77fc5ec417f5bd3837d0ce042658ab25765b34450e7c08d269b38eec193bff0a

Analysis

max time kernel
558s
max time network
564s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crunchyroll 16k.zip
Size

7.5MB
MD5

175b5d04ac39a76484ac7722c5f8b1c5
SHA1

fe75e3f718981b2de331e4e3e961a253f1633eb1
SHA256

77fc5ec417f5bd3837d0ce042658ab25765b34450e7c08d269b38eec193bff0a
SHA512

c52e61e6e25588dd583385d6115484eabdfb9a29a61b9268da4a2e978c32b2283db1c8f0db5f064f46d9ece4d449170a01e98c21b08e568cc07311b99c1e5ee6
SSDEEP

196608:zi5QY3cTQGfR+1+bRolV40B2tbhASBoJ9vq0Ha86BRvk:aq3R+1+ClV49RpBov88d

Score

9^/10

agilenet evasion themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Crunchyroll_p_.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Crunchyroll_p_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Crunchyroll_p_.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Crunchyroll_p_.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crunchyroll_p_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crunchyroll_p_.exe

Loads dropped DLL 5 IoCs

Processes:

Crunchyroll_p_.exe

pid process

4340 Crunchyroll_p_.exe
4340 Crunchyroll_p_.exe
4340 Crunchyroll_p_.exe
4340 Crunchyroll_p_.exe
4340 Crunchyroll_p_.exe

pid	process
4340	Crunchyroll_p_.exe
4340	Crunchyroll_p_.exe
4340	Crunchyroll_p_.exe
4340	Crunchyroll_p_.exe
4340	Crunchyroll_p_.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4340-1784-0x0000000000400000-0x0000000000660000-memory.dmp	agile_net
behavioral2/memory/1640-1785-0x0000000000400000-0x0000000000660000-memory.dmp	agile_net
behavioral2/memory/1640-1792-0x0000000000400000-0x0000000000612000-memory.dmp	agile_net
behavioral2/memory/4340-1795-0x0000000000400000-0x0000000000660000-memory.dmp	agile_net

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4340-1832-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1844-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1885-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1889-0x00000000057A0000-0x0000000005DB4000-memory.dmp	themida
behavioral2/memory/4340-1892-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1893-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1894-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1895-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1896-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1897-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1898-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1908-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-1923-0x0000000010000000-0x0000000010C35000-memory.dmp	themida
behavioral2/memory/4340-2088-0x0000000010000000-0x0000000010C35000-memory.dmp	themida

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Crunchyroll_p_.exe

pid process

4340 Crunchyroll_p_.exe

pid	process
4340	Crunchyroll_p_.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 64 IoCs

Processes:

Crunchyroll_p_.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Crunchyroll_p_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Downloads"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Crunchyroll_p_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Crunchyroll_p_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Crunchyroll_p_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Crunchyroll_p_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Crunchyroll_p_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Documents"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Crunchyroll_p_.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4"	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Crunchyroll_p_.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Crunchyroll_p_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Crunchyroll_p_.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\crunchyroll 16k.zip:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\crunchyroll 16k.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

firefox.exesvchost.exeSystemSettingsAdminFlows.exeSystemSettingsAdminFlows.exeCrunchyroll_p_.exe

description	pid	process
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeManageVolumePrivilege	4440	svchost.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeSystemtimePrivilege	1140	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	1140	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	1484	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	1484	SystemSettingsAdminFlows.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4556	firefox.exe
Token: SeDebugPrivilege	4340	Crunchyroll_p_.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

firefox.exe

pid	process
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

firefox.exe

pid	process
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exeSystemSettingsAdminFlows.exeSystemSettingsAdminFlows.exeCrunchyroll_p_.exe

pid	process
4556	firefox.exe
1140	SystemSettingsAdminFlows.exe
1484	SystemSettingsAdminFlows.exe
4556	firefox.exe
4556	firefox.exe
4556	firefox.exe
4340	Crunchyroll_p_.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exefirefox.exefirefox.exe

description	pid	process	target process
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 720 wrote to memory of 5040	720	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 2304 wrote to memory of 4556	2304	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 8 wrote to memory of 4176	8	firefox.exe	firefox.exe
PID 4556 wrote to memory of 2600	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 2600	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe
PID 4556 wrote to memory of 224	4556	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\crunchyroll 16k.zip"
1⤵
PID:5088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:4176

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:5040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.0.384754470\1939765812" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1796 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {754804f6-06f6-4bfc-a5ec-dc44ff51167c} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 1900 18945b8f258 gpu
3⤵
PID:2600

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.1.1760216931\1791180647" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb3d42c5-117d-44a1-b706-b5b5c105096a} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 2300 18937b70158 socket
3⤵
PID:224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.2.1424078387\174992319" -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36d14cdc-fd85-47ad-a63b-6419a7446441} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 3116 189488d9e58 tab
3⤵
PID:632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.3.339812968\2068283518" -childID 2 -isForBrowser -prefsHandle 1112 -prefMapHandle 1108 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e9dee4-9cfd-4666-9125-0c178327db01} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 3532 18937b67b58 tab
3⤵
PID:1840

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.4.642084233\1412227977" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f6d0a06-1de2-4fdb-bdd1-f73384bf4270} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4136 189499c9b58 tab
3⤵
PID:1540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.6.118025183\1088456326" -childID 5 -isForBrowser -prefsHandle 4704 -prefMapHandle 4692 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96e381f6-3446-4e43-994e-631bb95a217c} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4804 1894a654e58 tab
3⤵
PID:2428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.5.874996087\1991963319" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4680 -prefsLen 26657 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c61652d0-4048-451e-873f-8b735d781fe6} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 4700 18949592e58 tab
3⤵
PID:332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.7.702797275\790130107" -childID 6 -isForBrowser -prefsHandle 5260 -prefMapHandle 5272 -prefsLen 26738 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14ab1448-da10-4eaf-b8c9-fb054f2d3c25} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 5316 1894b2e3758 tab
3⤵
PID:4144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.8.906100755\346079048" -childID 7 -isForBrowser -prefsHandle 5228 -prefMapHandle 4640 -prefsLen 27020 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cceb06c2-3d75-4a5f-9884-e6a415a6e8fb} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 3388 189499c9e58 tab
3⤵
PID:1352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.9.1710228558\7018608" -childID 8 -isForBrowser -prefsHandle 6008 -prefMapHandle 6028 -prefsLen 28817 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3687bb32-bf91-45fd-ac49-e421fb939a40} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 5876 1894c0a9658 tab
3⤵
PID:4780

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.11.1061577551\427872499" -childID 10 -isForBrowser -prefsHandle 10428 -prefMapHandle 10424 -prefsLen 28817 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dafa70d0-bc2a-4ecb-a254-cb8f68e6bdc4} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 10436 1894d5fca58 tab
3⤵
PID:3556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.10.370975519\1334611301" -childID 9 -isForBrowser -prefsHandle 6976 -prefMapHandle 6972 -prefsLen 28817 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a4e12e8-fbf8-4025-b327-1e3631607843} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 10568 1894d5fe858 tab
3⤵
PID:1208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.12.1730309152\1018383" -childID 11 -isForBrowser -prefsHandle 6888 -prefMapHandle 6892 -prefsLen 28817 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02e37dc3-1179-404f-8656-31a40976837e} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6876 189490bf058 tab
3⤵
PID:5856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.13.1930763139\1891821315" -childID 12 -isForBrowser -prefsHandle 10772 -prefMapHandle 10776 -prefsLen 28817 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e08592e-7afd-40f6-8947-ba5feb71ee3e} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6748 189490bf958 tab
3⤵
PID:5864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.14.1261422548\1188852719" -childID 13 -isForBrowser -prefsHandle 6592 -prefMapHandle 6596 -prefsLen 28826 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ca778b1-486a-4414-80dc-45a30376df91} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6540 1894960d758 tab
3⤵
PID:5268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.15.749981562\44613873" -childID 14 -isForBrowser -prefsHandle 10808 -prefMapHandle 10812 -prefsLen 28826 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {012621d5-5410-4c12-a0d9-045abea44a49} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6556 1894960da58 tab
3⤵
PID:5264

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4556.16.162317702\2022895683" -childID 15 -isForBrowser -prefsHandle 5468 -prefMapHandle 5368 -prefsLen 28826 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {251de57f-4e97-4265-934c-644c48e94f2d} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" 6056 1894473e858 tab
3⤵
PID:5692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 1
1⤵
PID:4736

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_crunchyroll 16k.zip\crunchyroll 16k.txt
1⤵
PID:5396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\crunchyroll 16k\crunchyroll 16k.txt
1⤵
PID:3316

C:\Users\Admin\Downloads\crunchyroll 16k\Crunchyroll_p_.exe
"C:\Users\Admin\Downloads\crunchyroll 16k\Crunchyroll_p_.exe"
1⤵
PID:1640

C:\Users\Admin\Downloads\crunchyroll 16k\Crunchyroll_p_.exe
"C:\Users\Admin\Downloads\crunchyroll 16k\Crunchyroll_p_.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
Filesize
149KB

MD5
ca6f3f457fbc990d4f9e7f76c85c61d6

SHA1
8ac281babdfce5d1b8c0711b25b398b3bd27e6cc

SHA256
a369d1b4bb3552300bfa49db39a9d31486432e4460b3965703c7125bef111a7d

SHA512
6a8349823954310931dd74b15563abdb3dde937e6e1302cf731a614f41c6fe1d487786f37cadc25d756fc8262815d8e1e9f5744cbcffded717baf8497ef3fc54

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\11967
Filesize
9KB

MD5
0c215df50e4d3e54b92c0e749abba04e

SHA1
5fb8c7a3800a5588de92e9fea2af3b74f4a4dc51

SHA256
3e60d46e52a51022841d11957848166fad7b62a4fa62681645594cadae2708cc

SHA512
f9949fd664862ee97e8112fe0a91ec09133002c14fc479696e395befe34ba34c60467af0d7ccec9dc68e855f726d110fffe58d2d9cdb05fe53b2aa01229e19ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\14796
Filesize
10KB

MD5
fc0f8f037496ae25d74967d8aa206d30

SHA1
ff2076fe53b22e6dd2e60253020e0cd56cd4a7c1

SHA256
f246418a8e9caac1371c6362b3e6e87248bc09813ea4ac46babd831feb33eba8

SHA512
0f808a2817f7301516277e6c1e988d09def732bdd0031ece6c7695eaf0469d0399439335fe7347c2087c1e86b466ed5addc91e16bab7e06718a40d3f402c6f61

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\19083
Filesize
9KB

MD5
1ed9c5975417f91ba52d8516711d4a7a

SHA1
b9a0890b58aebb5821303d5a8d4adb3f5759a69a

SHA256
ba3d2eea65cd335d127fd5a85217448560a8b4efe2f8202b3668788e43406410

SHA512
61b6a5df24994aa1e006085784beef72bd5b2be8674443b07392fea0d1ddf4567d17cf3465d87587e806ed75b4c0929f6d3f236b007724e04247a9a0594ae038

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\28226
Filesize
76KB

MD5
fc0c6610d30b0919770229fd31d9a359

SHA1
a8bf77956f2b729b885feb77cfdeab53c7cd578e

SHA256
dea9e0796777510b5765c18299a6db503403550f3a468e692494d1ee41b18ccb

SHA512
8e0d6c121199f4e8cacd27473cf3980bfa421ac058cd51a74e81f81b5059434da9bc26850ad12985fae01068ff2a46903652b1aefc9e3275338fd320bb51a2bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\28943
Filesize
13KB

MD5
c273d8b681213d07447c43199208651b

SHA1
fee30d6b3cd0c7a2930d91dbf12c2f1594817920

SHA256
e8c0782e5bbebb79ccc2a2305e61b2432dd79e176d3444081e71e57485dce539

SHA512
2366cfb2c3a389752c05109f4e760f6d0a3089e3c64302e7c774262261d75c58b08d73ed3b01562ea98d4af61d78923cb14ab79b4199b4314c09f5544921eed3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\30292
Filesize
14KB

MD5
dd20f8a6e46ba42384fffe9fcf3d6d87

SHA1
ac57ab0e122b09a7d7c4d3acea10487ca1a86d00

SHA256
82a4ef6ce36c1176ee18209cca754c9b3923c7bc4f296fabef354640e079f429

SHA512
b1819781c147a66714cb2ec4bfb1aef28747781ad3746e251afdf72ef2c312f3f322cbc385a2f94f7454a003ae3a06dd37016f2071b3d41555f43160d80f05f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\30326
Filesize
186KB

MD5
ee7ec85f9ba8558d5d66d91b59c9b243

SHA1
fc0dca7e211e321b83f350b842b2e29c273f1e36

SHA256
80bf59e68f5c7d89b668373ab53e5ee046f0be5cef5623b62b7eba91b424924f

SHA512
4b9ba2e14c08329db608241c421c7b781ed83f6e9762cb93a9171fe8c06e7beb1ba743c80c9c7ebf5f683d6fe41839483c2298cdce6ba19fd4993103d636fd4e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\3108
Filesize
10KB

MD5
b882c894ae08d0de152a8d15b6463f60

SHA1
35f90ce893f1c71319d5dc329b40dae3ef13be6f

SHA256
632fbe892d42966ec9a8deeb160ce669bcb28199b961eeb39b23786346711db3

SHA512
4ed7bd41981f91fcd63e375fb2af436c492f08de912d2d925c27fa9dceb6fd2c39e7df8a2092928101f09a34d5318a08c54e2c322a1f6a4f47d08da0746c3cc3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\31543
Filesize
8KB

MD5
22348a8322ec3e62458bf448b0fb799c

SHA1
9aaeab8bd1730fd7fdf0456bd4b9d0848f6094e3

SHA256
48a6d173ecb80fb60536ce9ccb28862727c5650c8a1f4c4abeed2e110ac4468a

SHA512
009bc4c453e28e8f10f4e2cce00021f48ca496b3e93e91a26778a796ba07a24747941661e58fb50ec5416e6dafef6c9d930ae78d1483e4d55f425ee9186d5ecf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\3517
Filesize
33KB

MD5
abf14f9279b8883cfd8263e2decda98c

SHA1
dc1cfe7c2d54790e230025f68d213ba1ff728369

SHA256
7e61817b91e80855f735faa0a45c1091309ccda48b5689814e519601bb53f656

SHA512
073215bf0ecfe19e240d362f775d8b9e54330a85131661e91db33d898bb3e7b93c4f5084c6d1339bd241b0e6a77348fc5ff4cf5c2d321b511d275f9217500485

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\4230
Filesize
10KB

MD5
326252700c2eed9ed58d1de3a991bbcb

SHA1
64b5c80199c71c8027e12d38e348a41ee3a051df

SHA256
5f4f7f2da38e5ee2d25493bad1c18d0c9663b8f740df2fba6a14851f7a0e1bfe

SHA512
c5cc05e789f04135756b05251134a0d6aa0b36587eb3d2031678e220e5ba34aba58e00ba23ae6a6b09a097695e4e191cbd460b0770f3b9cff52a18e92fad0814

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\723
Filesize
21KB

MD5
076e031324894113d1311f70a858fe10

SHA1
a86b20a75f0f095b56647e433a4f64be72532ca6

SHA256
5330d40e173fc8e1bdd8ea70b8dcc3b55bc36dc12796d79f03661bf20ac32633

SHA512
ee420edce0d9e18c26cb475a4ac333bd1eb0310e57c78e68b6a543e50032e8b2a3bea80a053b557962d0f52ba41aaf8cfaee435aced0bead3e9fcc016d186045

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\doomed\925
Filesize
9KB

MD5
9bd16db3446f8d2c0bc61ff7aba8a433

SHA1
c5ca920d3220648ca5231c5d729326caaf2e06fa

SHA256
8ecab405e2d24fe94b936dd2f3e134e28519d0a892bfcfcbca1e2fb35469cf4d

SHA512
d8dab7842982fb638912802bdc28dbfcf431d500826fea25ab3f33941fd8d1191ced293d5a0adeb888ea129cc9a10a99b0b54e6fe0ca8ca16345340db31b4dde

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\250EE2BC03AFF526F1A1C3DB212A79DE3EB60D5E
Filesize
14KB

MD5
e4bc6829283ca7a1ab056d22924b33f0

SHA1
022fa22aed2c5080a77117ed6fcbb37a5f42f6f1

SHA256
a8ac1e8197e96bb7885078a0b19137cab6d04fb7ba32b3ac4ff25d5d2d73ed02

SHA512
3aed59e48cf8e99182a7c6e53f16885c1fb59afe50fb511dcf498e09b499d137b4c20cc75b3be9f9c06b12e8b153a5634108d1e15fe49158d7fff04e2a0575ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\4F6ED01124CC1B5A795719F030A630F669E84146
Filesize
14KB

MD5
aaa7128bada31939af77a7e0b2e6d18e

SHA1
eaadb4d296b027289908f856c782d6516f8c6d0a

SHA256
4f40d363da278b42fc7f833794af1ffa11386c307956927f92e9f23de297a9b3

SHA512
f9c30fa115a1b8e1f81fc4ff862a5dcdc0f726989d8b49aa4fe6be09f92644a47dc9d64fdaf017b149220dc9f388fcccc29b0e7444fa910103b636a66eb5f6c8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\cache2\entries\CFD9AA6A3EFDD3261167276C757693DA645C5A27
Filesize
15KB

MD5
19e453c0ffe790b3da902f88f2aab397

SHA1
5fb3b9fb5d4d8e0c08f4eefdc6b75e1ca3a9503f

SHA256
22975f6e4c882a120e6c15f646116b065433de1f20045e5874cd7dda5988ae4b

SHA512
1c65ef09de9b8c72ab9f749b73f53287b1fe4f68a46d16b1a5d2a5312550482e98d193754f93b89f14968fbef18d81c9051af8e0ff42417a630e9e41a8905a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb2DAD.tmp
Filesize
1KB

MD5
e19f1ab63874138c99d0047c27d478d8

SHA1
92290bd4c5c76da2b9cd7eeddc1283e7334ac968

SHA256
4dd8c4ac0e9b213fa9d160f893b170054934e43c9f9d58f5da5193355422bd6a

SHA512
cc30d9bfadec6050e4ab2e866b60fb67ce48968d1ae5de8f2fcbe40b048a418cc9cd00282878282744dd14150303d173a65e782c0ad314afd53c3ef76025d206

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb5913.tmp
Filesize
1KB

MD5
26fc5802d3da1539a5b4a4e9d1c0be94

SHA1
4451ad10ddd3a9910f3706e957ce32ae142fbf58

SHA256
d1781882a8f4ed09d0f0237271a72522b7679aca3112755c75f9b60e5db18840

SHA512
5dd81590049e6574e3e1325b637a4f2fb62bfc77635f8ad86b6125ff2a91f04a88182cc896e855b3054ed281545c6985e0db05c36ed55f0819ed5260ab27b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb5991.tmp
Filesize
1KB

MD5
26fc5802d3da1539a5b4a4e9d1c0be94

SHA1
4451ad10ddd3a9910f3706e957ce32ae142fbf58

SHA256
d1781882a8f4ed09d0f0237271a72522b7679aca3112755c75f9b60e5db18840

SHA512
5dd81590049e6574e3e1325b637a4f2fb62bfc77635f8ad86b6125ff2a91f04a88182cc896e855b3054ed281545c6985e0db05c36ed55f0819ed5260ab27b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb796.tmp
Filesize
1KB

MD5
e19f1ab63874138c99d0047c27d478d8

SHA1
92290bd4c5c76da2b9cd7eeddc1283e7334ac968

SHA256
4dd8c4ac0e9b213fa9d160f893b170054934e43c9f9d58f5da5193355422bd6a

SHA512
cc30d9bfadec6050e4ab2e866b60fb67ce48968d1ae5de8f2fcbe40b048a418cc9cd00282878282744dd14150303d173a65e782c0ad314afd53c3ef76025d206

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbB0F9.tmp
Filesize
1KB

MD5
92bfcb568bb0a74869f134d6ed8053c0

SHA1
45fb0817db5abdee31fef3289fa0c5bcf039ef9c

SHA256
eb84e17ff1e3c68294a89e1786a8484ba3ce049b494973399438ef8339d3fc95

SHA512
b82afc7bf48394cd1dce743220e007a82a3f8e0f9b689e81821b9058b3158e4c275d6f7c2816ba353b589b14bc6f7d05999d64b80ebff7e1e403e892690a1500

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
5KB

MD5
397fb3b91fb68283d6fc4845a7d9afae

SHA1
b807f8bd89b079a1146a355870176c9d692b0d9f

SHA256
3d9fc40e0595b6f9b725ff6bcd764a0b61e1e8e8548753c2e794d2c92a5a7a6f

SHA512
0911b6aa6e61ef8953d34dc3d4e3b75da1be509721007e392a3ed6afb5679222606c8d4acb286d6d0738c1e31c659d0059eb2c93f6ee591212f844a2db1c3035

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
7KB

MD5
d6ccc86d0c6adef1af80adc5ba88f108

SHA1
644de96a9a3280c9538b6e6610d0ea8fdbcbaadc

SHA256
631b61b491a11a1fd59746e4bd4efa84329f737fc82e0606d993b93c1ce04f7f

SHA512
4594a89bb295d81b3517a3335bf7735785eee7d333be9fc58579a9f0a0184825a98fd0ba9668be0e1a09c208bbdbec0db6b405e876a41dcdbc5e657aaff8bc71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
9KB

MD5
ded9e588005cd04f56fae9781a6b3a0d

SHA1
287f912c8a1c089987650adec35895b0c16e34f9

SHA256
966282f305c8379171a838c2c59544cf573f9a9016f8b8c0aa40e7cfa3e05f11

SHA512
3bcc12a16f1ce6966eb931ecb7d115a2d63ece8993a8f71a52e23e991d2d6584cbea58911857b6fd0db6c3bc11574d8abd86611f1f3b5ae30b1f4604046bd961

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\datareporting\glean\db\data.safe.bin
Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\datareporting\glean\db\data.safe.bin
Filesize
182B

MD5
1c3c58f7838dde7f753614d170f110fc

SHA1
c17e5a486cecaddd6ced7217d298306850a87f48

SHA256
81c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d

SHA512
9f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-gmpopenh264\1.8.1.1\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
4ebadbfb7fff0fd55dbb0c9f9eb9d022

SHA1
6108406e27ef82b8dc9a83b5f1ad23b86073df7b

SHA256
71a6ace6cdbd924cfc88ad553bee467578c52706ef1ec4015b421b84bc9d4bcf

SHA512
10a5c4d7413dd6d3afebcc0677d098170aaeaeab8911a5696345565a7e84516d658107894184bf93cea5fa5e7316fe062392ea313037b1ff23ef64686e32d5dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
9e6cee6c67a3828153766b53c20a4224

SHA1
0c36f3696a98eb194c929bbc8c56001df1eef5ff

SHA256
04dfa25b6b7f02deac6ddd26ca592b66b65edfb52e1d03019497def7f917abb5

SHA512
8646c3454441102f91aef2d8f574096cbca1abb5d8f15398dc3ee0f9166dc937ea91d013ea1f9441588aba1801c00172ecc214f9ab48cd5aaecfc5108c1640cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
6KB

MD5
df5667f90efaa6fd98c7c214f5bfd469

SHA1
8f8e80a0f6460205a40821d0f49630e11cb11ff6

SHA256
676895b75a748a1992be7f7c270a3b77b3ed0cdea5624c65d22ae0e6cd813a26

SHA512
595dc24bdd162288e52657d9d7bb70eecb1cab15451c67d778008d5bd2ea55977c637282b1a6a1cb88076a468d46c36cf5e77090e456ff3d4840f017c285e4df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
14bf288814fa3a6c522c662dd4570587

SHA1
40070c24871aa4c2b1928383cad61b419a17464b

SHA256
5f34b10cef3b3c057f4bced98be650e7567494ffe3736b61b52d0e2c1afb6bf4

SHA512
11e602bb9b0f0787cbe98f41a6ec05d9ae86aa3df143c95cd5745e1b2ca57eeb1c203c362dcf0d4d4c57f648f95a8fee59fe06e6ba1d6cfa9c61e5fe91c58eb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
7KB

MD5
9d62cbdbea4e96f7f5ba381552bf9e2f

SHA1
d2563b46929fe11594c3b6e4de671f85883b6d52

SHA256
988d9a249bc406264c8de45c6e264625c09aa08b410cea4cbd1e21ce8ef64612

SHA512
c8fdebce91cf7df669e997f62ddf9adb8ea10796fc9c084f1e51904ec501caf1223c3ed9789570e7619e9d3191d9847f3689088a29406fa63b220a67330ebd22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
8KB

MD5
09e43cddac47ca4b5bf0d6cbc7d41fab

SHA1
f1ab64091f3aba13a79b242d8f482d3460313a3a

SHA256
adff06823665e9fe3858573cc5b4092ee2a9a460c2333922547b8bc9c57f75ae

SHA512
8c067a9621a67c97db562c57685a6452a0bd130a72e1061017242eb86ad56634c4164fc1a062c20550f6253855c0d3e7aaf055be459bd183ab8a7caf47daf778

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
8KB

MD5
5bc5239be82d9922b357b599909f99ca

SHA1
9e690fad0285230984b7bdf3776b883e839aab73

SHA256
937727b962a872c6e4fd218a22b7b2a415a8ce7081a40a11076aeb070951eb8d

SHA512
4619fd4a943bb166c3d71c5c67b036c8c2338fb6de252d06275821e86e75836451a05948587a70e9ef8d565a3fb118986a75cd54586365d2fa8d04f8c81e63d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
8KB

MD5
c4d644135af9a0b45c6b1c72abb9c364

SHA1
c282fee9d3d1b6dfb139ae2ce9838306cafe1070

SHA256
d797bc3e77d4100a6bacb9e20bc206cab961b0577b25c9619812d73e0866e505

SHA512
e3ceae06705b1516b81325cfc46127c6082ded3cf31c2f19fb735b45d96e41a902c5e2937b4922bc260241ec579a4926e986fb72b85b9f2bd97c9924084f5a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
8KB

MD5
a9d9cddafe19844dd1aed4de566d7393

SHA1
7795fe2c571462a4d476773f28d955ee4c603093

SHA256
aa6245743a1dd273e3acae287ac3ee38c3e6bd97848b5210f2e9371b3190d7b7

SHA512
302fc667e37d687390784e5a57343912ccbe3d67c280568535502aee20b2a6d8d35534b73dc6f840816ce275840fc2da3caa9f7f7ad0f5a3be42a32da7b8e7ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
Filesize
10KB

MD5
30e1ec11f5c2754a40b9b2d46ea90abc

SHA1
25735e81639d0193b4e19f4a76097786cae8a9a9

SHA256
8ee9d9e9a8ba837c5f047704632ac23ef9c2a9d066bec60d5dfae0362e6b2699

SHA512
c46fbc7196ed94847be78dcb2d6cbf9abaea3a2be422792a3869100e8a54235a5eda3fd00f3f6bb67ce0ce12f904d179afbf59c9a8254cde98a519e936bda6d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
8f2dbacd5096022e438715a93c1c2523

SHA1
ef5becd2b420c912e3314febb2ff1683ddccf472

SHA256
6caff93e5b2ff599a29abb25a825234dc16626cfde518159ddedccd3f6eb6a06

SHA512
26f31aa0cda9edd516715d20d5a327a902757046cd4eb06cd1a0baa103297b7e9cad7e8884e5b50dcb382d0803fcf5d6f77faa6b6665931b57cca4331166d2d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
d8589cb5bccff39dcdf04a80174e4dfe

SHA1
b7252133ba17aa755cb62548765975997c7f6930

SHA256
8f5abe1964adf33234a7e0a0f22412f97d10e1833096fe3a65885732d3662f5f

SHA512
b109523ffba5b3a4cd6731260d4c93f78465566b7149106a3c47c55e4480b67e8b28ea70619f884c28ed5ed15432d1d2efb9004a84b3ec215dd5656fce4a6bbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
2a8c8c1b4fd999fbd27a05061b7e9517

SHA1
27be06e9a84446b151ab25880aa68de0a4ac12c8

SHA256
26a2856063d8164968844f8909a0b7de479d80eddb713f6a521ebb9d3c343c69

SHA512
17f2ffddb11b0400196280ce45a1dada5141586c8554caa3159e5530d7998d24adb1426df7076f61692bba18f1f633e8e547e28c393dd2fb91984db7f56f1053

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
424KB

MD5
aefbcbf8a0b777c076a1f2135f4ec593

SHA1
ef41df80b8a6f80b0a2f2e1ff65c6733c81060bd

SHA256
89e3c62686eae2e7bd7bcce31934cba54db7cfa12bdc1665d9e3bf21ae4f2c65

SHA512
2fbf21b610f174486f675fd468c8dc81ce673294cb23ea7b73137d3cef405d0035da654f0a98328d1c128162c4e8bfca0132fed86d32d088aea118e966ea9409

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
424KB

MD5
90c94b1dc79fe0c2f724c417e9176c6c

SHA1
6d042346e4202a5788b5bb8984c8aa6a7ed24701

SHA256
060a83f75b343452e55fedf8a497bffbac5b1451e81eb98bc959524313129663

SHA512
26bffd3b9de4d4b3e377557b9c53d043120ce1ecc354e6e870b3088850b804d95266e48b082ea660169a0b96506ea157ed35ef495de696ccd82b54b8d62db384

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
424KB

MD5
0a0473c4d87c09a1259cedc0740e5f8b

SHA1
7f7240c5fe997937b26c083eecf23b91e3c35773

SHA256
6d97bd4a957f9fc0e5a1befcbb62f49df936c3bccb8bad4d01b2ad0bf8ee8b98

SHA512
851342d6a2e54c65f6ebd5f347f1e96ca3629a8eddff80b57ba9960c013a9f5776ceb6ff9fc6ae8b121911f7e96905ad824a53761606cfe47fd53b3e0c7844dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
424KB

MD5
47e45f23b6368ea58dbef5bdc3434ffd

SHA1
b8080c11666379dd7869bc2554fe41ad9cd2f104

SHA256
38d48317285f14cac0f629a6388f4120d6e3200be1e7b7ff7a39a6619c15ced5

SHA512
7969db7daec7c29a99fc2b3f946bf7b2a413a2239502de94296d6211cfcb1c3c382f3e8d747bb6b65450330c832b8ed21884092b264364d44bc055b051c86aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
480KB

MD5
d7fe626edcb9779c114e333f71e8d6ce

SHA1
e51d3198365fc6bdfa9d7089f15d53ba96547365

SHA256
54cd38de3f5db0f35020c50f8c380617a9e8ab12e9ad8cd615ca5cee939ceaf7

SHA512
07f9ddb7855e5e0fc3f93bafa474403c79c0909d01d29c1dbdcd9b28980fe9afe40eca7539780d280e2a04cd3e89972c4178481d040e5b57df9c0f37758b1036

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB

MD5
f3b77083f3b21f5ede2efd83ba8a180a

SHA1
73527c390b85e8e3c42dc0ffc86775f320d2fe24

SHA256
22324da605aac5a31cba4bb8c294c6fc7fa636c6740c0fc95be6e94d4e92a5b6

SHA512
111e564cceefd0c6db745b5df070677eb156415b1c19b3a6e7cfc25659f4477b12cdeaae3b3947c30d4a2592537652ea4a37f90d8be661606c0da590b7566bd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB

MD5
6a64fc8186838f4a43d5e46091a4795d

SHA1
7f93a286860f12d13a6ae01b767339cee9a3724d

SHA256
0b8c494d5df0e121b66aa71d47d6884cfa503eb34619629b95ae3ca466fc86f1

SHA512
7c018e6cf360457492d978927e23c5aed5b4e9c0e666be008a324a5f420f267100652bb3287948a18e0aed8a953e21dc1031018a1b644e41b7e6bbd0b757eb14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB

MD5
b76a78f74ba063a42a9f71b834f5d3ac

SHA1
f7bac2b9d1161be19efe9823c06e69a0d86f4201

SHA256
71db654011abef59da003148b7a30095f27fb8e38acac805e9d27d1a9b7447f5

SHA512
e180e6a7d0e220407a952916ce341d57ab38cc187a51d0cae504dcc4cd367c1817ccca5f55dbcb385f164a5b603bcc8ff28585056b12ee7bc6713a4cbe848190

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB

MD5
49f9cb94eb17f942d8cdcf467ae3f00e

SHA1
9276132e054e5b0730831d3f47819fe6f65e44f9

SHA256
c3179a26db5a5709155d5a3061568955b14fd085369efe6f5bbbfbc29fafe11c

SHA512
69e35fa1b63c9f7dc38f7982976c4082a71148b6cc266af3c2475ec8b24f0a0dc40932c8ea5ec4d914347229de8f6151085028fa53efd64d058ccf508810640b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB

MD5
62cae86da20838d446f1640cf1d32fe6

SHA1
94c3ab9d9281c5eb6fe436a6d50ed09dfe22bc40

SHA256
530cd130eb0b28ffb89bd3ccd9e1814a669d46b176aa54fc33b660e42d8de38b

SHA512
30991a49d7b30af2c69b7e59b71f8b758232e41696b2a8e3614de5c67fba393da11a9f9a9110b3cbc6ee5ab2caef1b3bd71824e6fad9b83b672146d3989fa44c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
1.1MB

MD5
dab56f94244bb1082c50c9fb3742bbe5

SHA1
d50cadcb7d741126583ecbda1ac149270fcb2a99

SHA256
6d03a004fefe0d226b930fb7ee0bdbc5f2f3de8f80bc8327dbe037d5e80d5887

SHA512
f88db9cb36eeb4f4443056b39040702d3bc13ad13f55df4c369dcef08056c02eb632185907a6930e92f8afe201aa6cfea228c0c362e42a626ba78ada99a28024

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
4.9MB

MD5
a1312139254ba9713b4a193209c62a17

SHA1
14e4cdeea31edd7100aa8b0ac582e1a74808ec40

SHA256
e4c78a6efaf786613381c539f6f9a2ce8757b238e57fa914899c2ed4e290a588

SHA512
47045378d9b355072e13029db2e5c0e7929e5059f7a6936002c1b589d125996290b57d5f3be96d3d6c0f510820e824dc7f6ef5c2958ea67f787b7ae80b25d6a7

Download Submit
C:\Users\Admin\Downloads\crunchyroll 16k.TTpaaXIb.zip.part
Filesize
7.5MB

MD5
175b5d04ac39a76484ac7722c5f8b1c5

SHA1
fe75e3f718981b2de331e4e3e961a253f1633eb1

SHA256
77fc5ec417f5bd3837d0ce042658ab25765b34450e7c08d269b38eec193bff0a

SHA512
c52e61e6e25588dd583385d6115484eabdfb9a29a61b9268da4a2e978c32b2283db1c8f0db5f064f46d9ece4d449170a01e98c21b08e568cc07311b99c1e5ee6

Download Submit
memory/1640-1792-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/1640-1785-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/4340-1889-0x00000000057A0000-0x0000000005DB4000-memory.dmp

Filesize
6.1MB

Download
memory/4340-2088-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1931-0x0000000002F90000-0x0000000002FAC000-memory.dmp

Filesize
112KB

Download
memory/4340-1885-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1851-0x00000000053C0000-0x00000000054A1000-memory.dmp

Filesize
900KB

Download
memory/4340-1847-0x00000000FFC50000-0x00000000FFE3F000-memory.dmp

Filesize
1.9MB

Download
memory/4340-1844-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1983-0x0000000000CA0000-0x0000000000D32000-memory.dmp

Filesize
584KB

Download
memory/4340-1832-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1795-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/4340-1997-0x0000000000D40000-0x0000000000D66000-memory.dmp

Filesize
152KB

Download
memory/4340-1923-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1892-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1784-0x0000000000400000-0x0000000000660000-memory.dmp

Filesize
2.4MB

Download
memory/4340-1908-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1906-0x00000000053C0000-0x00000000054A1000-memory.dmp

Filesize
900KB

Download
memory/4340-1902-0x0000000072D10000-0x0000000072D99000-memory.dmp

Filesize
548KB

Download
memory/4340-1898-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-2079-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/4340-1893-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-2118-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4340-2884-0x0000000000D40000-0x0000000000D66000-memory.dmp

Filesize
152KB

Download
memory/4340-3040-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4340-4611-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4340-4612-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4340-1897-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1896-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-4706-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4340-4707-0x0000000005590000-0x00000000055A0000-memory.dmp

Filesize
64KB

Download
memory/4340-1895-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4340-1894-0x0000000010000000-0x0000000010C35000-memory.dmp

Filesize
12.2MB

Download
memory/4440-464-0x0000026E906D0000-0x0000026E906D1000-memory.dmp

Filesize
4KB

Download
memory/4440-465-0x0000026E907E0000-0x0000026E907E1000-memory.dmp

Filesize
4KB

Download
memory/4440-463-0x0000026E906D0000-0x0000026E906D1000-memory.dmp

Filesize
4KB

Download
memory/4440-458-0x0000026E906A0000-0x0000026E906A1000-memory.dmp

Filesize
4KB

Download
memory/4440-442-0x0000026E88340000-0x0000026E88350000-memory.dmp

Filesize
64KB

Download
memory/4440-426-0x0000026E88240000-0x0000026E88250000-memory.dmp

Filesize
64KB

Download