Analysis
max time kernel: 151s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64 arch:x86 image:win11-20240709-en locale:en-us os:windows11-21h2-x64 system
submitted: 14/07/2024, 16:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://gg.gg/178wsh
Resource: win11-20240709-en
General
Target: http://gg.gg/178wsh
Malware Config
Extracted
redline
5664290451
https://pastebin.com/raw/NgsUAPya
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource: behavioral1/memory/5272-1199-0x0000000000700000-0x0000000000722000-memory.dmp
yara_rule: family_redline
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 7 IoCs
pid   Process
5696  7z2407-x64.exe
6076  7z.exe
6112  7z.exe
5288  7z.exe
4336  7z.exe
3984  7zG.exe
6592  Setup.exe
Loads dropped DLL 3 IoCs
pid   Process
3300  Process not Found
3984  7zG.exe
6592  Setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
15    pastebin.com
257   pastebin.com
Drops file in System32 directory 2 IoCs
description   ioc   Process
File created  C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF  chrome.exe
File created  \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF  chrome.exe
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process    procid_target
PID 6592 set thread context of 5272  6592  Setup.exe  156
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description                   ioc                    Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                   Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description      ioc   Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133654479553707770"  chrome.exe
Modifies registry class 64 IoCs
NTFS ADS 2 IoCs
description                   ioc                                                      Process
File opened for modification  C:\Users\Admin\Downloads\NORD VPN.rar:Zone.Identifier    chrome.exe
File opened for modification  C:\Users\Admin\Downloads\7z2407-x64.exe:Zone.Identifier  chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
4880  chrome.exe
4880  chrome.exe
6180  chrome.exe
6180  chrome.exe
6180  chrome.exe
6180  chrome.exe
5272  MSBuild.exe
5272  MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
2648  OpenWith.exe
5132  OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 16 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://gg.gg/178wsh
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4880
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf14ccc40,0x7ffaf14ccc4c,0x7ffaf14ccc58
  PID: 1332
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1804 /prefetch:2
  PID: 4988
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2100 /prefetch:3
  PID: 3800
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2548 /prefetch:8
  PID: 2288
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3000,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3028 /prefetch:1
  PID: 1324
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3012,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3256 /prefetch:1
  PID: 2720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3544,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4372 /prefetch:12⤵PID:2916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4272,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3448 /prefetch:12⤵PID:2168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4704,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4724 /prefetch:12⤵PID:4884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4720,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4860 /prefetch:12⤵PID:1544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5012,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4708 /prefetch:12⤵PID:4796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5220,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5152 /prefetch:12⤵PID:2128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5456,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5500 /prefetch:12⤵PID:2744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5896,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5856 /prefetch:12⤵PID:1780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6052,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6024 /prefetch:12⤵PID:4860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5556,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6004 /prefetch:82⤵PID:2896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6356,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6344 /prefetch:12⤵PID:5000
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5096,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:2224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5528,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6244 /prefetch:12⤵PID:3268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6668,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6692 /prefetch:12⤵PID:2008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6192,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6212 /prefetch:82⤵PID:4700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5116,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=6596 /prefetch:82⤵
- NTFS ADS
PID:3548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6348,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3380 /prefetch:82⤵PID:3680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6212,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5460 /prefetch:12⤵PID:5016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6596,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5716 /prefetch:82⤵PID:2860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4636,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5488 /prefetch:82⤵
- NTFS ADS
PID:5216
-
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6264,i,13482704974593437381,4366646458284681645,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5392 /prefetch:82⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:6180
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:4836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1540
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5836
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5940
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2648 -
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Desktop\NORD VPN.rar"2⤵
- Executes dropped EXE
PID:6076
-
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Desktop\NORD VPN.rar"1⤵
- Executes dropped EXE
PID:6112
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Desktop\NORD VPN.rar"1⤵
- Executes dropped EXE
PID:5288
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Desktop\NORD VPN.rar"1⤵
- Executes dropped EXE
PID:4336
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5132 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\NORD VPN.rar"2⤵PID:5452
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\NORD VPN.rar"3⤵
- Checks processor information in registry
- Modifies registry class
PID:240 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {527ed709-ef1b-45ef-acb9-e1e642b037bd} 240 "\\.\pipe\gecko-crash-server-pipe.240" gpu4⤵PID:5772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2284 -prefMapHandle 2300 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3722bdf6-deb7-4a7e-8e4b-b2bffb87c836} 240 "\\.\pipe\gecko-crash-server-pipe.240" socket4⤵
- Checks processor information in registry
PID:1596
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3320 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 3336 -prefsLen 26812 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea7b6ff-87c2-4972-a019-11399d189972} 240 "\\.\pipe\gecko-crash-server-pipe.240" tab4⤵PID:6120
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3584 -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3456 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a3bdddd-bd5d-468b-a15c-263be0b57169} 240 "\\.\pipe\gecko-crash-server-pipe.240" tab4⤵PID:4480
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4408 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4416 -prefMapHandle 1696 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de7ffb49-bd33-4b26-bc71-3fa6c6c99e36} 240 "\\.\pipe\gecko-crash-server-pipe.240" utility4⤵
- Checks processor information in registry
PID:6368
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 3 -isForBrowser -prefsHandle 5668 -prefMapHandle 5652 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27cca80c-f730-4b3c-a758-f1b4c61b5f90} 240 "\\.\pipe\gecko-crash-server-pipe.240" tab4⤵PID:7032
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5804 -childID 4 -isForBrowser -prefsHandle 5812 -prefMapHandle 5816 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5494ced6-e988-450b-8818-39b04ca830c6} 240 "\\.\pipe\gecko-crash-server-pipe.240" tab4⤵PID:7044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6020 -childID 5 -isForBrowser -prefsHandle 6096 -prefMapHandle 6092 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9e3dfc2-ad4c-4587-8f87-c4c078ac8e20} 240 "\\.\pipe\gecko-crash-server-pipe.240" tab4⤵PID:7056
-
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap7543:74:7zEvent191961⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3984
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NORD VPN\readme.txt1⤵PID:5424
-
C:\Users\Admin\Desktop\NORD VPN\Setup.exe"C:\Users\Admin\Desktop\NORD VPN\Setup.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:6592 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5272
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:2960
Network
MITRE ATT&CK Enterprise v15
Downloads
