44ecc6a7624b2fdf03cb9b419f111892515fb036fe23f88e51456dce69066046

Analysis

max time kernel
258s
max time network
263s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Stremio+4.4.168.exe
Size

112.9MB
MD5

763b10b7a9293ccc9307b650a01db702
SHA1

b033764307a4df6cc81c654467630f2df67297ef
SHA256

44ecc6a7624b2fdf03cb9b419f111892515fb036fe23f88e51456dce69066046
SHA512

f6f8d0a78cfaa2c440567fc0e636ab6129c495991f679c93ae0b7e211d9e290e7d4628891fef35f0383662bc2237e21410dd849f1d6074a8994dfd8deeee5e0c
SSDEEP

3145728:XddpqKUfzM8/I/6Uj2jDxXz8sGd1TiDlSugSbc+cYOsNCO1JTN:tdoK18wiucDZxG7TOlS/SI+JNCO19N

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
1224	stremio.exe
4528	stremio-runtime.exe
4264	QtWebEngineProcess.exe
1152	QtWebEngineProcess.exe
4516	ffprobe.exe
2284	stremio-runtime.exe
3376	ffprobe.exe
4948	stremio-runtime.exe
4596	ffprobe.exe
3180	stremio-runtime.exe
3044	ffprobe.exe
3452	stremio-runtime.exe
2772	ffprobe.exe
4136	stremio-runtime.exe
1392	ffprobe.exe
3616	stremio-runtime.exe
2488	ffprobe.exe
5032	stremio-runtime.exe
4824	ffprobe.exe
2672	stremio-runtime.exe
4292	ffprobe.exe
5368	stremio-runtime.exe
5452	ffprobe.exe
4320	stremio-runtime.exe

Loads dropped DLL 64 IoCs

pid	Process
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
3256	4528	WerFault.exe	100
2860	2284	WerFault.exe	109
3496	4948	WerFault.exe	114
1888	3180	WerFault.exe	119
2816	3452	WerFault.exe	124
1920	4136	WerFault.exe	134
4968	3616	WerFault.exe	139
1364	5032	WerFault.exe	144
2132	2672	WerFault.exe	151
5564	5368	WerFault.exe	166

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\""	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\ = "URL:Stremio Protocol"	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe\" \"%1\""	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\URL Protocol	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\open	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\DefaultIcon	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\open	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\LNV\\Stremio-4\\stremio.exe,1"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\ = "open"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\shell\open\command	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\open\command	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\ = "URL:BitTorrent magnet"	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\URL Protocol	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet\DefaultIcon	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio	Stremio+4.4.168.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\stremio\shell\ = "open"	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\magnet	Stremio+4.4.168.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
3564	POWERPNT.EXE
1868	POWERPNT.EXE
1224	stremio.exe
5736	vlc.exe
3924	vlc.exe
6000	vlc.exe
5416	vlc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
1472	Stremio+4.4.168.exe
4264	QtWebEngineProcess.exe
1152	QtWebEngineProcess.exe
1152	QtWebEngineProcess.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
1224	stremio.exe
2860	OpenWith.exe
2376	OpenWith.exe
5600	OpenWith.exe
5736	vlc.exe
3924	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeTcbPrivilege	3484	svchost.exe
Token: SeRestorePrivilege	3484	svchost.exe
Token: SeDebugPrivilege	4676	firefox.exe
Token: SeDebugPrivilege	4676	firefox.exe
Token: SeDebugPrivilege	6012	firefox.exe
Token: SeDebugPrivilege	6012	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
4676	firefox.exe
6012	firefox.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe
5736	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3564	POWERPNT.EXE
3564	POWERPNT.EXE
3564	POWERPNT.EXE
3564	POWERPNT.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE
1868	POWERPNT.EXE
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
1224	stremio.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2860	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe
2376	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 1224	1472	Stremio+4.4.168.exe	98
PID 1472 wrote to memory of 1224	1472	Stremio+4.4.168.exe	98
PID 1472 wrote to memory of 1224	1472	Stremio+4.4.168.exe	98
PID 1224 wrote to memory of 4528	1224	stremio.exe	100
PID 1224 wrote to memory of 4528	1224	stremio.exe	100
PID 1224 wrote to memory of 4528	1224	stremio.exe	100
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 4264	1224	stremio.exe	102
PID 1224 wrote to memory of 1152	1224	stremio.exe	103
PID 1224 wrote to memory of 1152	1224	stremio.exe	103
PID 1224 wrote to memory of 1152	1224	stremio.exe	103
PID 4528 wrote to memory of 4516	4528	stremio-runtime.exe	104
PID 4528 wrote to memory of 4516	4528	stremio-runtime.exe	104
PID 1224 wrote to memory of 2284	1224	stremio.exe	109
PID 1224 wrote to memory of 2284	1224	stremio.exe	109
PID 1224 wrote to memory of 2284	1224	stremio.exe	109
PID 2284 wrote to memory of 3376	2284	stremio-runtime.exe	111
PID 2284 wrote to memory of 3376	2284	stremio-runtime.exe	111
PID 1224 wrote to memory of 4948	1224	stremio.exe	114
PID 1224 wrote to memory of 4948	1224	stremio.exe	114
PID 1224 wrote to memory of 4948	1224	stremio.exe	114
PID 4948 wrote to memory of 4596	4948	stremio-runtime.exe	116
PID 4948 wrote to memory of 4596	4948	stremio-runtime.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.168.exe
"C:\Users\Admin\AppData\Local\Temp\Stremio+4.4.168.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe
  "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1192
      4⤵
      Program crash
      PID:3256
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
    "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=renderer --autoplay-policy=no-user-gesture-required --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=2 --mojo-platform-channel-handle=3056 /prefetch:1
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe
    "C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=en-US --service-sandbox-type=network --application-name=Stremio --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=3212 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1152
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:3376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1108
      4⤵
      Program crash
      PID:2860
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:4596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1180
      4⤵
      Program crash
      PID:3496
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:3180
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:3044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 1124
      4⤵
      Program crash
      PID:1888
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:3452
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1116
      4⤵
      Program crash
      PID:2816
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:4136
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:1392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1108
      4⤵
      Program crash
      PID:1920
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:3616
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:2488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1116
      4⤵
      Program crash
      PID:4968
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:5032
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:4824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1116
      4⤵
      Program crash
      PID:1364
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:2672
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:4292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1116
      4⤵
      Program crash
      PID:2132
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:5368
  - - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe
      C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\ffprobe.exe -show_entries "stream=index,bit_rate,max_bit_rate,codec_type,codec_name,start_time,start_pts,r_frame_rate,sample_rate,channels,channel_layout,time_base,has_b_frames,nb_frames,width,height,color_space,color_transfer,color_primaries,codec_tag_string : stream_tags=title,language,duration,bps,number_of_bytes : format=format_name,duration,bit_rate,max_bit_rate" -print_format json http://127.0.0.1:11470/samples/hevc.mkv
      4⤵
      Executes dropped EXE
      PID:5452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1124
      4⤵
      Program crash
      PID:5564
- - C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe
    C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe C:/Users/Admin/AppData/Local/Programs/LNV/Stremio-4/server.js
    3⤵
    - Executes dropped EXE
    PID:4320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:244

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1996

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2948

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\WaitRead.pptx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\WaitRead.pptx" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4528 -ip 4528
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2284 -ip 2284
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4948 -ip 4948
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3180 -ip 3180
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3452 -ip 3452
1⤵
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484
- C:\Windows\system32\dashost.exe
  dashost.exe {6f946054-18b5-4fcb-b82aae9505a9d268}
  2⤵
  PID:3000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4136 -ip 4136
1⤵
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3616 -ip 3616
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5032 -ip 5032
1⤵
PID:1888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2376
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ExportHide.png"
  2⤵
  PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ExportHide.png
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4676
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7c76d5-8a3d-4b37-aafe-afd4cb910ace} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" gpu
      4⤵
      PID:3936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83c83011-c6ab-4ad6-a290-81caf03c7105} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" socket
      4⤵
      Checks processor information in registry
      PID:540
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3316 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3040 -prefsLen 26520 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9728694d-bcbe-4a26-9023-509421eb12a5} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab
      4⤵
      PID:880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3472 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3656 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44e0ccb9-a9c8-4df7-bbef-6df08da2e4c4} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab
      4⤵
      PID:3512
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4432 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {582ab3bd-319f-4ca6-918c-d2b6cbe5ca73} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" utility
      4⤵
      Checks processor information in registry
      PID:5724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e2bc5e0-bb43-485c-8bcd-e6cbcef7e802} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab
      4⤵
      PID:6072
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d698b17f-d4e1-43ca-84a1-31790930dd10} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab
      4⤵
      PID:6084
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 5 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a5f9828-4f37-428d-b81b-08d80f90668d} 4676 "\\.\pipe\gecko-crash-server-pipe.4676" tab
      4⤵
      PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2672 -ip 2672
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5368 -ip 5368
1⤵
PID:5532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\SetSearch.png"
  2⤵
  PID:5844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\SetSearch.png
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:6012
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3094919c-1ea1-4850-a79b-229d5f1b6bca} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" gpu
      4⤵
      PID:5992
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca480436-180d-4d85-922f-58a53ad6a049} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" socket
      4⤵
      Checks processor information in registry
      PID:5652
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 2976 -prefsLen 26520 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de2e9886-5fcf-487b-bddf-942743d49495} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab
      4⤵
      PID:2008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3620 -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb5798e-bb4c-4bb3-bbe5-5e7cddce1031} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab
      4⤵
      PID:3424
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4576 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4588 -prefMapHandle 4564 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b18c103b-c604-4066-9904-5eeb0fbf3964} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" utility
      4⤵
      Checks processor information in registry
      PID:5544
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 5180 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f98eb86-75d6-4ad8-b144-d4dc44cfd9c5} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab
      4⤵
      PID:1168
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 4 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d72c9e0-4a44-40da-95d7-216892c717cf} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab
      4⤵
      PID:5232
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63b044fc-7497-4093-8239-2736cc17dabe} 6012 "\\.\pipe\gecko-crash-server-pipe.6012" tab
      4⤵
      PID:1392

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CloseUnlock.au"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RequestWait.wvx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:3924

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"
1⤵
PID:4384

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"
1⤵
PID:5784

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:6000

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditPop.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:5416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39de055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
b6006c7751dfc5a1b2855352beb950c8

SHA1
902bbebd3ad43b5f6e31fca3dcf021afa7625ebe

SHA256
dc94f44811c4899d00bb7004ba2560f78f2cbf6739513e97affbe6352ba30797

SHA512
b63a0b6665ee940fc4f239615255736e4b2f62da01c910dd81fa1ea39dd3a37de92eacf419e0c34fcf89e91e548a34cebc87e37e1cd735c87dc530e0c6cd5e1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\startupCache\webext.sc.lz4

Filesize
108KB

MD5
e9b786067bdddda67a5a025f2348dfdc

SHA1
ff0cddbb44f0128ec6d00cc1b6ac7ecd97879219

SHA256
d02c52536523d8bafbe20018909b6c69ffe009c924a2cdd2eb1cadc3826fc463

SHA512
6ab0d0d6192cb4f2beff4a18ee9587056e47f6d435a65fbd2884f2f635f4e2f924bca1aaeecd39a27bf8ece07dd1bec86a78aebc665c73245499a38861b3b750

Download Submit
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio-runtime.exe

Filesize
49.1MB

MD5
58a451f04d8da2f547edf753fbe03fdf

SHA1
dfe60e0de8f4f892fdd5719d7b9657ad232f7414

SHA256
2a9d34c190c8c639c2817a371cd8ab6e5d8c8f5d0c45b8c72fbb1d9d4c1e9227

SHA512
0580068222d415ac6cb1f48a236ce425a57cf860cd802bfd31e76a296d269b8d4b9dd174d5d88552616ed7c99c1e758b23c4f69fa5f23c522f1f312f1a8d3ca6

Download Submit
C:\Users\Admin\AppData\Local\Programs\LNV\Stremio-4\stremio.exe

Filesize
300KB

MD5
c0fbaeea5372c54a2f39716fcbc6afec

SHA1
e54790d82d0abdc75607fa0384bb886fc9b8027b

SHA256
cc7b6317d48368cb5791a1e95de5306b6152777b09758d14666d82f4b315dabd

SHA512
002aa47f5223eb113d3b2bfe1c88eb0ba588b1fc79465340b06c69dde1b897fef73c1f2540712ff22a658a6fe7b8bca4d2b6d4ec9c3d643838ff70275ebd8816

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\0b86b658-fb6f-4252-aeba-48d0f51b3375.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Network Persistent State~RFe5aa1b0.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Smart Code ltd\Stremio\QtWebEngine\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6E1C.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6E1C.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e20772979f2708ff0551cabea5592955

SHA1
99981cb5c1520642adf578f2a98ed1f9fda35a62

SHA256
418aadf942dd7437f5d6a41b1553549a00aa3d8b3677e2a7d5b50e087259a770

SHA512
8aace1ea276c5440727319b7c8ad6f9e2458a59dfc409eb33b2486ac334f87f279a909750742d04ff376a174eec6ce14caf32325394c98e76ad5cf0055dd9778

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
586bc706fb75d3ad6acf6793c4f14f75

SHA1
88e5a8c832f948ffc724c0d88bc28105dc6e448f

SHA256
6b48f7b97672861609a3fd167ef112268a8b8a55e49175c1158cee4105b1c1d8

SHA512
b9ffef4e5a79916e1846482c7fbc46ea4fe54bafb20a3667e048eac14995e2bfd526018c9c926e0e3cb91098f62517ffe5bfeaa013241fe016ff1b435987a1db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
8c1b0dd04f0571d37f9bd934eb696cd5

SHA1
2b0448fecd566814ad336e9e87fd828bace42bd5

SHA256
6834a04c8371d4fb1abf6eb6ebd07f2fe202718eceac0453595819d20d841617

SHA512
2467fc5b2297a222591cb278c2ef4da526c4f3bc0157e19e266e423a579a8d5d1416aa75bbd5c6948b6d5e935611afe0861b9d8936dae1f49082bc72e7859594

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6d0b2e86a1747cf8980e4c148acf0f1c

SHA1
4d351715b440e516817f2f95747cdb1724652c0f

SHA256
5cfc17fee6b493c6f50cee87af459ec26016b3ecf61112a964c3c62bd0dd34a8

SHA512
fd8c0812c395464427a26d5bfd96aafc0a84649e8cdbfaa8ce35c8060f95352d1cb400b487b8e7108a0c70e8a9b815431d44f183a0af18a2dffdf374e219893e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
aa50806818d7cb74026461964ce55ca0

SHA1
50bbd2ed1c40dde726eb7efee4b4a4b217db6312

SHA256
a139fc8538f69e3376eb8e596ba6353639776b3f2508dc1bd61b67cfa58a0934

SHA512
e58dfd9315c51d63f54a4bfeb0293794f77d3a885d87df82c9521fcb22a5aaee6d39224dfdd97b41f3ff6b3f8272d09088910ca4c06fdf615642f07f47e517b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
416295985bc4d7d07e498802e345eb29

SHA1
9dfa1d4c5b27b2901ab23f79f1385d2a23e05c24

SHA256
d398e644cc01371a3138e063f84175e01516e1369028b3f5c8d86c9a1ced01db

SHA512
29c1a5661e4fa88a82e59c0ce53329790d79ac5518c05729be377270b2481bbfc9dd5bdba5f2bf285733b45432c80cd74bb10a13eb424cf04afd177d313458a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
69969d83722e797fd7c622ae4389f064

SHA1
41c4fa96ed992154c5a6ebe1a9cbd0a933ae815d

SHA256
74107d93865ec373b5d2face0453ae834c3739a8c1901249482da6d00c98ebdd

SHA512
120f05f55638e347194b6d21e3b1bf0f329b8b6d816249dc86e09dc02b30a6d0551b2fddfb478b7cb34a6e27403b19ac03567ba5b3805d98b5608746f6ef399d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\2d961c17-fe75-4813-aaba-b6ad695410e0

Filesize
671B

MD5
8e17da5fc3fca970c1c02bc2b9117d56

SHA1
3083ed668b76c5ba8ea5e3deac8dd40eb522617c

SHA256
ba9d6685960c04673e56e492dd4b1c84a861b89374daed9bd10a1136e942310e

SHA512
a0284a26e0e1a709369d348daf2c2b85be8e3d4059109e461f7557b40b41c8d3ab08415ec1dcd7db3d74c5ac7ce19580da74bbaddaba547f3854d93726f6054e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\8e3345f6-9e5f-4837-a463-34c666b28ed4

Filesize
905B

MD5
5300b02ab990a0299d8ac9eb1016fbc1

SHA1
6deb2097519518f0909053b07ce41d18fe383fda

SHA256
3d18e97bc97b4a585bc69ee54d798f2a5124f13da866a223c5be865fd9cbfca0

SHA512
2904da4d2a8f380beaebb27c1d3aa8707bdf4384ef132506941974c6817427ade39743da792df5af191f5ef84e01a690ab0942c94f55c439e9b3f28c55d44b35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\dfac5030-d5ab-47be-9b02-40ea5dbc4df6

Filesize
676B

MD5
c4439b0a6ec1964eae779f78a65930bd

SHA1
b02dc2deae5dd1751a71b2d29355bf704469df88

SHA256
a81e3774bc803d645493b4fad8ab792c929a7ad514d9b64cfe7ba0a9daa02dd6

SHA512
92fc0292a0b642b1fe7f19c23e44b12fcc5eb6595c8da11448883dc98c4ab3ecb112ba28bfe590f5ca1d92e0677e6be18b06dca09fae55aa6827e4fead8bf565

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\e44946c8-b526-4e3b-97a0-594591e45c31

Filesize
26KB

MD5
bcb37a2fbe43bd5ab68568ed7d786e7e

SHA1
b46f8fdb73e30d4306e7a6e9f184e3e92dcf47a9

SHA256
cf3ccad29fb13e5fbf85a2d215c5661daa2e5429b18a9ed08c8227d0a3eb2b0b

SHA512
0b228f4d018875737cd38cc5ef0762fcc9095b72351c3b4aad61c91f74085a357621c6358b47b53593700c27019cc10551de7b48dc545c70306171bdbed65173

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\datareporting\glean\pending_pings\e48d15a7-5c2c-47b6-ab81-a9807a6082f4

Filesize
982B

MD5
06f7769322a21cdb17cad26dceba46b6

SHA1
eab955fea0308cd4bb1e5371f81f6274e035e8f1

SHA256
a91cef2dc69daa663030b73ca7946ec08e8fae5b548b42d7555aa11d5bc92cc7

SHA512
ef48584830297e7311411890369bf9a4b73071ef9b6d8afe2ff1bcb88823444fba265c3244c608fe71e8d3ec9b154b019cf7e7916346e683ec7ef6832ea6042f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
8KB

MD5
ac7e5984a81829ba216576506cb5d6be

SHA1
929321b2605b31aadf8dd278009837bdc0b7fb72

SHA256
84ca16a20175cc0a69430757cf43d8427da8d616732f50100f367ce47aca8c2d

SHA512
d8b9513f7c2a6dd982a2d93ff296bfd56cc904cc83c5cea8c831dc22f8008b9e0f2d4558d90e4e00f5e69f7e925a92ff7193f04aacb898ac976213d6c54c853d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\prefs-1.js

Filesize
8KB

MD5
4872f30b4fe39f92594501a2453c8b90

SHA1
97cfd39049cd99e376dc7432c217e31af0836952

SHA256
05fac99a58f7bb0e7238d8d1999aa8c902cb3b77b5e4a78a8988b47daf26184e

SHA512
ccffe216f93e4f79fdf309d28e56467f81a8d31c0de0e1df5efa904a94cfca7e13521a10f7ef028b596c7cf11d38a8edff3327d8a37a61fa654ad83c3e52f58c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pz5zwzp5.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp3924

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
76B

MD5
37fb7e03c63be8f86d63a66bf06a658c

SHA1
ff6e0767805e16239c717a4b6142f91fdf69ae14

SHA256
5e6bf1b5af6336bb3b317b40b028f5c79e1368a10178c27aebe98d29ee7e0d0f

SHA512
16e80773682d4d5e62fd972a25bcdfa2a3ebb09df75602bc65415497d0820063b1ff5521dc5dfba0eb0e320a8bf212b8488e22464613cc3c94dc8d6ed62bf333

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
852B

MD5
b2de0a7e310b64804c6e06b132423ef2

SHA1
7787fd4ef98c70a7ddf6b150b8ad95c378de23ea

SHA256
738a04f7b1fbc837b0a955b03337095cbab608ecdbf503fbc3e5f215893f8b41

SHA512
a525fe01f6371046379f44c7651c04597181f8b1d0237f6e0f80db5a5354d0bfead5b5318f9fb975a5630113859a5c8a06d92ee0395d6bc38ec61bf4d713be0a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Ya5736

Filesize
75B

MD5
ee73342c7bdf2d78a7c2022e73f027b4

SHA1
4d245bcaf94202b9b932beb636187fa6b318a7b2

SHA256
fd35184a7754cd10ce329401afd4aefb1ff6f9f99816ae4630dfc759ad41be76

SHA512
1b8bc26105bc3f0a7eea49055c3b4d1eedcc2e17b00fb2b42e8965494190c1b5e309a5334b1f0fb384d1cac49498b9712cc381e46cbddfa4522ac464022b48af

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
636945f887927ff6b3bfd48803d14f6b

SHA1
dcaff7b2d044907733557ec8e1b11b6f9663b3cf

SHA256
0cb97d23e4ab09be62ea9eb541b9fa6052910e0275ecf8c99ed7d564141a51a1

SHA512
d546fb487c09309d11d5d203a42ca3152043fef5819bf5bcd10733ba16c6ef7c53b1c0cc78cd1dc670c762cbe66cd8c903a020b231b91f56829cab10bf324098

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
73ad437ddde2e3e99f136544783479fe

SHA1
d1cd5bf795d6c1739d5c7b7825c6c1d4eb1884bf

SHA256
da51d0f3e8165b72c7794b550e84abc9e0a29c58436adb04d552906346ac2a88

SHA512
fe383add519389cc6d12d438f3f7f13be33d396747752ab88469428b3025c9a87136e5d460d1b442f495c7dcfbddc10d72d75d83329eee1bed26cc203520e4f7

Download Submit
memory/1224-4057-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4048-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4040-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4039-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4038-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4033-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4032-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4031-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4030-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4029-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4028-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4027-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4026-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4025-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4024-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4023-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4022-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4021-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4020-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4042-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4043-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4044-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4045-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4046-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4047-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4041-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4049-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4050-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4051-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4052-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4054-0x000000000C670000-0x000000000C671000-memory.dmp

Filesize
4KB

Download
memory/1224-4055-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4056-0x000000000C670000-0x000000000C671000-memory.dmp

Filesize
4KB

Download
memory/1224-4035-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4036-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4037-0x000000000C650000-0x000000000C651000-memory.dmp

Filesize
4KB

Download
memory/1224-4019-0x000000000B5E0000-0x000000000B5E1000-memory.dmp

Filesize
4KB

Download
memory/1224-4017-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1224-4016-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1224-4014-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1224-4015-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1224-4013-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/1224-4003-0x0000000004B30000-0x0000000004F70000-memory.dmp

Filesize
4.2MB

Download
memory/1224-4005-0x0000000004F70000-0x0000000005170000-memory.dmp

Filesize
2.0MB

Download
memory/3564-3972-0x00007FFE49530000-0x00007FFE49540000-memory.dmp

Filesize
64KB

Download
memory/3564-3971-0x00007FFE49530000-0x00007FFE49540000-memory.dmp

Filesize
64KB

Download
memory/3564-3967-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp

Filesize
64KB

Download
memory/3564-3968-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp

Filesize
64KB

Download
memory/3564-3970-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp

Filesize
64KB

Download
memory/3564-3969-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp

Filesize
64KB

Download
memory/3564-3966-0x00007FFE4C0D0000-0x00007FFE4C0E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads