2cee2d93aa2c8c207d4f75dac4af89cbc88eb503562a346153593d31929d4f97

Analysis

max time kernel
252s
max time network
332s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lunar Client v3.2.1.exe
Size

1.0MB
MD5

3d561bf3b9ecb7eb922b6fbb6ef717b4
SHA1

6b804d38d974b85f7fe708280850c0d10404ef44
SHA256

2cee2d93aa2c8c207d4f75dac4af89cbc88eb503562a346153593d31929d4f97
SHA512

06c5a00de2dc835ecfc2b840e0236d984d149de062bb09226997d13f1b2f263783a2ce094c21aa84025c630103d17fcdeb0cc617d0b9593c6a425a10232333e6
SSDEEP

24576:vWMkRwbMDhozjDu173pG1szLSvJwP7zCIdU05:GeIDhEjK73pfqvCP7zCIf

Score

6^/10

bootkit persistence

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
427	raw.githubusercontent.com
428	raw.githubusercontent.com
429	raw.githubusercontent.com
430	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	逍壌枃嬱鼢傂修塄嘇謭偢淝覟蚋羮淃.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1758.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3248	Monoxide x64.exe
4072	逍壌枃嬱鼢傂修塄嘇謭偢淝覟蚋羮淃.exe

Loads dropped DLL 12 IoCs

pid	Process
1252	Lunar Client v3.2.1.exe
1252	Lunar Client v3.2.1.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
3248	Monoxide x64.exe
1244	Process not Found
1244	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DA4AE1D-BCE2-11EE-B6E5-76D8C56D161B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.md	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\md_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
904	regedit.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
1072	7zG.exe
2972	7zG.exe
2856	msiexec.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4072	逍壌枃嬱鼢傂修塄嘇謭偢淝覟蚋羮淃.exe
3480	IEXPLORE.EXE
3480	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2832	2812	chrome.exe	29
PID 2812 wrote to memory of 2832	2812	chrome.exe	29
PID 2812 wrote to memory of 2832	2812	chrome.exe	29
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2576	2812	chrome.exe	31
PID 2812 wrote to memory of 2628	2812	chrome.exe	32
PID 2812 wrote to memory of 2628	2812	chrome.exe	32
PID 2812 wrote to memory of 2628	2812	chrome.exe	32
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33
PID 2812 wrote to memory of 2572	2812	chrome.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Lunar Client v3.2.1.exe
"C:\Users\Admin\AppData\Local\Temp\Lunar Client v3.2.1.exe"
1⤵
- Loads dropped DLL
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69b9758,0x7fef69b9768,0x7fef69b9778
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1100 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:2
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1636 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:2
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3236 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3572 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:8
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3752 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3728 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2140 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=1368,i,11166086299434709825,9511212542952397601,131072 /prefetch:8
  2⤵
  PID:2988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  PID:2492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.0.973405719\1816783758" -parentBuildID 20221007134813 -prefsHandle 1156 -prefMapHandle 1148 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21ea3e68-3222-4924-84de-3caae092d3cc} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 1220 12a7f558 gpu
    3⤵
    PID:2120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.1.1418800367\778875588" -parentBuildID 20221007134813 -prefsHandle 1416 -prefMapHandle 1412 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73fa8dc6-2818-4fce-a211-a9998c06a48b} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 1428 d71358 socket
    3⤵
    - Checks processor information in registry
    PID:2376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.2.2143242914\1865290626" -childID 1 -isForBrowser -prefsHandle 2000 -prefMapHandle 1884 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe6f6043-c0d3-47a5-8371-e0e81a41e4f3} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 1868 1879ea58 tab
    3⤵
    PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.3.949796299\185915724" -childID 2 -isForBrowser -prefsHandle 660 -prefMapHandle 572 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81b533ff-97ad-48c3-8c80-a3cbf9896057} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 2360 d6fb58 tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.4.994946963\1929820676" -childID 3 -isForBrowser -prefsHandle 2736 -prefMapHandle 2728 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {14bb41b8-404d-428c-9f50-87cba79e683c} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 2756 d61f58 tab
    3⤵
    PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.5.1619347668\1391453186" -childID 4 -isForBrowser -prefsHandle 3540 -prefMapHandle 3532 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00d1218f-2c8a-4151-8c21-e52bf0f5a2ac} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3456 1d3ccb58 tab
    3⤵
    PID:568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.6.763859102\642588058" -childID 5 -isForBrowser -prefsHandle 3660 -prefMapHandle 3664 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afb0d629-d015-494a-acf7-c34bf6bf9c2b} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3564 1d3cb658 tab
    3⤵
    PID:1980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.7.1337911075\1365042523" -childID 6 -isForBrowser -prefsHandle 3836 -prefMapHandle 3840 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ced142bf-5f69-4e13-9ed6-71b8a7955b2a} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3632 1d3cc558 tab
    3⤵
    PID:1328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.8.218134731\714986794" -childID 7 -isForBrowser -prefsHandle 4256 -prefMapHandle 4252 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab016f5-82ca-446e-b047-8a7ab4a7d64b} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4276 1ff15f58 tab
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.9.534776796\1887726700" -childID 8 -isForBrowser -prefsHandle 2892 -prefMapHandle 3140 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c48a6b88-a91d-4ee8-b280-a21e21d71ca3} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 2772 1fe3b758 tab
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.10.1417670907\587917825" -childID 9 -isForBrowser -prefsHandle 3636 -prefMapHandle 3812 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35ae66ed-2f3f-4d6a-874e-656b869f4c25} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 3740 1eb7ac58 tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.11.1105349127\221466105" -childID 10 -isForBrowser -prefsHandle 4064 -prefMapHandle 1900 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {361aa700-f8ac-4668-812e-5fc5b97cd2cc} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4016 f00fe58 tab
    3⤵
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.12.1572221577\399048804" -parentBuildID 20221007134813 -prefsHandle 4600 -prefMapHandle 4604 -prefsLen 26731 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62335830-751b-4ccc-9766-e903f660be8b} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4588 20219b58 rdd
    3⤵
    PID:2824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.13.373020239\409077910" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 4732 -prefMapHandle 4736 -prefsLen 26731 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82dd4c7f-6aa4-4c13-bdc6-51f7de800470} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4724 fe73758 utility
    3⤵
    PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.14.350938417\1385052332" -childID 11 -isForBrowser -prefsHandle 4936 -prefMapHandle 4928 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5710ef7e-d7ac-4378-8564-fefa0d8cf423} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4948 1e0a8b58 tab
    3⤵
    PID:3096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.15.478253255\1012609308" -childID 12 -isForBrowser -prefsHandle 4320 -prefMapHandle 4332 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e26ef4d4-4a9d-4e06-bbb5-c15e2bca37a3} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4240 1e342c58 tab
    3⤵
    PID:3252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.16.1520632059\413073014" -childID 13 -isForBrowser -prefsHandle 8672 -prefMapHandle 8668 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4869d742-7027-4edf-975d-64e76f1b3281} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 8740 1e4f6758 tab
    3⤵
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.17.1781992236\1541252649" -childID 14 -isForBrowser -prefsHandle 8260 -prefMapHandle 8264 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8302894-48ab-491b-8fce-6440059b1259} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 8248 2207c258 tab
    3⤵
    PID:3696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.18.1299530103\1962500163" -childID 15 -isForBrowser -prefsHandle 5016 -prefMapHandle 5012 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {829b265c-808d-41c7-8975-31793d00b4cb} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 4996 243cdf58 tab
    3⤵
    PID:2820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2492.19.743435817\1875593787" -childID 16 -isForBrowser -prefsHandle 4232 -prefMapHandle 4280 -prefsLen 26731 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {653c5e22-02b2-495f-bc37-64c74d16bde9} 2492 "\\.\pipe\gecko-crash-server-pipe.2492" 8232 22035658 tab
    3⤵
    PID:2504

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30918:88:7zEvent21667
1⤵
- Suspicious use of FindShellTrayWindow
PID:1072

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Monoxide-main\MonoxideMBR\monoxide.bin
1⤵
- Modifies registry class
PID:1604

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Downloads\Monoxide-main\MonoxideMBR\qemudbg.bat" "
1⤵
PID:2164

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\Monoxide-main\README.md
1⤵
- Modifies registry class
PID:1012
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Monoxide-main\README.md
  2⤵
  PID:1992

C:\Users\Admin\AppData\Local\Temp\Temp1_Monoxide.zip\Monoxide\Monoxide x64.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Monoxide.zip\Monoxide\Monoxide x64.exe"
1⤵
PID:3596

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Monoxide\" -ad -an -ai#7zMap7823:78:7zEvent5388
1⤵
- Suspicious use of FindShellTrayWindow
PID:2972

C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x64.exe
"C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3248
- C:\Users\Admin\AppData\Local\Temp\逍壌枃嬱鼢傂修塄嘇謭偢淝覟蚋羮淃.exe
  "C:\Users\Admin\AppData\Local\Temp\逍壌枃嬱鼢傂修塄嘇謭偢淝覟蚋羮淃.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4072
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml"
    3⤵
    PID:3548
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
      4⤵
      PID:3520
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3480
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        
        PID:3884
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:2438147 /prefetch:2
        6⤵
        
        PID:3756
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:275461 /prefetch:2
        6⤵
        
        PID:3700
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:2700291 /prefetch:2
        6⤵
        
        PID:3780
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:2569219 /prefetch:2
        6⤵
        
        PID:3740
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:734220 /prefetch:2
        6⤵
        
        PID:2868
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:930826 /prefetch:2
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:3159061 /prefetch:2
        6⤵
        
        PID:4036
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi"
    3⤵
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:2856
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\fr.txt
    3⤵
    PID:3088
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\id.txt
    3⤵
    PID:3924
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\lt.txt
    3⤵
    PID:3124
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\nn.txt
    3⤵
    PID:2368
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\7-Zip\Lang\sk.txt
    3⤵
    PID:2296
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml"
    3⤵
    PID:2176
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml"
    3⤵
    PID:2220
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml"
    3⤵
    PID:2500
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Common Files\System\ado\adovbs.inc
    3⤵
    PID:3784
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Program Files\Common Files\System\msadc\handsafe.reg"
    3⤵
    - Runs .reg file with regedit
    PID:904
- - C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
    "C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe"
    3⤵
    PID:1140
- - C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
    "C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe"
    3⤵
    PID:2000
- - C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
    "C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe"
    3⤵
    PID:2308
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP.bat" "
    3⤵
    PID:1740
- - C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe"
    3⤵
    PID:2404
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif
    3⤵
    PID:3036
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275464 /prefetch:2
      4⤵
      PID:3888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:734214 /prefetch:2
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:406548 /prefetch:2
      4⤵
      PID:1712
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml"
    3⤵
    PID:3532
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml"
    3⤵
    PID:2332
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml"
    3⤵
    PID:4088
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml"
    3⤵
    PID:2828
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml"
    3⤵
    PID:320
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml"
    3⤵
    PID:856
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml"
    3⤵
    PID:2200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js"
    3⤵
    PID:3688
- - C:\Program Files\Mozilla Firefox\maintenanceservice.exe
    "C:\Program Files\Mozilla Firefox\maintenanceservice.exe"
    3⤵
    PID:1860
- - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
    "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
    3⤵
    PID:852
  - - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
      4⤵
      PID:3076
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml"
    3⤵
    PID:4020
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml"
    3⤵
    PID:2308
- - C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
    "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"
    3⤵
    PID:3008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js"
    3⤵
    PID:1920
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\settings.css
    3⤵
    PID:3188
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css
    3⤵
    PID:2664
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css
    3⤵
    PID:2392
- - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml"
    3⤵
    PID:3248
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js"
    3⤵
    PID:2576
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js"
    3⤵
    PID:320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:1556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 244EB163203315B2A7AD71DD57F4C903
  2⤵
  PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69b9758,0x7fef69b9768,0x7fef69b9778
  2⤵
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7a1dc1.rbs

Filesize
3KB

MD5
820d9cb5792fe05a01f0c6fe3152e610

SHA1
1bd02a7204d51ea6bef19fb94b6704ca1def201c

SHA256
e3cb0a1e07c0203415303b9dfdbe3ab09502f8b24104c7ba7b2cad257b87562e

SHA512
8f0a94e6d165dc9af39fd1e83e08586eb78e54162759dbda749ab0a12feecaebfa251c08571b5d7056b1c7aeed2a07ca33036567529ec85b203242977b6a765f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log

Filesize
162B

MD5
bfc37fac6b3e18296729f65c57ea5716

SHA1
c925e6772ad4264786bdb72fe6327002a53acca2

SHA256
1a026a000c59f7420d6a6697ca27f778d40a966488da4a9e15b1d5e6fb63ba58

SHA512
9b66d9bb67a52305965d20732ca6c6b18449a121acac0ef0c41b2894399186563d036ebcde6434200373592cfeb3298e54593c5a23c7f0c90ca9a40e73a20f1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c15da6d24951a3eb86edd3a3ed0b08f3

SHA1
412369337ee4dbd6e61b33a8a46d42928bcf1eb0

SHA256
eb7ba0f586d8645d885e1fc75c67c5e89bed436ff2735b535e4452841c6588f4

SHA512
9a475f10e8ac975e21e841fc10d156b50e0dd80f23a5e15798f961db4c2e8b1d824fde21d60204f939c8c22897a9d97ad1a0284c3a5b42bb5ca2a7ecd481b997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be43785e1a54a9ee74305570fe45df9b

SHA1
fdfa3b97b7ea9961a88c841558baaeb2b91c229f

SHA256
e2c16b2e1165d16989017237cf81d3653838228882ccf0306d964e5900fed41e

SHA512
e5aa9df58db2525b380dee6fda04ac61f840a2a1abe613436f905cd11b64b43445ac2314525ce0c1cd0df1d7f9a1800fce7a3828d859bcf9c0353b1c13db1ff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98be2fa3044f11f0356d1461f3cbe46a

SHA1
f4bd3fd610a25c11018d6780bbebcecf5faa6340

SHA256
12035ebcfec8690273af18c81a37ab2b0fff3dc95eb94c00722d816371e97927

SHA512
7ab499cbad79d202a95547b5195d25e16872e3a988471473156f14f852a874a11233442f5361195cc1ed4bbe979a82bb21612f4cbb599b7d00fc1413f248c4d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99e4562c72db2b32eb70f1fd83b68ed3

SHA1
4775619fd99e3cd636410a45de96d44c7ee56971

SHA256
7d672a3fdcc16abfe4ee63c11a46e7ffe9a2192cf410dfda52b118358516c12a

SHA512
ebc66c8d4502d7fbb0c3c24731bd7e742725d8600e0eefcb0c2bc994a1e185c1b88de4c10102caab1e6f9ef2e81b3c1c33764047138afda3ee587406cc2b91b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06a109083e5af9cfe162d8469bb76174

SHA1
f5bb5a3c167c3fbe0752857202bfc35f8b61b242

SHA256
9262d7e67d51ddf09032ad201f77e768e410e7f9b4d1efd02d8e0334c3f772a5

SHA512
8465ecdbd455d476d9a6fc4846cee4bb77824a8345f3702b700d3877c4406e66dd303b84b38635ca495479009f5932a428f25bdb0801a5dbb2f5fa15ce9ebf0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a19caf73420d7f9383e1f2aea37c8da

SHA1
2ad14e885f93817805361a9de7364e1eac992b93

SHA256
0cb12036cb6fd03bbbe5107607423d3656e6ed9fc2f3ec5cdf9a68fa6546b4e4

SHA512
016a13256d52103d9b701f43bceb6d828f3a61dae4f2453cffd5ada72ca068c1b239828d270f68cec4cae8c8c65e18ebf3a4e090d63d916183abe6f180ff950c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32753bec2d1758411615f10f785cb26f

SHA1
b1cf2f0d6dbf6fb9aef721e9ac64bb72cc973bcc

SHA256
7a54b015a1d6b06085f7aa59eee68ceac3e80529cd1f212a6bee3a6c9f8a138d

SHA512
285c85338f67bb17bad29ac54f9b250b1c71c222428340683b98fdbd3ddaf7735354fa71a9c8c8c82ebbc6aefbc1a647518ce41cedef78cefb48fae47a107316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1bf3efccde1fb954e0babc29f2644298

SHA1
00e342e9f0f1d5dfebbd929a753b41a6e0312871

SHA256
7c46ecab6f2c627d98804ae1f43896a3daaca9d3fa6457a09bc82a9f71780547

SHA512
63711715a944cadba0f5cdc0728da9141200390840663c52f6d45227e87a00e3c01f4dae9f69185540374e5ae352e38e029342139f0dfee981cb464e1d9fd6e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c45f2d59a73326458eb4d800787fcd24

SHA1
8406176cf6b94ab48a26a31fd8431118b7648f13

SHA256
cb783e246fe82ae15c0e4142164b9fb610d48dc954a0d7d9ec4b972250118493

SHA512
ddd9d8797fbb7921595e0ed530059afbccaa405e4263c011960932a26ec5d41704933729a701abd428284fb65dbd60847f98ceaf7bba72f94a2a240a545affba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5d9c6dd3-c4a6-4af1-bef5-b3498d2ea471.tmp

Filesize
231KB

MD5
ccbe90413b8192d55770ea5037d8206f

SHA1
08149db08c4dacc0c735be72ff98ff28ae2bb38e

SHA256
662ec7fe8995f66764a424507af0e62f35be61a5f640be5a0d4160c665495e2e

SHA512
90183a80831759afc9844357912e900f4b29a8408e4a6f944bf465b7c7e3fbefbfef19bdefc2cd2cebfb9abfba42e2a040a72859e97e51b816d686e28b7b2a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
39ff684cd3d1d94c2fb6b46100f307d8

SHA1
132f5fb5a6dcae572dbd0ff97eb367dbbb9c87b5

SHA256
c872f03f360cd719310fd2303105d47b8ab815561280819e5fd03241e8029959

SHA512
419b717a78bfa29fc5f8d45515e1c50cbb2afb8702b5b152c9833c63b25f951a70eb0f2c7b32d6ea1ca747175753e853d62629ef51eddf91ea59072f6e8a0cd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
40KB

MD5
1128652e9d55dcfc30d11ce65dbfc490

SHA1
c3dc05f00453708162853a9e6083a1362cc0fc26

SHA256
b189ff1f576a3672b67406791468936b4b5070778957ba3060a7141200231e4e

SHA512
75e611ba64a983b85b314b145a6d776ed8c786f62126539f6da3c1638bf7e566c11daf18d1811b07656de47ff8b50637520cf719a2cacc77a9d27393fc08453b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT~RFf76bb63.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
f60c09326368fce9b348fdf82433c6ae

SHA1
fb01a1832d9f9f4eba6494e6ec42eff80f7e76fc

SHA256
09acae05718e3ca6d5622255f71c4fb3af2b2d9ade8f954e4439650824e57595

SHA512
875715580c1164ede43ed7d803b6bea441ca5f2c6c8d90498bed3c791a8f1d788bfd1e073c7f7b9f159bf5f131c5d4337a7348ef00a909ee913005f26bbc5599

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
698aaac7420ba749a6dc748f8ec2a00c

SHA1
8821a4f716b9c1dce0577724fb11b18fd20424a8

SHA256
78037c546934e0c22191a144d28ea28493f03fabe7572da7090d9a3009883714

SHA512
09556613a56a140e96b1280b3a2652b544d9654e20bd1917c3177cd45f9710a904865ccabd6382eb218f353e2a60ca98a01ec35a6d3c554cfb0604d0cdc03cbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e4610c150207e86d56785cc9950c5131

SHA1
0ab92c88faadb140f51e958da483e4e40e31988d

SHA256
728f462291934f9fef0d4225d33bb5bc415163936eabc9189091fc756f470992

SHA512
84083f34f247b6f9e33aed3228d1523d047214ba71a38b10dadb9d77130cce1acfe5270cb9992c4a466beaf94be2dfa53d37e198e249192a8dc260e80e95ec70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
05448cf0b613c87bbf0954c1a6905092

SHA1
eb2b9b543d23fd284e7bff3be2e5c954fe2deb38

SHA256
91269d81e6316e86896a7e483c20aa43adfa549a7a20942f212d371ee2a7b8c5

SHA512
40244323e60aee08423dd3b12c576ce113cab709e4f35ebd9b6499b255d26d3ade08cdebc73d369356ef3c0eda1c77e71c0a41e3e028ebd4311fb7e3f179dcf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
2a0996b5280b08e5a8bd3df5becc5a3c

SHA1
47d488d881dd620f64abf824331eb43a66b40fd5

SHA256
dbe01ed66247714edfa0cff36532cb8713236560f91f8371af3447269b3ada18

SHA512
56b0065306dd4e692ff4ef14864a9160b60a2c6c442188745fc26ae663c49e90538288915850f50ff8a68ed58c2c8a18054987ff1b3648f05c00ff3e65d135da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
09a37255267bce815b8265e762dd1bf0

SHA1
c00a4a42f3a1b5485cc4e531db0e68cd1a04ada1

SHA256
2bda9954360c096fda31386506eae1d30ed140f34cf0f728bbe8772ef17716ba

SHA512
96c2321f2a560d434806647b5742627730891c48cf3230a4a9fa5e6a1e8cee832ef1b6d0d64204f09ba5411be240b0c1ec892ed2402c5b64151fc668cfecf380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3DA4AE1D-BCE2-11EE-B6E5-76D8C56D161B}.dat

Filesize
5KB

MD5
dab27cac75657efe5a18c25ac57913e2

SHA1
0ac90032e273b2e082b22e6af0f7cea1f993f6b2

SHA256
5ce17888fd5b4be5105effce2c01650e2446fadd77e87d8fd30754c6b6beaa63

SHA512
4dc125ac3226313f43f894e013724b90bc8c8c30012460363bb816f5c8dff67bfd381dcdcbb3c1fa7073fbb010b935d79444af33a5efe5926a46b5ffe7b4193c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1J1BPYJ\xmltreeview[1]

Filesize
16KB

MD5
407429efa2eb0d6c50c930c7e1367daf

SHA1
0fb34d09426168cc2b0753a8f39851b071275cba

SHA256
75f2444fee7ad83ad241d06c21244173cc282c54daecce1b23ac4c435ef3f6a0

SHA512
4e8a8f9a772038c8d17af1e86460af8524c983969422673f7474d93ef893c3cccb48cc7b4f15cf3edf020b768e05ff9f154f19ec4b36bb0f400be49b8549e9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC238.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC3C1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFD59077EBDAD976CE.TMP

Filesize
20KB

MD5
3ef3b39235217ce249e5604a9b32d0ab

SHA1
7096ecb878de5810c8d05e9f343394027db2cb14

SHA256
ebe8d1b3d112f0b8414866f9ec30c638834849834f7f0094333b73270c9e9b8a

SHA512
829b047cf37c8480ceb75ba09f47bd901c7b109545d8c264295641f73b1f8bdced83f24fadffe4447a1481112c546af7da30ee852561c4599c9802d8742c2753

Download Submit
C:\Users\Admin\AppData\Local\Temp\逍壌枃嬱鼢傂修塄嘇謭偢淝覟蚋羮淃.txt

Filesize
260B

MD5
7f5e7dfd384687fe4b90962c3dcf252c

SHA1
fa908d1af473c4c9488926fc453434e6562bc91b

SHA256
22e800669674960a15e05919beaf1a63a34d51448d3daae763170f1932908788

SHA512
703babade3c3364e551ec6bed0c5fbaf795569cf1a770467a72dfe6ae4069383981a422f8f215d82ff5299fd260e8d294fac81ec878f54bb703974bd9e803c3c

Download Submit
C:\Users\Admin\Downloads\Monoxide-main\MonoxideMBR\qemudbg.bat

Filesize
184B

MD5
697a945aecb9a17c17e069494203626c

SHA1
21882479ab81dedfb34cfbdc96c5e200d79d8cb8

SHA256
4bb8969e62c0b32572c400402c95281f35648aa4737a752808cf071d8aa520c8

SHA512
524425cbd2490680a4779cc70496a4d1cff1db74732c0bde6996af7de471ca55e7e21e7bc52704e649ff5b0520d019eb5bfcbd07e4b669217ca85f902562609c

Download Submit
C:\Users\Admin\Downloads\Monoxide-main\README.md

Filesize
380B

MD5
5241f58327a8277c8a8ff44460e33f3a

SHA1
06a104af21a773601ea22e18a490f365094cd36a

SHA256
8ce9d00578284fc4d78d9a39fd706bcca819b1d8107194c3eeb918b56fd5d72c

SHA512
ffb0967a79f3bc0077c360cfed86da2c238e3d7ab49fb1ede055ba4c19c393a55e227c7eaadec55f6a50989ca02b05632779cb0c6a1e45c2cbfe9d3992a054af

Download Submit
C:\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x86.exe

Filesize
289KB

MD5
5c378b11848ac59704c2000b4e711c30

SHA1
6a46c53fd89b1f66d3fdab7653181e8a3e56d418

SHA256
bd764fe2f9734d5ac56933ce68df0a175bfa98dc0266ae3cd3a5c963267ea77e

SHA512
c6fe33ff3825e9018abea99ea49dc5221f2abd96bd1099def898425b82c05f9b9ca1aacaba0b7ffb7d09a7d097eae9937abdc13bbf3e7643e24e37edc7841c48

Download Submit
\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe

Filesize
227KB

MD5
20ab37eb01439415c3bd225aeb7cc6de

SHA1
21f288e3dd35603aba1294a60933cd0eed75929d

SHA256
4045dc6b43a4d908dacdaec78becf31d39af033fff238d8500fec6a71066b39e

SHA512
9cf0318c93cd71bcf3e44c27a1b1ab9eaf483e40fd3ff6472b5d64f86974475929a7ebd4591899adb50fc48b35d5096c9a2af84d94f1929fc8b60a96895cdba9

Download Submit
\Users\Admin\AppData\Local\Temp\nsf9BB4.tmp\System.dll

Filesize
22KB

MD5
b361682fa5e6a1906e754cfa08aa8d90

SHA1
c6701aee0c866565de1b7c1f81fd88da56b395d3

SHA256
b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04

SHA512
2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4155.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4155.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\Downloads\Monoxide\Monoxide\Monoxide x64.exe

Filesize
330KB

MD5
692361071bbbb3e9243d09dc190fedea

SHA1
04894c41500859ea3617b0780f1cc2ba82a40daf

SHA256
ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe

SHA512
cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

Download Submit
\Windows\Installer\MSI1758.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
memory/904-1055-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/904-600-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/3008-1115-0x000007FEF5380000-0x000007FEF53CC000-memory.dmp

Filesize
304KB

Download
memory/3008-1116-0x000007FEF5380000-0x000007FEF53CC000-memory.dmp

Filesize
304KB

Download
memory/4072-604-0x0000000004350000-0x0000000004360000-memory.dmp

Filesize
64KB

Download