25436b72c7f1fafc778c805e73b31bf647b403

SHA512
050ca393a8939483d96b6d5e65e360bd45d47aa6e1865bc2d878d63e100a6b3f931c00bf544cad12f2a0ec49fdf7fc64f64818bc187e45ce7ebef1c5c3b4ce6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9a13864f732aa666467ef50aa47a8cf8

SHA1
45e3795ec867d81d854316123603029ebec21dbd

SHA256
ca7addce0f8dbc59f4d2447221c061ec5f680c8eb744717e67af533bdaa4d172

SHA512
8ac3d25790d6b306a51ccbb723801bc585feafd6f4c8e9bc238ef2b6b451b17d261a8f19b9b04dee5466a1ce83651195ea57a51a9e893b56957558d78cc97b55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
3c81d131b83958fa012573ed83690171

SHA1
e0778e295c111f4d44ce2e60f62a504ffa97d92c

SHA256
cb8e142f73f8ce9c28fbacbfc3d436345fd9feefb6f9b7beed57ce38f7783f85

SHA512
b63d7800b3b9cfff7896dddfe322dcbbcf5223b05c449a36d26b56ccda48c31cc60ba477b519a8f13b4d5018ff219381fcf1eb0622cb9a965fba4a4a7a49ad79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
4f40db05ea8d4db1238db9090c83d151

SHA1
43a640728af277e12b90fb7a94525a885a047b66

SHA256
74a9dbc65d49107d064d4ecab3d243932dea3966b53d9fb9203276e4424abe0a

SHA512
062ac39ee8497bb8655dc87f889b554aaa880251f357f305848025f776b9040f3335e70cfd112ee25a1be8248d6fbf12e36950ebc8ba93243442650d215095e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\pending_pings\079083c7-3030-4e08-b05a-11ff5a85f7e4

Filesize
235B

MD5
331d1792152d5c2429889f9737ec3db4

SHA1
a9873d659e36ca56152761991cbcbeccceac2d71

SHA256
e62503285030af7e61b8db9be35a5bf7c2332a3f1879e2f3c4be6517e03fde07

SHA512
b94567bf882f04cfe3d73e664eb271ee9924d7cc16380a55e20bb7574801d3e939951bb0c6ae71e9a6e1b8f8bc0d383f5ab478c7ba6931efd0133663b89c4478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\pending_pings\09c1f9eb-df2a-4535-bead-85a34fda7c67

Filesize
16KB

MD5
a02068fd187e40b82c148d5bc5ce2655

SHA1
cd17c14181e898f8d0a537d2607578ee51758907

SHA256
3d1966dab699465311223848c6a5c46eaf0399c604d6a0328de873c86f8109d0

SHA512
4c91919b5e02c39b8c997596d6f511fa166b00dd0c418176aa160f41956d24ddd2a97aaa75e73902072d040f470a6fb87e014619ba92a70cc0be5f3273d42750

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\pending_pings\30e46d94-59c7-4029-a3ee-000bec0af3ee

Filesize
883B

MD5
8107cbc747265b6dc024722e79c70756

SHA1
a569ef161c0f1e5c43b2ebcaeb3fc5a8853d61a5

SHA256
ecf60e5dbb27648de68c8b709ea7b8a069755da1d7fc39de1078d30071617252

SHA512
109525876105ad6145b943299846e2d9feec83ae8c005ecbd434a925ed4e4c10c049648967949f7e5864b09ef08feef6d3c701ab6da673cc696c80d52aa585e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\pending_pings\3a827761-906d-42a9-935b-61ada2cc857b

Filesize
886B

MD5
38d7f136a7ac7219efd3b924658f03bb

SHA1
889ed9f5777004fad1260ba6ff44b9c3d8978e65

SHA256
bf26d1c667d8453ca6b5f5dc4001be555bc3e606f1d8003ec99ea486f40efbbd

SHA512
10cd8eaa24dcbe00aff7eeb7da1c696c0a98d9c4defe681df7ae9b79c62e19ddbc494f9cb65ef3b06d2f8bc9d2b0d6dcacf8af90e9f17861d1d71e965c536501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\pending_pings\714eb79b-0edd-403d-86a5-48f97ee261c6

Filesize
235B

MD5
d664cef05e342247e49fa5c6f35a5502

SHA1
5a8d092f1bdc1fca17a8efeb431da781443de3bf

SHA256
d6d26cc78ed6fe43a10fd1c551edaa3aff11fd77dcdc931131c63d8b070a80fa

SHA512
d9faceec65f88840a80388979300a16ecce82f4263290bb0369de22da88f4068f08a831a0977b55cb0143e2488fc36a83b3314b675ad73c8efaf5e8cf8d1effc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\datareporting\glean\pending_pings\e172de39-34d9-454b-8670-d06e604a90d0

Filesize
2KB

MD5
764a2b81236bcd7be717b88050458c72

SHA1
9eba4d0e5e743eb7ef150b4f28ba9212bb415224

SHA256
9b6ec1bcd8ae0427485c4c1fbbffe8f349047e1b3f66f3e66410a67ee0449d00

SHA512
499532c613d21cb72bb1cff128c34722dc1abb4f9241388142f49b473f571ed9afd877049e748dba244802b89de8bea5345956984f78ae2516b0c5c8d8c35cba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\prefs-1.js

Filesize
6KB

MD5
ff14447b330f2b0e2a39f26d3b020771

SHA1
a2c69fcfd1767a58a43209cfd09604018af02789

SHA256
4164af536f94ab399625e9feca89b769d47b076296ac7eb3d3a1429a18c8444c

SHA512
01fc99f8626696e06020644f0118fd266fb578eb4b04aac55b2dc16493c6df98f1c6e79cdb4ab2487d4a3d3c2e13b4b0e5af62420ebef88b42c53fc986d92caa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\prefs.js

Filesize
6KB

MD5
58dae66e48d4166266cbc6f5e972981f

SHA1
9f19fd24c9797249bb3d31f2b900dd517832039c

SHA256
adc92fa5e59a427a66090109cc9646711b06992986ffa997bf51c7ea60d75793

SHA512
b56622746ff7a71169618ef7ab4f1bdfc900746f13ddf28395cfc2dc3125a68116fc1f699b4eb3bcb825f8ec3178a24b6ede58c07bdcdaaa7742df9234f4a017

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\prefs.js

Filesize
6KB

MD5
52a0161bd29680e5676522bc00b66463

SHA1
47f9b8378eb235712ca92728788a220a18753df7

SHA256
e7f9c8a2801815905aa48beef9cdecb813d1ba12c6f35ea6da5fc4247db97f93

SHA512
c5dcebdd1b8b7dec2a29b825f96b8c90f49f811405de87eee6c4cd46b89402f89939cff9e198730145632731171d278982c4d6a352dd1fb002deb36cba67c10a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k4tz2e8p.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\Desktop\SaveExpand.docx.091144a6

Filesize
18KB

MD5
d755d8699b0ff64162526f942186628f

SHA1
513f61b3d1af3f50c4380095bdffa8aaeee225bf

SHA256
8823d14e7175bcfc0ceff104a20581edf2f506a29979ce9b499c2aa146fdb699

SHA512
0e9ba587d1688d65911a93ea3fac68ddbecc560a6aaaca788f8c0925010ab6deed58d6d86e039b8479e5db0d24aa4e1a19c78c3e12d12f29b3402fa45efec062

Download Submit
memory/2700-289-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-244-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-246-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-288-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-245-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-243-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-248-0x00007FF9C67B0000-0x00007FF9C67C0000-memory.dmp

Filesize
64KB

Download
memory/2700-286-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-287-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-247-0x00007FF9C91B0000-0x00007FF9C91C0000-memory.dmp

Filesize
64KB

Download
memory/2700-249-0x00007FF9C67B0000-0x00007FF9C67C0000-memory.dmp

Filesize
64KB

Download