564ed18c74eb79156fe616e31f06cb2d945238aa095ba8b519820c23a72f979e

Resubmissions

20/04/2024, 13:28

240420-qqs1bsad31 6

20/04/2024, 13:21

240420-qltfasac6y 3

20/04/2024, 13:19

240420-qk2ehshf26 3

Analysis

max time kernel
384s
max time network
387s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

577KB
MD5

ab9889fc601d667eeb10c067df9f3148
SHA1

a3be9616239107acae7bb4992fe7e3cdde8da047
SHA256

ea72dfe525624db5c16274fdf5855ab2b31de39dc37f170e6758a6d14c7d66b8
SHA512

4443c9ecbed94338811e34704513e0b1c2a73349bc29620b2d706ab9c93ffcc3f1b01919e392473150a4745ba52f0b76107e18e45224e4b8af42f0406f5d3524
SSDEEP

12288:ahwRmxYqjV/l5WudgzJ4BvRzRIG8J7+eIC6wgx2w75xtu1tTsa:aImxYqjV/lUudM4FRnqJ+B17DtY

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
383	discord.com
384	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
381	ip-api.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6048	WMIC.exe
6776	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Seven(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Seven.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
112	msedge.exe
112	msedge.exe
1076	msedge.exe
1076	msedge.exe
5440	identity_helper.exe
5440	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeDebugPrivilege	4900	firefox.exe
Token: SeManageVolumePrivilege	5768	svchost.exe
Token: SeIncreaseQuotaPrivilege	6048	WMIC.exe
Token: SeSecurityPrivilege	6048	WMIC.exe
Token: SeTakeOwnershipPrivilege	6048	WMIC.exe
Token: SeLoadDriverPrivilege	6048	WMIC.exe
Token: SeSystemProfilePrivilege	6048	WMIC.exe
Token: SeSystemtimePrivilege	6048	WMIC.exe
Token: SeProfSingleProcessPrivilege	6048	WMIC.exe
Token: SeIncBasePriorityPrivilege	6048	WMIC.exe
Token: SeCreatePagefilePrivilege	6048	WMIC.exe
Token: SeBackupPrivilege	6048	WMIC.exe
Token: SeRestorePrivilege	6048	WMIC.exe
Token: SeShutdownPrivilege	6048	WMIC.exe
Token: SeDebugPrivilege	6048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6048	WMIC.exe
Token: SeRemoteShutdownPrivilege	6048	WMIC.exe
Token: SeUndockPrivilege	6048	WMIC.exe
Token: SeManageVolumePrivilege	6048	WMIC.exe
Token: 33	6048	WMIC.exe
Token: 34	6048	WMIC.exe
Token: 35	6048	WMIC.exe
Token: 36	6048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6048	WMIC.exe
Token: SeSecurityPrivilege	6048	WMIC.exe
Token: SeTakeOwnershipPrivilege	6048	WMIC.exe
Token: SeLoadDriverPrivilege	6048	WMIC.exe
Token: SeSystemProfilePrivilege	6048	WMIC.exe
Token: SeSystemtimePrivilege	6048	WMIC.exe
Token: SeProfSingleProcessPrivilege	6048	WMIC.exe
Token: SeIncBasePriorityPrivilege	6048	WMIC.exe
Token: SeCreatePagefilePrivilege	6048	WMIC.exe
Token: SeBackupPrivilege	6048	WMIC.exe
Token: SeRestorePrivilege	6048	WMIC.exe
Token: SeShutdownPrivilege	6048	WMIC.exe
Token: SeDebugPrivilege	6048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6048	WMIC.exe
Token: SeRemoteShutdownPrivilege	6048	WMIC.exe
Token: SeUndockPrivilege	6048	WMIC.exe
Token: SeManageVolumePrivilege	6048	WMIC.exe
Token: 33	6048	WMIC.exe
Token: 34	6048	WMIC.exe
Token: 35	6048	WMIC.exe
Token: 36	6048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6776	WMIC.exe
Token: SeSecurityPrivilege	6776	WMIC.exe
Token: SeTakeOwnershipPrivilege	6776	WMIC.exe
Token: SeLoadDriverPrivilege	6776	WMIC.exe
Token: SeSystemProfilePrivilege	6776	WMIC.exe
Token: SeSystemtimePrivilege	6776	WMIC.exe
Token: SeProfSingleProcessPrivilege	6776	WMIC.exe
Token: SeIncBasePriorityPrivilege	6776	WMIC.exe
Token: SeCreatePagefilePrivilege	6776	WMIC.exe
Token: SeBackupPrivilege	6776	WMIC.exe
Token: SeRestorePrivilege	6776	WMIC.exe
Token: SeShutdownPrivilege	6776	WMIC.exe
Token: SeDebugPrivilege	6776	WMIC.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe
4900	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 552 wrote to memory of 4900	552	firefox.exe	94
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 3176	4900	firefox.exe	95
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96
PID 4900 wrote to memory of 4528	4900	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
PID:468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:552
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.0.1922184252\1610862054" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e81c91b7-05b4-43c3-bb54-8c6892b4e9c7} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 1820 1ed434acb58 gpu
    3⤵
    PID:3176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.1.840788772\326297523" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e4fc0bc-a854-4dd5-9696-28ccf354c78a} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 2388 1ed36789f58 socket
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.2.87148967\1523521198" -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3028 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee6c677-4d1d-49f1-8a58-962aa2809ebc} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 3044 1ed45cf1258 tab
    3⤵
    PID:3660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.3.1647273954\670960103" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {411a35af-0f15-4f67-afef-71307f89250c} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 3708 1ed4846ee58 tab
    3⤵
    PID:5044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.4.1263811603\1306969528" -childID 3 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8d155f7-2a79-4a4b-b4b6-95b9e15a37ed} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5124 1ed4a925458 tab
    3⤵
    PID:1188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.5.979015308\1698175005" -childID 4 -isForBrowser -prefsHandle 5280 -prefMapHandle 5288 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e8f214c-e580-4a64-9051-63de705326f7} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5272 1ed4a925758 tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.6.1159667884\645081591" -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5488 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4c929e2-1824-4b2d-904d-3531be348b59} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5468 1ed4a926058 tab
    3⤵
    PID:3740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4900.7.237674190\1019687716" -childID 6 -isForBrowser -prefsHandle 2812 -prefMapHandle 3892 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1288 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6e9bb1a-ed54-4beb-961d-97145a5025bd} 4900 "\\.\pipe\gecko-crash-server-pipe.4900" 5880 1ed48d8e658 tab
    3⤵
    PID:6040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4592

C:\Users\Admin\Downloads\Seven\Seven.exe
"C:\Users\Admin\Downloads\Seven\Seven.exe"
1⤵
PID:3924

C:\Users\Admin\Downloads\Seven\Seven.exe
"C:\Users\Admin\Downloads\Seven\Seven.exe"
1⤵
PID:3612

C:\Users\Admin\Downloads\Seven\Seven.exe
"C:\Users\Admin\Downloads\Seven\Seven.exe"
1⤵
PID:1792

C:\Users\Admin\Downloads\Seven\Seven.exe
"C:\Users\Admin\Downloads\Seven\Seven.exe"
1⤵
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5844
- C:\Users\Admin\Downloads\Seven\Seven.dll
  Seven.dll
  2⤵
  PID:1560
- C:\Users\Admin\Downloads\Seven\Seven.exe
  Seven.exe
  2⤵
  PID:5384
- C:\Users\Admin\Downloads\Seven(1)\Seven.exe
  Seven.exe
  2⤵
  PID:6660
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe"
    3⤵
    PID:6728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:6776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
    3⤵
    PID:6844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe169446f8,0x7ffe16944708,0x7ffe16944718
      4⤵
      PID:6860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5768

C:\Users\Admin\Downloads\Seven(1)\Seven.exe
"C:\Users\Admin\Downloads\Seven(1)\Seven.exe"
1⤵
PID:5584
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe"
  2⤵
  PID:3728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious use of AdjustPrivilegeToken
    PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe169446f8,0x7ffe16944708,0x7ffe16944718
    3⤵
    PID:5912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:6052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:5736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:5464
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 /prefetch:8
    3⤵
    PID:5984
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:1004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:3768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
    3⤵
    PID:6260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    3⤵
    PID:6268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
    3⤵
    PID:6944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2104177248183247450,4553879386223233733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:7036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
559ff144c30d6a7102ec298fb7c261c4

SHA1
badecb08f9a6c849ce5b30c348156b45ac9120b9

SHA256
5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

SHA512
3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e36b219dcae7d32ec82cec3245512f80

SHA1
6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

SHA256
16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

SHA512
fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
e1e7a4909c70d4529111cf199519595b

SHA1
dc6afd26867a0d8cda3c6ce696c19f4e232bfeab

SHA256
ea311e13208d84db1faf1d25008f7242963097a6116ee309c51aa11dbcbbafd0

SHA512
0360ed7d95e17804866fcde2e0133723c74fded158ee064978146dc2a097552abc3b4726a2e046a612ffa0fb6487f4050348fd8d8199e329f94d4917740e8e16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
25fb846cd1cf9d5d7293f2a565c18bc5

SHA1
420879e7cba47a771ba3328c04fa13a477c3699f

SHA256
2746e8d79149d57813fc62313026b7b0c4c8322378062cc966ceb61230b2cd0a

SHA512
ea0ce8d4d55476950ef8bc1a9774fecb8642d144da914c80b09871982d5f317c8e09e0e2b3d7581c30d847559d46c61f679d735e13bf25580b47003439da61d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69a52b6cea922008dcc9daef6d1ce0aa

SHA1
333f9986b0813a56caae7fda4a9341789440374d

SHA256
1f1f9dceef0199c628077f7d9d37a4d7b275331ca587bb791c40445ff635fff7

SHA512
3de1b1619772cf5caf07cc5e3cdb52f9f735e77a3ad14de893755ad07f0e04491331ae8cdb27c6b3b3fd39283ad5db4158b9ad00c8b5f17b543dfa5c93b83769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63513666d99d75655f3b0bf6498246b2

SHA1
ed5ce5dce188050524d5c18fbc8264ff7adfa035

SHA256
fd7c0663d16038e8d899a591454bda95157214af4bc32eedf8cb958fdbc94b0e

SHA512
84f3cf5b103f00d9842d2deee2c2c0069dd55fc265293ba36a3a29b0efe78f1f25f9a2368c5a889cf410924c6b1e8cbc91965d38b9905120a0dfd662cd1c68dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e8c4ef6b78a7370927493f186793e714

SHA1
8d79c4fb9c7efd8b40ce9759daf705054dae3e0d

SHA256
45c17c051d5f7d1206c39f479ed843344b05d285b9ce9143510f8dcb02272f41

SHA512
04e67288dfe77e6ae1aa293a1d197d123eaf9fcd45abc3666cf30e4051bddd44f063bcbf8e39ee91a20acb009b4a0d99e1c0c11c552721ce9d3ed1089edcefea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
392330260e8292c73fb46a681d6a4ae9

SHA1
1f17d0334283acbe5127c781c0c54eae3e21aa21

SHA256
deae839b8ffafc31a3b9b98c134dcdb51d157eb67f04c7a6aaa30fe6751fc4a0

SHA512
9e7240bbd40006e8354bb5084898fcfc37480ed0441d7aaab6b5cdf51170aa27c69f9d2f122a3129063cc951503f5dea8d7abb9c5e9626150fb18992e695f25a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5cbf21.TMP

Filesize
372B

MD5
02f534a20c9219ac7522a9d4dd51a030

SHA1
1c2806d61dbdcbb19e68dbd83b61d2cb7b98dc15

SHA256
3301a089f9bb0158f8da52fadfa239a2c9ce7d1d0e106d42c9bc24d89a31808c

SHA512
1737cba9470f76403f8392cd137e5cf2e5667cc943f2771b3f15aab9e3bbfca75c8393f898aa3b1a466fc5e16dee9464a3e08a4531e2f4d95c4e9626c5a6be40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bbbd00cdabfa6cd34ccf1002d7df30c1

SHA1
ef5cdf1d99b3e114a18abb3d06e0bb8f1d9599da

SHA256
104975f01055a1ffdeeaa3747fb4bd2ffbe9752a6f1e30c0bd1f1faa6532c67d

SHA512
994b4ec24062caa78c95cf7cca1b8323c912bb4fdf2c24d179cce5d2476ea5c1f5c57130f3f03a0b3941b731fc6a9dc234bd188584862b5fe174a1dc35e9d69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f48ccefa53e6d4130aac0b7d564b63f

SHA1
7622dddf1887fd0105d79a454715215e1347303d

SHA256
2df7be24679f53c2fbe2fa4974fca91d9140e6540841e0f620c682dc08214c7f

SHA512
19131437484cca43671bade2654c6205e6411f4ba88d573c219ade9048fdd612248b7a0bf6331eb4bcd0c327b41f91b2d1f6e2a730247177af48174df0b244ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3840ff37efe703dd32ace71dbae263f1

SHA1
12206cd5f4f636d73c38b153cfa1d7b1898c5625

SHA256
8e04cf0a97aacc1ad7d3703055e7699b130bc1085731a4b2670b5560e2ddb4bf

SHA512
3659cf87cc6fb2b467749cee5518dbd6a669dbe5186c9eb29a8cf8303a871380abb77615d6953372a185090b2abdb38517d6b86e9a2213119783a7423d60e979

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4p84urxf.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
ea3e2a7fd601f3669068c0c03032bd73

SHA1
a8de43b9e6219eacca11b13295d38ad44d3b890b

SHA256
934be15639147a34fea0986a311577f05c520088d62de0fe16e6a42b82e31162

SHA512
d19559c9a0bd34677bd840ee559dc5729f25dd73285cea7779e547136d4e7dca12d19d6d7367627f2416bf3c5b9bd55e042a062ddf83705441234b69c0177e05

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4p84urxf.default-release\cache2\doomed\10586

Filesize
13KB

MD5
b14fa36c67be01c06770ae589fc35363

SHA1
de6526a48c93a36b6bc8fb5badc69616502400ff

SHA256
50a1dbed3a9b29f3dbf6abad56de4a491546f1dd17756f54aa069f66054b8e65

SHA512
9b9227f89738e9824dcbd32e73156aaa5958bba479e9760493b5d77ef51e36c8cf8f15720be66f208673a6980e0d0f2196e33c831208b1dbb3c5dd226ff8256c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4p84urxf.default-release\cache2\doomed\15916

Filesize
49KB

MD5
781bb679f17e8d645119935a3c9a2bc1

SHA1
a24e807f09ef9b546901eb8b5ad3f2fed92d409f

SHA256
8a4a6dde021544dd7d45aa1957c194a681fc92f572071bb4487e1978acca95f9

SHA512
a2e2f5c115727237c21eedcf01ffabef76f4a41fbc452651a0722ce211d6daeab14146a67077c14f42c4d635563c64f26db58d148e4e2f5925bb64fa6571f05f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4p84urxf.default-release\cache2\doomed\29686

Filesize
14KB

MD5
37e83570a83a5241f1bd9b5aeac207d7

SHA1
8a90e0fa46e9d535e28cbec391c6728256fbe729

SHA256
61d2267ac2285df333146f0e1842a015be23fd4480e481be3f93c49be09fdb67

SHA512
b1e2256a45e3dd8f5a92a160da950f40e07f77eec8ca3158a73718324bb2ddab930380cad17d0a2439b1a97a0e68d670df8e9a421aea8fc5809b9119e8094a27

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4p84urxf.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
24e26991aea680b6da8159c35d9ac84e

SHA1
1258ba7c3271a8a5ac7bf2972f8524f9796ae1cb

SHA256
4f4087ff0bbd9c5cbeb4d255bb302d99ce0fcb1e7e6a1bce68fe895e3e9b91d5

SHA512
79743d7aa861ea1953e8b8b216275b1c75743c5824805da64f2c97fef46fbad1916fd6cf766ba6ae2ad49228e02f995062d4ae53bdf393b79d3f9f7d5a23c916

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
b5d4dc125aff8f4ac1aee7b79938e402

SHA1
20e53215985f5447459aad9ec67769a12ae7e63a

SHA256
00c3d2aa80319b33bc29f5571ac77d0bb5c4cf1bb987986423c1c1d274e139e8

SHA512
77c84f2cbd09cfed747f7b8d66ab6668118d10cd3bff94ce59ea6be780fcad785c4530cdbc4917757c4e5de6dc4e2143205704f939c381210d26241e87e7dceb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
169b3c66ac27340640fb3d0a0accd852

SHA1
6547aa682394ae20677244ae44cde3c379357518

SHA256
c3c4f30b81b1bd9905fc38a8d2612eeeb2999844537c7487f4e0e343dfcd1d5b

SHA512
9e5b7871db8eb8a8231ede10eebe438be4878f0c15b66f7105982c185b636bd5eb0501c7f8751ee4c8021fe48f920c257f215cf111cb860b3ea4df9814038ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\prefs-1.js

Filesize
7KB

MD5
3c43e4ece37f48ce43fd61a69c638024

SHA1
2aed3212f9e2bf8a2daeea11c12cd970b34e7d0a

SHA256
6af8aef4ce34ab7f751edaa35a90e1d8f270cf25643068c9ce00b5696667485b

SHA512
c93a4be5bc73ccd5d29e6a01f19062e5d03f2f8ec3fdeb28c01751be5c3af2de5fc27e4e800a6bb1c9b1f58550323d6be7fe89c9d2925043d6e64a8e493b6092

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\prefs-1.js

Filesize
8KB

MD5
1caf793121322488274d1e39483504bc

SHA1
425a69693696ab979de00999f05ddce05eb30af4

SHA256
690f7cf557d1c32cd455f306409ffc6584dc84ddc590053b76b35936c1eb5602

SHA512
ed09b88215ecb868de5883e0c3e4461b5d98662026109834d82b3cc3af59e681d976b617c2c091e5f6259065ce3ca303500e8366253755700807e52be9ab3ab8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\prefs-1.js

Filesize
6KB

MD5
52045fe09c9a38ec9f722b54c4de7e59

SHA1
d29c89dacb193063be6eb3296017585f1fa6a412

SHA256
775b0d980709e90a1be97c0cfb97b5bdebfad6353b8786db2ebdce433e988042

SHA512
5806f05e0862dd7e8ad84ea3a8a62075a2ab5a51485038a37c2f41ee6d5fab445c0c7a09d1d791cea4322f79fb824aeedf2f39f3cb2273eacdb5053e2a3ac723

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8b6cbafb9ea45e80e3e3a36726849e90

SHA1
6f8c48bf9d47ff7360ab1fb441bf94503b460660

SHA256
356a752bad3f4bc645ff7abfb38b0c5e67aa20c6a7354e58aa2cbe0320e42beb

SHA512
59c7ec434d0176baf974e93106f40571b338ccfdee263687b9db5fe921c36ddeb313d9bf73b5abf0edc94b8e830a1a0cf63b14166b9e5f791f4e5732a252f170

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ad76b8bce6f23f078828bdcb3cc9af43

SHA1
2973a7ad3e81fcbf10a0a1a0a88c052f1c4a64f0

SHA256
b346ebbba827d38662bd84f98c0f72a3f004743ac2dbfe7c4247a9dd78e7dc92

SHA512
ceb66eca09209fa7b066719838d7e0e97eaca2c265fe8ee1a9624ba5cbb4b1b7e9e4866f46646cec248e5919d82ed1bf8f0fa1e31950799c9b58a1d9537f945e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ec1587d264d2cacc6cfc3e4d57be1d1a

SHA1
4232aa8a5f4f1e2618bdb2f1348f2f8485bd328d

SHA256
92d0951ecbcd257e5e28f085de952b15390bd1b93b5058f53da6ade05afefcf6

SHA512
89046141aff26aa21805cc959ddc2ac6df9fc76261893862fbb37989ce07d14fbe72d366c88381d2617fe6a69933fe88da7c8cbfc20fe46df16f3506f7480a41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
79c51dbb4740361ef97ce8db786ab39e

SHA1
e38b19bcd5bc829900894f28f227ba07f7e7df3e

SHA256
d823bad1affd64fba7033ee54f526b3326bfff8893403dcd91eb988365031001

SHA512
d146a3b60af13f589aafed4eb49f706e44367617933b0147e84b2d7c0a7511d3a18476c6df8f9565ffa5241c600d36f806a846758edf5939822d1da1c9fea8ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
74f399c10b27ac5abcd10e1b5830a040

SHA1
d188465119c04ce912386c7909d80dfd3a8e9afb

SHA256
17576d861a4ff88ae7fa3b6a9912a5df7b11151e86b35ce0406acc8747607ed6

SHA512
25b1408b98a579a2626d6fff44f7ee425d21c09bcded9159d8bb69498714ad9dab93b0440a99f895a5847b16e2fd2dbf3cbdab185585bae4c3e5a239ea88f0ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4p84urxf.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
5307b46350b9a429c9dac7e8fca5ccf2

SHA1
8f77962aa662774c42dd3c501d200e0d7cb0c968

SHA256
bd0c8c69d76a9afb10f8938ed7012cf396161507554edea6888a28dd2906e4f8

SHA512
e0e5eb6ad79d229798a2628cda1099ab7fde259bd2cc462a6a4d99e64f28d604e65eebcb02706a16cdeda69f4bf0d03c488169c533fb11882c00cafe899f20f1

Download Submit
C:\Users\Admin\Desktop\EncryptedLog.txt

Filesize
53B

MD5
bc63f4aa4d350ee7d1ba73b8fb2f4491

SHA1
f955c22cb3c639f6cf2b2b2e63bc6af349fd35e7

SHA256
f8f41ec302644c6d13894a5f59c2a302cb87167a9eaa3d87a4323e87de632a87

SHA512
198b999ee2a1e521f54e1ebd83e543e738eea8cca8bab26b464b80e7840f662ab33e1ec8824f6a1156ce5e6dd8b60e3624e554af12b643ff65d43ec5142faa20

Download Submit
C:\Users\Admin\Downloads\Seven(1).cd_0SghI.zip.part

Filesize
2KB

MD5
1c3785d1fc6e9feffbff14f0b3e8b862

SHA1
057b0051a72a3b763bd837fb8279344fd5b05bd7

SHA256
c8b38147591f9a3b4c0d52f8f7187acd33bcc747ef68f0681cbb88f80c470543

SHA512
421a7b7e0e5899496b7cbd31ba632a0355c1c8e8fa309660d5f2803a3f174cc25728041665355155eb6d9dc8131bbeda067f28d73c33a2a99549e0437bb0afda

Download Submit
C:\Users\Admin\Downloads\Seven(1).cd_0SghI.zip.part

Filesize
645KB

MD5
9ba27a2238c124c530c66cadf2975fe6

SHA1
6901d8437bbb357ed302abeb54d58387dc3267f7

SHA256
f6863b321e47e1088212c0ce3f16c9070331d26d7f198752a49bd2ead395719a

SHA512
fb8e00d32e0c8c430fb6742516aa9a8362cb19a7e76c07d118baf75cedbcebd118150c25b7021ffaf806e91aef6945b939de41008b4b008f957dfbbd7b1ac0f2

Download Submit
C:\Users\Admin\Downloads\Seven(1)\KeyAndIV.txt

Filesize
48B

MD5
8933fd5a504146f2d0d0b375e5953ce3

SHA1
ab58a1ad9e68247f946a7b7938076723b0207e39

SHA256
057fae20bead6e112203adb947934c5f4a5e04ac660f657efd305770ab08c67c

SHA512
353d07ea147b558248e72f508cd80cb96cb7867646d541bfaf9957442dacaadd02caca61cd7dd8681688def46b5c1a01a7570a194bd215f15c441ed050ef4890

Download Submit
C:\Users\Admin\Downloads\Seven.iilt_BTw.zip.part

Filesize
14KB

MD5
a430605701c44d04844e3daa058b53f3

SHA1
01425ffb2767b7468f638d4179bf892cff56eb5d

SHA256
4c36913588c8ae7931ef98f76f2d0807022477a31ca550581ef8470c3cee428c

SHA512
6077b19c043190c42964550065951579f2f3cad2ae8067f4913e0f37143fd2d165f1fc5ca172312597ce9bf804326346721da0b33a25bba4eea8032645a67834

Download Submit
memory/1560-281-0x0000019410C50000-0x0000019410CE6000-memory.dmp

Filesize
600KB

Download
memory/1560-282-0x00007FFE17C80000-0x00007FFE18741000-memory.dmp

Filesize
10.8MB

Download
memory/5768-2399-0x00000231EDF70000-0x00000231EDF80000-memory.dmp

Filesize
64KB

Download
memory/5768-2415-0x00000231EE070000-0x00000231EE080000-memory.dmp

Filesize
64KB

Download
memory/5768-2443-0x00000231F6520000-0x00000231F6521000-memory.dmp

Filesize
4KB

Download
memory/5768-2439-0x00000231F63E0000-0x00000231F63E1000-memory.dmp

Filesize
4KB

Download
memory/5768-2441-0x00000231F6410000-0x00000231F6411000-memory.dmp

Filesize
4KB

Download
memory/5768-2442-0x00000231F6410000-0x00000231F6411000-memory.dmp

Filesize
4KB

Download