Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 106s
max time network: 114s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/06/2024, 20:50
Behavioral tasks
task | Sample | Resource
behavioral1 | FN-TOOLZ-main/FNCLEAN.bat | win10v2004-20240508-en
behavioral2 | Tournament_Fixer/AdditionalRuntimes/DevManView.exe | win10v2004-20240611-en
behavioral3 | Tournament_Fixer/AdditionalRuntimes/MCCSPal.dll | win10v2004-20240508-en
behavioral4 | Tournament_Fixer/AdditionalRuntimes/MaintenanceUI.dll | win10v2004-20240611-en
behavioral5 | Tournament_Fixer/AdditionalRuntimes/ccl.exe | win10v2004-20240611-en
behavioral6 | Tournament_Fixer/AdditionalRuntimes/cpuz.exe | win10v2004-20240508-en
behavioral7 | Tournament_Fixer/AdditionalRuntimes/ddc.exe | win10v2004-20240508-en
behavioral8 | Tournament_Fixer/AdditionalRuntimes/hssft.exe | win10v2004-20240611-en
behavioral9 | Tournament_Fixer/AdditionalRuntimes/hwbd64.exe | win10v2004-20240508-en
behavioral10 | Tournament_Fixer/AdditionalRuntimes/hwinfo32.exe | win10v2004-20240611-en
behavioral11 | Tournament_Fixer/AdditionalRuntimes/hwinfo64.exe | win10v2004-20240611-en
behavioral12 | Tournament_Fixer/AdditionalRuntimes/jfg.exe | win10v2004-20240508-en
behavioral13 | Tournament_Fixer/AdditionalRuntimes/jsg.exe | win10v2004-20240611-en
behavioral14 | Tournament_Fixer/AdditionalRuntimes/jsr.exe | win10v2004-20240611-en
behavioral15 | Tournament_Fixer/AdditionalRuntimes/kwg.exe | win10v2004-20240611-en
behavioral16 | Tournament_Fixer/AdditionalRuntimes/lsm.dll | win10v2004-20240508-en
behavioral17 | Tournament_Fixer/AdditionalRuntimes/lsmproxy.dll | win10v2004-20240508-en
behavioral18 | Tournament_Fixer/AdditionalRuntimes/lstelemetry.dll | win10v2004-20240611-en
behavioral19 | Tournament_Fixer/AdditionalRuntimes/luainstall.dll | win10v2004-20240508-en
behavioral20 | Tournament_Fixer/AdditionalRuntimes/luiapi.dll | win10v2004-20240226-en
behavioral21 | Tournament_Fixer/AdditionalRuntimes/lz32.dll | win10v2004-20240611-en
behavioral22 | Tournament_Fixer/AdditionalRuntimes/mcicda.dll | win10v2004-20240508-en
behavioral23 | Tournament_Fixer/AdditionalRuntimes/mciwave.dll | win10v2004-20240611-en
behavioral24 | Tournament_Fixer/AdditionalRuntimes/mfc70.dll | win10v2004-20240611-en
behavioral25 | Tournament_Fixer/AdditionalRuntimes/nvrl.exe | win10v2004-20240611-en
behavioral26 | Tournament_Fixer/AdditionalRuntimes/nvrl64.exe | win10v2004-20240508-en
behavioral27 | Tournament_Fixer/AdditionalRuntimes/tcs.exe | win10v2004-20240611-en
behavioral28 | Tournament_Fixer/AdditionalRuntimes/tcs64.exe | win10v2004-20240611-en
behavioral29 | Tournament_Fixer/AdditionalRuntimes/tm.exe | win10v2004-20240508-en
behavioral30 | Tournament_Fixer/AdditionalRuntimes/wmc.exe | win10v2004-20240508-en
behavioral31 | FN-TOOLZ-main/applecleaner.exe | win10v2004-20240611-en
behavioral32 | FN-TOOLZ-main/serial_checker.bat | win10v2004-20240508-en
General
Target: FN-TOOLZ-main/FNCLEAN.bat
Size: 3.2MB
MD5: 0bef79984a785d284e225d3576239802
SHA1: 0a759883c5cd8822f269eca241c4dc8c43d86220
SHA256: 33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80
SHA512: d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad
SSDEEP: 49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1
Malware Config
Signatures
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Modifies system executable filetype association 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" | OneDrive.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4636 | sc.exe
3600 | sc.exe
4956 | sc.exe
2528 | sc.exe
400 | sc.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | OneDrive.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | OneDrive.exe
Enumerates system info in registry 2 TTPs 9 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Kills process with taskkill 13 IoCs
pid | Process
1428 | taskkill.exe
1676 | taskkill.exe
3780 | taskkill.exe
2524 | taskkill.exe
5100 | taskkill.exe
3060 | taskkill.exe
820 | taskkill.exe
3076 | taskkill.exe
3264 | taskkill.exe
3188 | taskkill.exe
3532 | taskkill.exe
2892 | taskkill.exe
3500 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | OneDrive.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" | OneDrive.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639086792631678" | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC} | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c} | OneDrive.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D4950C79-806D-4ECE-9DB1-11B34D33F514}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WbemScripting.SWbemObjectPath.1 | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\TypeLib\Version = "1.0" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VersionIndependentProgID\ = "SyncEngineFileInfoProvider.SyncEngineFileInfoProvider" | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C659258-E236-11D2-8899-00104B2AFB46} | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32 | OneDrive.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{55F7B88D-A254-4B22-B7BB-FCDBBA1AFA32}\TypeLib\ = "{0438D53A-9A57-423C-9E54-9612C4576257}" | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID\ = "{5999E1EE-711E-48D2-9884-851A709F543D}" | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TypeLib | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A571F412-E3D2-4A32-BF42-1D3B2203FF17} | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\ = "SharedOverlayHandler Class" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\TypeLib | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib\Version = "1.0" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32 | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\ = "ToastActivator Class" | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C0B0642-1DEB-43DF-8032-7A9BF5811A74}\Version | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\shell\open | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C2FEEEAC-CFCD-11D1-8B05-00600806D9B6}\VersionIndependentProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223} | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" | OneDrive.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WbemScripting.SWbemNamedValueSet.1\ = "WBEM Scripting Named Value Collection 1.0" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMISnapinAbout.1 | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A} | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\VersionIndependentProgID | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406} | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0" | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{33831ED4-42B8-11D2-93AD-00805F853771} | regsvr32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\ = "IFileInformationProvider" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ProxyStubClsid32 | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\ProxyStubClsid32 | OneDrive.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\ProgID | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32 | OneDrive.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CurVer | OneDrive.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75718C9A-F029-11D1-A1AC-00C04FB6C223}\TypeLib | regsvr32.exe
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
4540 | OneDrive.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
4324 | chrome.exe
4324 | chrome.exe
3212 | msedge.exe
3212 | msedge.exe
2696 | msedge.exe
2696 | msedge.exe
4540 | OneDrive.exe
4540 | OneDrive.exe
3688 | chrome.exe
3688 | chrome.exe
Suspicious behavior: LoadsDriver 6 IoCs
pid | Process
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
4 | Process not Found
664 | Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
pid | Process
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
4324 | chrome.exe
2696 | msedge.exe
2696 | msedge.exe
3688 | chrome.exe
3688 | chrome.exe
3688 | chrome.exe
3688 | chrome.exe
3688 | chrome.exe
3688 | chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1428 | taskkill.exe
Token: SeDebugPrivilege | 3076 | taskkill.exe
Token: SeDebugPrivilege | 3264 | taskkill.exe
Token: SeDebugPrivilege | 5100 | taskkill.exe
Token: SeDebugPrivilege | 3780 | taskkill.exe
Token: SeDebugPrivilege | 3188 | taskkill.exe
Token: SeDebugPrivilege | 3060 | taskkill.exe
Token: SeDebugPrivilege | 3532 | taskkill.exe
Token: SeDebugPrivilege | 1676 | taskkill.exe
Token: SeDebugPrivilege | 2892 | taskkill.exe
Token: SeDebugPrivilege | 2524 | taskkill.exe
Token: SeDebugPrivilege | 3500 | taskkill.exe
Token: SeDebugPrivilege | 820 | taskkill.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Token: SeCreatePagefilePrivilege | 4324 | chrome.exe
Token: SeShutdownPrivilege | 4324 | chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 4324 chrome.exe 336 firefox.exe 336 firefox.exe 336 firefox.exe 336 firefox.exe 4540 OneDrive.exe 4540 OneDrive.exe 4540 OneDrive.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 4324 chrome.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 2696 msedge.exe 336 firefox.exe 336 firefox.exe 336 firefox.exe 4540 OneDrive.exe 4540 OneDrive.exe 4540 OneDrive.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe 3688 chrome.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
336 | firefox.exe
4540 | OneDrive.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 628 wrote to memory of 3528 | 628 | cmd.exe | 82
PID 628 wrote to memory of 3528 | 628 | cmd.exe | 82
PID 628 wrote to memory of 1428 | 628 | cmd.exe | 83
PID 628 wrote to memory of 1428 | 628 | cmd.exe | 83
PID 628 wrote to memory of 3076 | 628 | cmd.exe | 85
PID 628 wrote to memory of 3076 | 628 | cmd.exe | 85
PID 628 wrote to memory of 3264 | 628 | cmd.exe | 86
PID 628 wrote to memory of 3264 | 628 | cmd.exe | 86
PID 628 wrote to memory of 5100 | 628 | cmd.exe | 87
PID 628 wrote to memory of 5100 | 628 | cmd.exe | 87
PID 628 wrote to memory of 3780 | 628 | cmd.exe | 88
PID 628 wrote to memory of 3780 | 628 | cmd.exe | 88
PID 628 wrote to memory of 3188 | 628 | cmd.exe | 89
PID 628 wrote to memory of 3188 | 628 | cmd.exe | 89
PID 628 wrote to memory of 3060 | 628 | cmd.exe | 90
PID 628 wrote to memory of 3060 | 628 | cmd.exe | 90
PID 628 wrote to memory of 3532 | 628 | cmd.exe | 91
PID 628 wrote to memory of 3532 | 628 | cmd.exe | 91
PID 628 wrote to memory of 1676 | 628 | cmd.exe | 92
PID 628 wrote to memory of 1676 | 628 | cmd.exe | 92
PID 628 wrote to memory of 2892 | 628 | cmd.exe | 93
PID 628 wrote to memory of 2892 | 628 | cmd.exe | 93
PID 628 wrote to memory of 2524 | 628 | cmd.exe | 94
PID 628 wrote to memory of 2524 | 628 | cmd.exe | 94
PID 628 wrote to memory of 3500 | 628 | cmd.exe | 95
PID 628 wrote to memory of 3500 | 628 | cmd.exe | 95
PID 628 wrote to memory of 820 | 628 | cmd.exe | 96
PID 628 wrote to memory of 820 | 628 | cmd.exe | 96
PID 628 wrote to memory of 3600 | 628 | cmd.exe | 97
PID 628 wrote to memory of 3600 | 628 | cmd.exe | 97
PID 628 wrote to memory of 4956 | 628 | cmd.exe | 98
PID 628 wrote to memory of 4956 | 628 | cmd.exe | 98
PID 628 wrote to memory of 2528 | 628 | cmd.exe | 99
PID 628 wrote to memory of 2528 | 628 | cmd.exe | 99
PID 628 wrote to memory of 400 | 628 | cmd.exe | 100
PID 628 wrote to memory of 400 | 628 | cmd.exe | 100
PID 628 wrote to memory of 4636 | 628 | cmd.exe | 101
PID 628 wrote to memory of 4636 | 628 | cmd.exe | 101
PID 628 wrote to memory of 1680 | 628 | cmd.exe | 102
PID 628 wrote to memory of 1680 | 628 | cmd.exe | 102
PID 1680 wrote to memory of 3824 | 1680 | net.exe | 103
PID 1680 wrote to memory of 3824 | 1680 | net.exe | 103
PID 628 wrote to memory of 5112 | 628 | cmd.exe | 104
PID 628 wrote to memory of 5112 | 628 | cmd.exe | 104
PID 628 wrote to memory of 4292 | 628 | cmd.exe | 105
PID 628 wrote to memory of 4292 | 628 | cmd.exe | 105
PID 628 wrote to memory of 1280 | 628 | cmd.exe | 106
PID 628 wrote to memory of 1280 | 628 | cmd.exe | 106
PID 628 wrote to memory of 3960 | 628 | cmd.exe | 107
PID 628 wrote to memory of 3960 | 628 | cmd.exe | 107
PID 628 wrote to memory of 4532 | 628 | cmd.exe | 108
PID 628 wrote to memory of 4532 | 628 | cmd.exe | 108
PID 628 wrote to memory of 4436 | 628 | cmd.exe | 109
PID 628 wrote to memory of 4436 | 628 | cmd.exe | 109
PID 628 wrote to memory of 1768 | 628 | cmd.exe | 110
PID 628 wrote to memory of 1768 | 628 | cmd.exe | 110
PID 628 wrote to memory of 864 | 628 | cmd.exe | 111
PID 628 wrote to memory of 864 | 628 | cmd.exe | 111
PID 628 wrote to memory of 4056 | 628 | cmd.exe | 112
PID 628 wrote to memory of 4056 | 628 | cmd.exe | 112
PID 628 wrote to memory of 5012 | 628 | cmd.exe | 113
PID 628 wrote to memory of 5012 | 628 | cmd.exe | 113
PID 628 wrote to memory of 3328 | 628 | cmd.exe | 114
PID 628 wrote to memory of 3328 | 628 | cmd.exe | 114
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-TOOLZ-main\FNCLEAN.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\cacls.exe (depth 2)
  Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  PID:3528

C:\Windows\system32\taskkill.exe (depth 2), one process per line; each flagged "Kills process with taskkill" and "Suspicious use of AdjustPrivilegeToken":
  PID:1428  taskkill /f /im epicgameslauncher.exe
  PID:3076  taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  PID:3264  taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  PID:5100  taskkill /f /im FortniteLauncher.exe
  PID:3780  taskkill /f /im OneDrive.exe
  PID:3188  taskkill /f /im FortniteClient-Win64-Shipping.exe
  PID:3060  taskkill /f /im EpicGamesLauncher.exe
  PID:3532  taskkill /f /im UnrealCEFSubProcess.exe
  PID:1676  taskkill /f /im CEFProcess.exe
  PID:2892  taskkill /f /im EasyAntiCheat.exe
  PID:2524  taskkill /f /im BEService.exe
  PID:3500  taskkill /f /im BEServices.exe
  PID:820   taskkill /f /im BattleEye.exe
C:\Windows\system32\sc.exe (depth 2), one process per line; each flagged "Launches sc.exe":
  PID:3600  Sc stop EasyAntiCheat
  PID:4956  Sc stop FortniteClient-Win64-Shipping_EAC
  PID:2528  Sc stop BattleEye
  PID:400   Sc stop FortniteClient-Win64-Shipping_BE
  PID:4636  sc config winmgmt start= disabled

C:\Windows\system32\net.exe (depth 2)
  Command line: net stop winmgmt /y
  - Suspicious use of WriteProcessMemory
  PID:1680

C:\Windows\system32\net1.exe (depth 3)
  Command line: C:\Windows\system32\net1 stop winmgmt /y
  PID:3824
C:\Windows\system32\cmd.exe (depth 2)
  Command line: C:\Windows\system32\cmd.exe /c dir /b *.dll
  PID:5112

C:\Windows\system32\regsvr32.exe (depth 2), one process per line:
  PID:4292  regsvr32 /s appbackgroundtask.dll
  PID:1280  regsvr32 /s cimwin32.dll
  PID:3960  regsvr32 /s DMWmiBridgeProv.dll
  PID:4532  regsvr32 /s DMWmiBridgeProv1.dll
  PID:4436  regsvr32 /s dnsclientcim.dll
  PID:1768  regsvr32 /s dnsclientpsprovider.dll
  PID:864   regsvr32 /s Dscpspluginwkr.dll
  PID:4056  regsvr32 /s dsprov.dll
    - Modifies registry class
  PID:5012  regsvr32 /s EmbeddedLockdownWmi.dll
  PID:3328  regsvr32 /s esscli.dll
  PID:4504  regsvr32 /s EventTracingManagement.dll
  PID:3212  regsvr32 /s fastprox.dll
  PID:2420  regsvr32 /s ipmiprr.dll
  PID:4500  regsvr32 /s ipmiprv.dll
  PID:988   regsvr32 /s KrnlProv.dll
  PID:1304  regsvr32 /s MDMAppProv.dll
  PID:2280  regsvr32 /s MDMSettingsProv.dll
  PID:4732  regsvr32 /s Microsoft.AppV.AppVClientWmi.dll
  PID:1212  regsvr32 /s Microsoft.Uev.AgentWmi.dll
    - Modifies registry class
  PID:1432  regsvr32 /s MMFUtil.dll
  PID:2636  regsvr32 /s mofd.dll
  PID:5024  regsvr32 /s mofinstall.dll
  PID:4468  regsvr32 /s msdtcwmi.dll
  PID:2640  regsvr32 /s msiprov.dll
  PID:1092  regsvr32 /s NCProv.dll
  PID:2320  regsvr32 /s ndisimplatcim.dll
  PID:3176  regsvr32 /s NetAdapterCim.dll
  PID:3220  regsvr32 /s netdacim.dll
  PID:1548  regsvr32 /s NetEventPacketCapture.dll
  PID:4388  regsvr32 /s netnccim.dll
  PID:2788  regsvr32 /s NetPeerDistCim.dll
  PID:4624  regsvr32 /s netswitchteamcim.dll
  PID:5092  regsvr32 /s NetTCPIP.dll
  PID:3820  regsvr32 /s netttcim.dll
  PID:3588  regsvr32 /s nlmcim.dll
  PID:3032  regsvr32 /s ntevt.dll
  PID:2460  regsvr32 /s PolicMan.dll
  PID:3656  regsvr32 /s PrintManagementProvider.dll
  PID:1020  regsvr32 /s qoswmi.dll
  PID:1912  regsvr32 /s RacWmiProv.dll
  PID:748   regsvr32 /s repdrvfs.dll
  PID:4948  regsvr32 /s schedprov.dll
  PID:1064  regsvr32 /s ServDeps.dll
  PID:4288  regsvr32 /s SMTPCons.dll
  PID:3752  regsvr32 /s stdprov.dll
  PID:3644  regsvr32 /s vdswmi.dll
  PID:4764  regsvr32 /s viewprov.dll
  PID:2164  regsvr32 /s vpnclientpsprovider.dll
  PID:4448  regsvr32 /s vsswmi.dll
  PID:4484  regsvr32 /s wbemcntl.dll
    - Modifies registry class
  PID:3916  regsvr32 /s wbemcons.dll
  PID:2564  regsvr32 /s wbemcore.dll
  PID:1968  regsvr32 /s wbemdisp.dll
    - Modifies registry class
  PID:1880  regsvr32 /s wbemess.dll
  PID:5096  regsvr32 /s wbemprox.dll
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2), one process per line:
  PID:3560  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffc19acab58,0x7ffc19acab68,0x7ffc19acab78
  PID:4352  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:2
  PID:1312  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
  PID:4876  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
  PID:1992  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3024 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:2400  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:3396  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4272 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:4088  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
  PID:764   "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
  PID:4064  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4124 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:2676  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4436 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:4864  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3060 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:3576  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4320 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:3596  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3104 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:3900  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4104 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:3244  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3132 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:1148  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4860 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:1
  PID:2312  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
  PID:4368  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3132 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8
  PID:1760  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1916,i,4923498581716284657,14852838470744311498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID:3008
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2), one process per line:
  PID:4648  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc096e46f8,0x7ffc096e4708,0x7ffc096e4718
  PID:764   "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  PID:3212  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  PID:2120  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  PID:2400  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  PID:2512  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1641416480451424712,5456917777122669342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:4488

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:3056
C:\Program Files\Mozilla Firefox\firefox.exe (depth 1)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:4484

C:\Program Files\Mozilla Firefox\firefox.exe (depth 2)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:336

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3), one process per line:
  PID:4572  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.0.1687205155\620404844" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72c0f628-a591-416b-8be9-4fa4b46f3744} 336 "\\.\pipe\gecko-crash-server-pipe.336" 1868 1f5aa11a558 gpu
  PID:2448  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.1.1259090993\135693298" -parentBuildID 20230214051806 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d2d4b49-de10-47a6-bb36-6f1e2e427b96} 336 "\\.\pipe\gecko-crash-server-pipe.336" 2392 1f595e89f58 socket
    - Checks processor information in registry
  PID:1808  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.2.2095034817\409581324" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 2936 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e782b676-812a-4735-a051-131dadd4cb3b} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3064 1f5acf07758 tab
  PID:2596  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.3.262397246\1532890146" -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8414e907-be05-4f04-b54e-f39338aeb153} 336 "\\.\pipe\gecko-crash-server-pipe.336" 3984 1f5aede9c58 tab
  PID:2776  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.4.1751320324\1555874683" -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4856 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b5b13a4-1444-4367-b10b-9b95c2b8b869} 336 "\\.\pipe\gecko-crash-server-pipe.336" 4884 1f5b0f3d158 tab
  PID:4100  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.5.1106532333\1914084109" -childID 4 -isForBrowser -prefsHandle 5084 -prefMapHandle 5080 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e37147d-32ac-4bc8-8fab-17a40f14525c} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5092 1f5b0f3d758 tab
  PID:3456  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.6.287551704\1466741780" -childID 5 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {292e35af-2b16-4b5b-8b06-616a4a6b35c8} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5184 1f5b0f3e958 tab
  PID:5108  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="336.7.606134376\416284088" -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1316 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91bbb348-9a7b-4106-ba10-917bf300a59e} 336 "\\.\pipe\gecko-crash-server-pipe.336" 5656 1f5b219bf58 tab

C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1040
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
  - Modifies system executable filetype association
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4540
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2), one process per line:
  PID:3536  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc19acab58,0x7ffc19acab68,0x7ffc19acab78
  PID:3240  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:2
  PID:1720  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
  PID:2016  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
  PID:1416  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
  PID:1408  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
  PID:4048  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3972 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
  PID:1752  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4136 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
  PID:5060  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
  PID:2240  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:8
  PID:1740  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4508 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1
  PID:3780  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3488 --field-trial-handle=1924,i,5319262632984705461,16470935029816450065,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (depth 1)
  Command line: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
  PID:824
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
Downloads
-
Filesize
1024KB
MD5d9a49a7d6d5ca840cf0f0e937007e278
SHA190197e483cc1bf8970cb6012997b1968f43d8e78
SHA256183acf4a52e283da352ac2e3d51d43dbdd1534325f4585b6763a4ef38151b876
SHA512142acbf150500db5f703b3e56c42895cb4374927f6e26adb02f090cf18e9797b8f4e34b7e621de6daf03093cc0a7df73cb4328525ac7a1a4f36e2b61dfde0642
-
Filesize
40B
MD5757f9692a70d6d6f226ba652bbcffe53
SHA1771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b
SHA256d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad
SHA51279580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\926e442f-7be3-4066-9b81-2a14d7ceb28d.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
44KB
MD5ee40a5604745eaeb8fdb6b4bc78dfb1b
SHA1d0bc3faadf2d23e0fc331527a715c6e2401b342e
SHA256398f309dc7b4e1a45620bb860b591c36e8c7739ec85824160b5fcc666cbd19e0
SHA512e7daac3e6c8f689ff9794febc97490606590d060cad4d1a317864ac745c559f0830365339a5f3fe23d683e69db089401602bed965cc827ee8c693f4c9d681728
-
Filesize
264KB
MD5af4ec2ba8e9b3b34f205f985f71061be
SHA14adac5d60b09b420a33cbb99d99101bdd994dc01
SHA256714b852082dd51df23d05565e8cc4155c146a77bb9d090ce6032f5446ed8837b
SHA512eec0bb40265c89e3ee4bef128bbf48df64a408c551e8389463a24fbe8433d470ea863cd8f92820bb7a130b6407f7ea331db0cadd9f7844562365442fb8f2c069
-
Filesize
264KB
MD5c6e39ae33b027fddc818d4e39cf3599c
SHA1f8b339161866d44e04e003a6f27a9710fd54d64b
SHA256bcbb7d4eec4f143b964b02d4e833554b381cd2d92976a11bc6f3af70002ec4eb
SHA512db3ba43a999b220a746337b1b32cf57ae4ca97731d955be1778099c50b710cbf36a890d998b1432606f346aae5cd83f4765b76055b7175fc712b7ccdffccea3c
-
Filesize
320B
MD59143e5b13e796313d2eee3908a31e272
SHA1691b30ba285f07be5c788a1d0d0ebc58f8adc32c
SHA256d3e2b688603cf02c5468b1f277bdae94acdfc5e593cd89c910d609f8a7e52382
SHA512ac61cd480ac0ca60d4bee8717c4df9d79c3d8a6ae7d2ece530e325b677ed273cba62a5c17d2a7097b68526295ed0d0a070590527d32abc16908dc98aa0bb5620
-
Filesize
332B
MD580114b107e54a0edabedc2f2c318bed2
SHA1422c8a01f10b5c3eab4b2d06c9086f0a1f5c015f
SHA256f6a4e2fc57f42ec5f7b7bb6f22d4eb342636eb88c6d546e30524f7e76ddf980e
SHA51295cb69d67ddd927534960b5f2d9d74d03d4b88345946ef64dd19495feb9e8b4c98f9243cd7abc99e325a530e26f4408c84f576806e3fee90a9059b63d7598dca
-
Filesize
44KB
MD5204ce019e13613657140319709ae07a3
SHA1a877b074e3acbf37c29a33a8fd2253495dc22fe0
SHA256d76f87d36072ec05a0486e16f93b0ace77c7988204c30a896aca10cf43bf4765
SHA512ad094524cd04e00b748ac389e98f104db9488c0fda7ac961be42d15eb4dec4efd8a08ead7674aacbead5794de855fd1749076cd0cec42917722c15229774a38e
-
Filesize
811B
MD55e2177b2a19e397e68209180b1f004cd
SHA1ce4f503ee40c644375557a402e17f567aaa4e499
SHA256b7b966e7ba11bc07c133e20b36154a05b2af3f929421a7c634ef3e5582d271f0
SHA51298e1d2e38668f5890e0c9dec0587f00235985bfc527c094100c7882df3deab5ed2512807a5354739e4ad5dcb577cd2b6c64cc8d38d33972c9c7effb24f8ee92d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
7KB
MD59961fe9d150a42743d1c9adc5718bb3a
SHA1fadf8307c34dd35e953ca91140225507469c3cae
SHA2566239d54d7e2c7cf8142bdc28261be4ba200ec6a77d7f9deb128171c49992f789
SHA512ce9317f086b93afbe8276a48a664d59d20f3f884e41fce7d9a4942f1ff1a702df4d4406fd2b0cbd89b12569e9f4f55cb72e011e4d8ab0ee5ad68c71a7f639f96
-
Filesize
7KB
MD5a9b28a1749eb3dd04b41460ec08b8945
SHA14c813102145a8ecb0abc509d2714c398d4253ac9
SHA256b91c269c374b689b2992a4b18013f93cffb9b0f6ee89ae992ce8c56f4441fd94
SHA5125f56e4f27fa463ef2288efcdabcc6eb4fa405adec2203ae7f0a1dcf64569b05551e917170ddd323967d1ea6ab9e04d17cacfe3fcf827123376de640dd9873f7d
-
Filesize
7KB
MD5f5383921bcb74b35ec440b8a5f28f73b
SHA152e15b5611ae5da9a9df7e77d51cddaded832da7
SHA25671a4839595084b59b3f50d1e10867002b07a0c1710649f1a3ef3be8c2dfdef30
SHA51234df31815068188f2eb23b9d946371c7ac6cd964df4948987dbf0f5500b13e6c8d6cbb60e0de8502fcdd5aa294c65dbeb15b0022edd60f65c55ee5f37cff6e1c
-
Filesize
7KB
MD5fcdacb12563ec642dfd88835f3d0b3ef
SHA1b4ec1d2d9a1a74f9cc7070cc291b0e5bdb642bbc
SHA2567f4a652fbe99cd9c8bbc07eae3f13590b67b4e94fa9606d15b68410cf84a09b4
SHA5127a066ff4e43ea8eaa4a8d1b46a3c3efe9256c9891f338285ee96541b287a74c9f1d4cd9ac345ec2bb377e0c7517f7a47304032846bef8c487510675bc2fd4cf3
-
Filesize
232B
MD58a30a1fdd0459d9ea8b1e78a8e636856
SHA19d7225e97f9cfcfb225cfbfd0b0bba21d4efdd20
SHA25688fe1d31608930f2738d102d45c75dc77acdf01a1b69bfb7e7c0281575b75e33
SHA512b529bce870cd8165bf82f3ebf94f07552467bd0993b9d35145182e54e26fb2ae8e7bb167d88267b632757e2146f27dfddf8867db0c66e5dcc306db12ec6b7bef
-
Filesize
320B
MD524a6403967b6810f33a87ad0087049ac
SHA19b62990d94e668b7abd582c110b811ebfd0d6511
SHA256192663cc1b1dbe6ba14bbba5b7ddc50384f69400065327f79f5fa4678e3a5a78
SHA51240f4dce238e7f22a7898877d340c87a7465853430de2ffd422e8efc74a086b3cb2a7e21d510b43054a9d10af10784a47bb2c5b8f3b6f6443e1adb59bb454214b
-
Filesize
10KB
MD5b29171c93e4bba12f9439404dbd77335
SHA10e6f2a70b8c988fa3bb7788994eea014eeb8bc55
SHA256e371cb9a9346f53bf397e99b9d01166570cc46054c7564a2ab7a898f545d9fde
SHA5123f434c9b1226ea78ce280c4c6d30d3d783f336fd4ba54d8062c3c2f0c505ba7fa8e6bf93760f68eabaecbafe5d55821e13e8307dbdd24f4438a500a2adc22f0a
-
Filesize
4KB
MD5a57ceb9d40ece8a34837dc732f7ca043
SHA18a7e51dac2013a2d23ccd6531d69d7c38a469712
SHA25605c1c66f06fe4e01ef00cff1efe1a1afe916396977098db1b3bee6479cc9cde3
SHA512b7a8a73acc184e5597263f0f036559d5857c41248c9accd58459b22deb990bb0064bad879920cbd49c201f3590b92e590f17a898a0e29058a49de75e689de8b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B
MD52ecf1b5fd5d8c3d6d8d8b82715986f30
SHA1d069acb07aa0c970952c8304b1a39b59ef08cb55
SHA2567a5bb7874afb57037613fa89ae436ff8fa260303c0e4da85c521dd4bc21d3106
SHA5120588429a1ccaf26709c9e1f6633b8a0bd43e0e637e90b3bdcd945ea058bdc0ad50ea74f0576769c98c5a625b2517b86ee454c147befc9facb8f835ddc4fa7d71
-
Filesize
345B
MD5b3372c79ebf99bd0b6c4ab278436e748
SHA1c783873346fd4d6034de37891135528d75011b8e
SHA2561a8f1ef39bfa0d71652896e2341bdaced7120de9cda5f84ee5c3e7093e413349
SHA512a988f6d74b243d2cb04e49303a5abd1004435945c2842a419a01dd9a368be242b2d56a5b8694de3a78091ea6ced03a645301803448a63b39796b34cf5dd0b90f
-
Filesize
15KB
MD5ae9ae9c7af7e6967000575e8f56b7475
SHA178b6522808aae600e60d588b58351a60bb6cfbb0
SHA2569d278560a112bfbf55b692e0129ff9dbd8622948789f7d24034d367badc00a3f
SHA512a4775ff0b1fa57aed77daab16d95085d265ff7214a331908787d0bc675ff52aa3dc1a62cf01a040fcb3734d7e3da3d03fe7977c6fb8f2072188b8d4ee064ca0a
-
Filesize
321B
MD5039a2d884405ca898624a9d3bdae21b9
SHA13af3299fdf869f37af00b7019e184054d71df7bd
SHA256573670a1d8dc4e0b429da138fe1bc77a8d07a32b8c009caa67e3a124d7587f48
SHA512f0a3a06b82645335c4a5ee548e82491fa56b2846298c4e068a456e4efe668152c6e2bd558956c27ada1b53ce37f8df92608d8495b72e0816682b4e41bd880995
-
Filesize
1KB
MD5c61f7f416c01a3f2c08b888fe14e5be2
SHA1325ace9628dfba74eb85b0330572610163ca9424
SHA256d496fe87ab6fd3b06dd4577c2b7349f0b8f6086fbbf7b3b98c1cdd7418fae14e
SHA5127f9ea85c49fbda4d67c39e1ccb2d218ba754abdb9197bbc1662e60107ae00ac8d7f2ba4cb140fba5b48c775f78257ab02850a7ef4de9b98851d024a5a373c0d9
-
Filesize
320B
MD5d3417877cb792c1f0853c33a72026287
SHA18ba5c9fa11a66a88ba1d1a25b58c7eea34d1dcc1
SHA25671ac702f6f3506f3d21824826dbcdf4063527d789213101bfd72d67928f90bf5
SHA5123fe3244eba270721fe9fb033944cc30fdb3fece0ed8d6302abdf3ff56e1f0b3e8eba2c7c1ce66b99ce34efee87128d45035c50834b27ad954e1b07927594efe0
-
Filesize
889B
MD5c31c4325b6b9099d3fa9c007ad3a16e2
SHA1686046aae26ce5c5b75e807e48e11a8de74a73dc
SHA256980856d398501a500254c358b46c06061d6f66f4f5e77ac049625d24500380b1
SHA512d4c6eb6c29560e60052b1c24ece9a282b51a3374eca307ee3d6a824104b12fbc2f10d14f84a14830e13ed52252616320f2d10075da5d323a30a883ad4863f9fc
-
Filesize
338B
MD57d677a6317d3c6f1790fab35dfd87b46
SHA167ebe03f53d20c77006621f7e7dad14e20097a5e
SHA2563127fa97a41d333932e477820fbd50172040c2f92afe50eea62c5b64746718bd
SHA51287e85f04397865ab00752b04348042eb8b07af25a59ef6e1c12225178aa04e8328787b619b3a2ec68f5ca7064ebf269a777d21ebce8a96f84b50ccc2225238e5
-
Filesize
44KB
MD5ce1b9b0446f3a08ee7da17e148d1212d
SHA1840ae9cd4338e28e7cb7216a9c9baf2d4bf2a010
SHA2565525ee31bb7828710b63c9f0ff4e75188ad9abd0f087271b63d0dbe290cab818
SHA5127f673e16e2017855d0fe275c67184f304a53dcf9be4112e6de5dfcf37f8633fe8a0cd03162de55047edaaafc36a7ea62a9213744e6438a187d5cdaccf7140af1
-
Filesize
264KB
MD58c6133c716b252cf75aac1752fd81da7
SHA19fdf40e6ce52bf0e6fafb5a2c5b9611b9cf148b8
SHA256c8368b43b19d3e4b9b0f37322c5b475069bbd9699360333f798919e521b765ca
SHA512fca9ad09bc1cc893cb28fc7e7d55b7b8d3bb852e3b1495081e1f173e272e9c36b9d5f1d9a24639d7f977938c37c8844ba0ad1d271506ffbc1284cf9f3833f136
-
Filesize
4.0MB
MD5a4deb5c60975b6e947658e9b1cf4ec22
SHA1ea6e0db371bb3249da7c31c6f71add7124844ae6
SHA2569d4275bef0ed4be0fa1ec6eb14d4fbec133d49ed882ce51ec9e7bc84091bca6f
SHA512b455c62fe90033302be750aa2b26b6edfec8a1792e294dd747019ea01778cdfcec75c6139bd4ee099018a0b7e6fcb78969de171e0feb935a947ba8f0f9b98a9e
-
Filesize
14B
MD5009b9a2ee7afbf6dd0b9617fc8f8ecba
SHA1c97ed0652e731fc412e3b7bdfca2994b7cc206a7
SHA256de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915
SHA5126161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910
-
Filesize
257KB
MD5f2a240e3bdf54df12c71264a89678841
SHA1f40a03b1d482f89cec44eac7ab3f9696c0a3b416
SHA25622bbcd0f7814a27a088560aa79950b0f6eb3fb4225bab3897851ddbb3c28e835
SHA512376b48457c3eaca5c7737fe52abfdb6b347aaf375e3b3c2bcd6bc50261374b01eea94c6a3c582aa32d6e0cbf656f8f332eb229c1ae8b8fb3dd06db2b1faf53a6
-
Filesize
257KB
MD5f4e945de22b3b5c6d415a470593ac2af
SHA1955c2f7bcefb33994837117215ade276f2ec4a65
SHA256922b6a263ab65f3b339de73a00c47725f5099cce7d809eb2dd15063a0acd6d26
SHA5127c43fe379170403a609a40d870f245138c336d7ecf1173ddab2e50afbe6e1841d132aadf424478676ebfff6ae2c60c60f1a781bcd086ab7ce47f14935dfd99ea
-
Filesize
257KB
MD56d8865e321af157f2726cb05a5652366
SHA1cbdbba158e9082a28e50516cfb9c57096147e950
SHA256d0cf9cd9bd24aebf033721ce2e52f17815b86b89c8a67c0292b1b897a2fd60d4
SHA5126de779789cc7bc8ed691a9c2a8343c6eefb315bef2c47713fec038bceac12c70de1005bbf9934df01dab54e54d8782eb868f8a7c93d655269c23e57313478254
-
Filesize
257KB
MD540cc170c129a7436f79f5c3961617e28
SHA182b7e2f9fe51bb8cf9f4b0b2a80110907f8f14bb
SHA256002f7aa2fed71d114ec37146a8ef1463c0f4ca8030e9ff809c237bac6f23ce6b
SHA512d43ed249b1f453a4e4204fab394685f789c5d30e9fecf6ca412511a3a9590d14fb9c87783bfe5c489ee1f09dbece5b4abf674829486f329d837682307bbb2ffc
-
Filesize
89KB
MD5ab05a6f1d865afafe17aae5e1b588464
SHA1e8f88f906a91a13cd13b834209f93eaf1f2f61d3
SHA256bd85ea17b642eae153e5240a1041c0091117dc761b6ba05494de98725ac91fa7
SHA51201f9a9a8b4e8573412d1f388acf681c6bb07c7a6bd46b94eadce3f6a6cc1969a3aaee54fc32c40a9f71de5d605c56fd0eef29732e2881ddf1d1959ea56198aff
-
Filesize
264KB
MD582fb1275e54d596dd99df70a32e3b171
SHA1878b1ed2c0ee67509374c6267bcc306878f39330
SHA256a6bf4abdb04ea17d91502184b3a984fab7c2b82a645003a08a197fe942ec8a14
SHA51276ac36f45bad045f4c81d8257ad4c4e7b981049a342d3967bd9310947bb722382abc601359b152347e98e9fc3111e9592eef01105ec901b47bf22b0937919ab4
-
Filesize
85B
MD5bc6142469cd7dadf107be9ad87ea4753
SHA172a9aa05003fab742b0e4dc4c5d9eda6b9f7565c
SHA256b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557
SHA51247d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182
-
Filesize
4B
MD5ea6e60354b61a9d62f1a0bcfd432f8b9
SHA1f598436e5ac6c9cf042ab751e80c739fffac7cb4
SHA256659a0eb34b709f718bcbf30cab06e8e491d290424694d7bc155218f2290ff8ce
SHA5124f1818e4c7151ed5f8784a69f48d8c11e327cc9ea5d53ef7510529ef4991266301121f5bf70f2da84f9e0ab8d189a3aaaaa5901942aca39279d08139ea4c2838
-
Filesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
Filesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
Filesize
5KB
MD5701ccd38871e34186c276a74fe51fddb
SHA19a4bee485ce065c083ed77ec16daca10514d8e49
SHA2563fede500908ae10b697ad1feacc63d1b1b0ebc2c5a5850ac1b6a1387d24ef724
SHA512a6691cc8652b3b05d6e3b19c53065c71e09c5d5bf3dfa7b0d3062a7bd46002af48128e1c7454a6a2ac6950fd03bcaf5f8dcd80a76fbedefbc6703e62ea1cf55e
-
Filesize
6KB
MD53a2eb026f22d6173f91fe6010120cbd3
SHA16a381796dcc3654c88abbecc8cc70620725765b0
SHA256701b06fe1cbe7c9f3ddfb337ffebe43e8442c75463679530c3f4f48b104dcb14
SHA5121628a9560da46796f02cff4ba5d1f9337e6107d0ec6c751ee1eb200f18c5fd122bbfdd044c5c2a5658018192410cd9b735c987df031d3dd2299b6d44fe4d1ea4
-
Filesize
8KB
MD51596054babe0521d918641b8ca3a81cb
SHA18e5544b20b6750fbdb0ec0d16ee6e67162862b0b
SHA2561a30aeb01e62e8c9fe1c4481cd22b095d991a2425a99a5324883e83ceead0634
SHA512e35d7f95942ba5ffe9c32eb3d4490007f274d1da97cc63b4318afbb4ab1f7ddf3cdc9dc789e6675e90a7514ba37f5122a9c219da7248a19951b1c77b43d8dea4
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp
Filesize
23KB
MD540a3ea2c49066f1a424188e4749c6e3c
SHA1f7bf39c4a0c588d7ff6eff880ee75c350216d2d2
SHA256afc3d9613974931cffc68fb78e373b0bf78bef623fceae7f723f65242a55b114
SHA512cf03f1ed7b88439e9cce630132e13e91a54b5963b7911ed9c5cdda011ca5572b29c2e1a148c86a827a6907350245d777bcb351cb136438bd1efceb96a2e044b5
-
Filesize
7KB
MD5b587d07b8f4b8f12bc39eb64cf33442e
SHA1b09345686421b902d0a9766a69d9cb08e7618567
SHA2568aefa1f2682f39977f01abf0bbd9c78658f4cb26fe3bf344aab259ce9b0c385c
SHA5126e90fa791179ce600cd3aaddac8e34ed7f2bbea3947ea0e158f408325a76010607b122ece2ac648707ac1e455d11c73facc0e8befc0ff5b96f4c509c19dcd6d7
-
Filesize
6KB
MD5a8d6644cc77973226e22275d5073a055
SHA1c736f5e27a32466c7eab289b95713d6773478210
SHA2562d03c4a8857864e22691433ae52932108633a148e8077b2907ca7c6be798719f
SHA512cb7cc4cd33b4fc0f5d85fa7ce2b7328843b8e0e3625f9cad7b58b9693006cdc250f9ee7b2628fe30bf85aa700a77aaf3d87ef0eec7a7b4bef239220b62fae196
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB
MD5bbe596fd36fcf6118ac87d27f27a5c36
SHA1480fb6fc6621fa6a817638d18a455926e42e41d5
SHA256f3a51ae895e2922c099e3c0432c1f995274d11a11b0d9ae9ac69b49ee775fefb
SHA512d3fde3702e780fa89d117d5ddf697b663c46e3ee4cc0dc15ac836dd1ca1a588515a519651391069899d3aa922af0b3b7a65af9126c3dcad57e4bbd6864dcfa9d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4
Filesize
1KB
MD559ef481b63687e717a451ca45e3df20b
SHA197b7adf5931d5240fe6889ef9e69d79bde8d19e1
SHA256b653e7ccb670902b84f9d4061ace584c6cd2efce09eab8327ab22361f37c6bd8
SHA5125db2985884334c9e29ed6d7fcd5190380b92c47323a54f60832dd68d470c6911069ca916f4cf3d43f2f86b9244d9bfb9cf556ab77e17b83b4db95369c22e9b96
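The digest sets listed for each dropped file are the indicators a responder will want to match against files recovered from another host. The following is an added example (it is not part of the tria.ge report and not tria.ge's own code) that parses entries in this report's layout, accepting both the fused "Filesize112B" form and the two-line form as well as the label-prefixed digest lines, and verifies a candidate file against all four digests. The two entries embedded as sample input are copied verbatim from the list above; the candidate bytes `[]` rest on the assumption that the two-byte entry is the JSON literal for an empty array, which the match on all four digests confirms.

```python
"""Parse dropped-file hash entries in the tria.ge report layout and verify a
candidate file against them (added example, not tria.ge code)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Expected hex length of each digest. The length check catches a truncated or
# mis-split digest, which would otherwise silently never match anything.
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Label and value are fused in the report ("SHA1422c..."); the fourth character
# (5, 2, 1) still tells SHA512, SHA256 and SHA1 apart, so longest labels first.
_HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")


@dataclass(frozen=True)
class HashEntry:
    path: Optional[str]  # None when the report omits the path (shown as "-")
    size: str            # size string as printed, e.g. "2B", "7KB"
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_entries(report: str) -> list[HashEntry]:
    """Walk the report line by line; an entry is closed by its SHA512 line."""
    lines = [ln.strip() for ln in report.splitlines() if ln.strip()]
    entries: list[HashEntry] = []
    path: Optional[str] = None
    fields: dict[str, str] = {}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            pass  # separator between entries; nothing to record
        elif line.startswith("Filesize"):
            size = line[len("Filesize"):].strip()
            if not size:  # two-line form: value is on the following line
                i += 1
                size = lines[i]
            fields["size"] = size
        else:
            m = _HASH_LINE.match(line)
            if m:
                label, hexval = m.group(1).lower(), m.group(2).lower()
                if len(hexval) != DIGEST_HEX_LEN[label]:
                    raise ValueError(f"{label} on line {i + 1}: {len(hexval)} hex chars, "
                                     f"expected {DIGEST_HEX_LEN[label]}")
                fields[label] = hexval
                if label == "sha512":  # last field of an entry
                    missing = {"size", *DIGEST_HEX_LEN} - set(fields)
                    if missing:
                        raise ValueError(f"entry ending on line {i + 1} lacks {sorted(missing)}")
                    entries.append(HashEntry(path=path, **fields))
                    path, fields = None, {}
            else:
                path = line  # a dropped-file path such as C:\Users\...
        i += 1
    return entries


def digests(data: bytes) -> dict[str, str]:
    """All four digests the report lists, keyed like HashEntry's fields."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_HEX_LEN}


def verify(data: bytes, entry: HashEntry) -> dict[str, bool]:
    """Per-algorithm result; disagreement on any one digest means a different file."""
    actual = digests(data)
    return {name: actual[name] == getattr(entry, name) for name in DIGEST_HEX_LEN}


def find_matches(data: bytes, entries: list[HashEntry]) -> list[HashEntry]:
    """Entries whose four digests all match the given bytes."""
    return [e for e in entries if all(verify(data, e).values())]


# Constructed sample in the report's layout: two entries copied from the list,
# one with a path and a fused "Filesize112B" line, one without a path.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize112B
MD52ecf1b5fd5d8c3d6d8d8b82715986f30
SHA1d069acb07aa0c970952c8304b1a39b59ef08cb55
SHA2567a5bb7874afb57037613fa89ae436ff8fa260303c0e4da85c521dd4bc21d3106
SHA5120588429a1ccaf26709c9e1f6633b8a0bd43e0e637e90b3bdcd945ea058bdc0ad50ea74f0576769c98c5a625b2517b86ee454c147befc9facb8f835ddc4fa7d71
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
"""

# Assumed candidate: the two-byte entry is the JSON literal "[]" (empty array).
CANDIDATE = b"[]"

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for e in find_matches(CANDIDATE, parsed):
        print(f"match: size={e.size} path={e.path} sha256={e.sha256}")
```

Matching on all four digests is deliberate: MD5 and SHA1 are what older tooling and many feeds still key on, but only the SHA256 or SHA512 match should be treated as evidence of identity, and on a FIPS-restricted Python build `hashlib.new("md5")` may refuse to run, in which case drop that key from `DIGEST_HEX_LEN` rather than weakening the comparison.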