xworm | d999208640743aef67eac9544824e1e96176dbb73b17fad5d2f33f73fb8fa87e

Analysis

max time kernel
454s
max time network
456s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 19:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Solara.exe
Size

439KB
MD5

bbc212bd99b3cdbdf9ebea621b2ec078
SHA1

31b3bd37ea5c37ee034ed92c3643fef177b130e5
SHA256

def6f4ec76d2069322983c6eca95a313cb9a8d2456447dae67db7cb1dfe3acdd
SHA512

286e2dbe13d9e3732406bda3d55a1a673deb1c8f81669d8d8dc1d2bc5e30f2e8dbd13fc59bef3d13417afc1427243c51223d754422b2efd45b20600987c11737
SSDEEP

1536:Y52g9057DKXIvjKqx+bSIijoJLU6Bv0JVOfCTPnlp4Z9l:42V8q+bSIjv07Oq734ZP

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:13970

accessories-retrieve.gl.at.ply.gg:13970

Attributes

Install_directory
%AppData%
install_file
Loader.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3728-1-0x00000000000C0000-0x0000000000134000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Loader.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4464 powershell.exe
3324 powershell.exe
2496 powershell.exe
776 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Solara.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Solara.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Solara.exe

Drops startup file 2 IoCs

Processes:

Solara.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	Solara.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk	Solara.exe

Executes dropped EXE 8 IoCs

Processes:

Loader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exe

pid process

2928 Loader.exe
4360 Loader.exe
5144 Loader.exe
6912 Loader.exe
6580 Loader.exe
6656 Loader.exe
2912 Loader.exe
4784 Loader.exe

pid	process
2928	Loader.exe
4360	Loader.exe
5144	Loader.exe
6912	Loader.exe
6580	Loader.exe
6656	Loader.exe
2912	Loader.exe
4784	Loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Solara.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader = "C:\\Users\\Admin\\AppData\\Roaming\\Loader.exe"	Solara.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Solara.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Solara.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133697807176842403"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings firefox.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4488 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	firefox.exe

pid	process
4488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeSolara.exechrome.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4464	powershell.exe
4464	powershell.exe
3324	powershell.exe
3324	powershell.exe
2496	powershell.exe
2496	powershell.exe
776	powershell.exe
776	powershell.exe
3728	Solara.exe
536	chrome.exe
536	chrome.exe
5588	msedge.exe
5588	msedge.exe
4344	msedge.exe
4344	msedge.exe
4464	msedge.exe
4464	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
6088	identity_helper.exe
6088	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
536	chrome.exe
536	chrome.exe
536	chrome.exe
4344	msedge.exe
4344	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe
4124	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

Solara.exepowershell.exepowershell.exepowershell.exepowershell.exeLoader.exeLoader.exechrome.exefirefox.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeLoader.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3728	Solara.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	3728	Solara.exe
Token: SeDebugPrivilege	2928	Loader.exe
Token: SeDebugPrivilege	4360	Loader.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeShutdownPrivilege	536	chrome.exe
Token: SeCreatePagefilePrivilege	536	chrome.exe
Token: SeDebugPrivilege	408	firefox.exe
Token: SeDebugPrivilege	408	firefox.exe
Token: SeDebugPrivilege	5144	Loader.exe
Token: SeDebugPrivilege	6912	Loader.exe
Token: SeDebugPrivilege	6580	Loader.exe
Token: SeDebugPrivilege	6656	Loader.exe
Token: SeDebugPrivilege	2912	Loader.exe
Token: SeDebugPrivilege	4784	Loader.exe
Token: SeShutdownPrivilege	6492	shutdown.exe
Token: SeRemoteShutdownPrivilege	6492	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exemsedge.exe

pid	process
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exemsedge.exe

pid	process
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
536	chrome.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
408	firefox.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Solara.exefirefox.exeLogonUI.exe

pid process

3728 Solara.exe
408 firefox.exe
5344 LogonUI.exe

pid	process
3728	Solara.exe
408	firefox.exe
5344	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Solara.exechrome.exe

description	pid	process	target process
PID 3728 wrote to memory of 4464	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 4464	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 3324	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 3324	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 2496	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 2496	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 776	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 776	3728	Solara.exe	powershell.exe
PID 3728 wrote to memory of 4488	3728	Solara.exe	schtasks.exe
PID 3728 wrote to memory of 4488	3728	Solara.exe	schtasks.exe
PID 536 wrote to memory of 3460	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3460	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 3020	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 4624	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 4624	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe
PID 536 wrote to memory of 2152	536	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Solara.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Loader" /tr "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbd2e46f8,0x7ffdbd2e4708,0x7ffdbd2e4718
    3⤵
    PID:3296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:2344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:6800
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:8
    3⤵
    PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    3⤵
    PID:6608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:6700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7547008983991408735,6138724973004184772,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    3⤵
    PID:1400
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6492

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xf4,0x12c,0x7ffdc073cc40,0x7ffdc073cc4c,0x7ffdc073cc58
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3276,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,13050654058078024427,16011297040422597675,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1260
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77ff94d4-c2b1-48e5-a776-e39e99022885} 408 "\\.\pipe\gecko-crash-server-pipe.408" gpu
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2336 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3923462b-39f0-47c4-bd8c-281829109196} 408 "\\.\pipe\gecko-crash-server-pipe.408" socket
    3⤵
    - Checks processor information in registry
    PID:1092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2972 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c1e6e0f-83c0-4974-bb07-1319c21cad17} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:3304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3616 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e48e55d-619a-40b4-a0c6-148f1e7893fe} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:1524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4892 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fb32298-6bd0-4683-b213-afbfcedef4ab} 408 "\\.\pipe\gecko-crash-server-pipe.408" utility
    3⤵
    - Checks processor information in registry
    PID:5188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 3532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abdde55a-592e-4828-adb0-0114c1c8638f} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c064d8c-1e4a-4d6e-ab08-5e5de0ea6b98} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:4612
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41f130e6-2f33-4a7d-a97e-4335982b019a} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6308 -childID 6 -isForBrowser -prefsHandle 6360 -prefMapHandle 6356 -prefsLen 30742 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f05c06db-2567-42e3-82c8-1e15ec9b843a} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6496 -childID 7 -isForBrowser -prefsHandle 6508 -prefMapHandle 6512 -prefsLen 30742 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55f24719-a15a-48d6-9565-f1a8540a65e6} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:1316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6908 -parentBuildID 20240401114208 -prefsHandle 6680 -prefMapHandle 6656 -prefsLen 33988 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffef5f4c-3d0e-4c16-84cd-1285f2ade49d} 408 "\\.\pipe\gecko-crash-server-pipe.408" rdd
    3⤵
    PID:2216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6916 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6760 -prefMapHandle 6748 -prefsLen 33988 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4392b17d-237e-4118-8c7c-b3c973665551} 408 "\\.\pipe\gecko-crash-server-pipe.408" utility
    3⤵
    - Checks processor information in registry
    PID:2768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7448 -childID 8 -isForBrowser -prefsHandle 7452 -prefMapHandle 7456 -prefsLen 30981 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80ad264-4f02-4282-a176-0308d3d0278d} 408 "\\.\pipe\gecko-crash-server-pipe.408" tab
    3⤵
    PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnprotectLock.mhtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbd2e46f8,0x7ffdbd2e4708,0x7ffdbd2e4718
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1764,9955916931554026516,3816177497451503532,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1764,9955916931554026516,3816177497451503532,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1764,9955916931554026516,3816177497451503532,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,9955916931554026516,3816177497451503532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1764,9955916931554026516,3816177497451503532,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4080

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6912

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6580

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6656

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Users\Admin\AppData\Roaming\Loader.exe
C:\Users\Admin\AppData\Roaming\Loader.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2076c9ed26511361bd611880b71cf74c

SHA1
25f247b150e43b02e12f2f1dce896fe28b05c733

SHA256
d9cd34509a541f8005c6f8e5557c4b9407a1833757c2eaf13ef33bc2b37d11cb

SHA512
41706076ce91209f0f55857f4b67919fa7150575e045ddb134d039f960281e2de9ae8ddbf7cf2b83c493890eae08c36205f5e41ae2e1001f9b57b336357cf47c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b420edcbac382f863e7670fed48136e4

SHA1
1f9c9385f4508687b9cc188d4d05debbf60d527a

SHA256
2742434f827b46fcad4102a296e85f8d32f6d19346bdf32da689cdc41d9998f9

SHA512
ac5012aefcb4a1ec14ada8dfdb06dc5911408a852ce10c69ae1c821075d32f08ff5d3da82a5940d499f8c65badd48525d61875503925e6d91677243da710033b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7d696d2f3f1b36e0f8d3a52083b9b1d5

SHA1
953922963f3bd658ec8bfe5565a1cd87580ae07c

SHA256
f94059af2c96662aa6f1aaed7575acc12998a0496932fb8155112cb11c0c846b

SHA512
22922158ca491fd2ffc732dc6cc1490c806ec0b840e443bff7cd248bcce0b888f852a70ebb5d5497a470aca522c8ee318232f8c88c4b0c82ab34e3663e223a5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
593749208e659a9eeec9de7416c6d51c

SHA1
97f7ba402b15c6e8410e2b30f771733589b1e768

SHA256
3ba843e70056fd4c919cbbc96609f84d7a9c328709fe64ba9afb8b26e24e731d

SHA512
1a0f75c91d116c6513468735aafddcd3636b0a60ef27a48843e12497d0a256d46dd5209f3816e3e795f2a89f9fe11ab1f7534f241a367d74f959477a08135b7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0dd10eecbf09be1e9cd4b4f5ccfa862

SHA1
b89f9a12e1e9059a8ba4c6c993de8176458d5a25

SHA256
3ad1aae2c02fb25a38df577c9a476a8acc2f87af5dc673c34af04e1989e5b09e

SHA512
0151ab30dd1de43a03b5f3222e5f067b77217296073cf7539c403e585e4fb9c30b71433d2d47dd0c78fbf1109755433d24ea4af7ef25f7b59c3da80ea7e6d508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9cfcac93633cef8d13c1b95e7fc1c56c

SHA1
e69661d1c9220b9ebb26f10fce771e7a8bf7c428

SHA256
12cd5f219434959f1bbb3c15f34de16622db3d985bdcaa52d37669d858f83da1

SHA512
3fa3e99ebd0ff72a729eabc1d7ae871046733a97c251eeb5c4d023d11c84f195a8aee378f187de0da3c9b7b627e1f3ea475341cd77af01f1c589dc50029b866b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
e1e65ee84c7280d6de9648e3be74acb0

SHA1
bafc904ed8119c6b6193b9465ff105bc8e3311a9

SHA256
e01686e385e49c939056c4c8c2557f2f9973906a2740b4b408d64bd14e65841e

SHA512
a195cf053e22b49598d7cfe5cd7439e58ec0cc48e29d103512467c8721de31737f897c03670a0a1156a91637118e8377982ac84a179aec48f324370dca45693b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
203KB

MD5
0f11a07342cc7536e6977e73cd460c15

SHA1
c7e7d61401659de96c27bf7fa7c4766040568563

SHA256
522b2a0d218b6f131e445b19e32a0160c9eab75c1fd3d26e59958979bc342adb

SHA512
ca79d3d21f34cb4a51ba3f66c86a4dd0675105f68b8e4a577e3a930b0800c2eb83e17ad7dd9f107cfa316786f64ae6ec7af020dfa694cab306743218ba45eb63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3ac8a713b13f0f6283ea9a2c1a4c2d28

SHA1
5bd0b4b84131db4f1b6c81caa3a478116909afa5

SHA256
280949eaa8de7139b63367636abd71a092cf3d7b961407232f039ebca99677b9

SHA512
87aef492d07428dace7b616f9f6a1c1443e64d2b840715d59c2ace4e6da60b3d65981311fa580070a41c5fdb0cade8c7c57ef4c8336241b2bf9b7b468385945e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73a1cbf12b5d7c41c27489d795c363a5

SHA1
ad09060c80cb97ad6348aabc7d74f57b94fbf1e8

SHA256
4805a3d151783e898e822a222472d47ec8e69c723efc915488dc08491e46a72c

SHA512
d4cb770ccfe0b92b631ac26088e5c692f571efeba4fea31db0dd9d179ac4cdf7eddd8fe35abfe215ee5bcb96bdf671e53f646d7f53329d0bdd2411b7c25ce290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3cba26b6-9778-4933-b0df-91b6e1ea1fc4.tmp

Filesize
6KB

MD5
8e999cec3cd788e033b28715c12ce77e

SHA1
2a07cb1cab8919d120adc003b58557dcafddebce

SHA256
5a5c49005b2fb0f768a5841aff83197ce0d9c3184cb28666ea2dc1e052878d06

SHA512
0acc30f36c1a813f0f4fef9dde6c9eecc2a53057f219652ebd8ae558113e96feb3ba020ab20c7c2ba677627192aa854fa5a530c294467f9e39456c863e4f332b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
c405a472da1363dee39419037c1a6c7b

SHA1
de968b0be98858f2af11cfca3e4860424dad10fa

SHA256
1dfe6c4aae404b7b312a3cc3ecfcb0d0cdbd2d066569e7ef5b96425b4b322607

SHA512
25c1ab4b91f503256a0fce30041a90b70b99915d70ef41a4a14629dbc7f5dbd01e894adcfe12937e9feb7198106f071ace5350ad425d921c41cd6f05265826b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d8d19bc46763e2d90068df6221561929

SHA1
00997533481c699b0176486472819f5140ab1b62

SHA256
453566cbd4e418880fb5d46642df9282e234f62658968f6572b62d223d5764fc

SHA512
ea0873290af1dac475818407966b872126385a8968635a96663b4f747f17a6fded34f52eca7a149f9810da35a0600a87ed94fe6abd5f6889b609cc1ef3232009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
272ad82688c2e9b624c6da535d2458f0

SHA1
d87075539cfa4a98f1358e7760685d0c33c53a77

SHA256
7086188553864e04df9a7676f3513a265983dce7decf4e3a860f86e0b70fed42

SHA512
bc8a4384c3cbdd9ee7f1daef04b7242d5c5d5be3d138fb3119b7d0ea963f2d80672550854c18ac11db165de0a8c6365407814860000db3266714f0d1805fead5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
502B

MD5
ee96c6e1f7bbcdeff8528c4336ae8fa4

SHA1
95b2e2271e239c52338718061bbfb46b1adbcde9

SHA256
f95fa5fe5470335388e1b7eb8c96c4e529a2a751336b09290dc152411d634d5b

SHA512
abd6cbf7d3fd7cbac8d65fff5581db27600c1241de4e2a0d25b0591be1294a42206707e2f3fe84a083ff615b5eccba7d0203a8448915f4b991229899a6cebfb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
6e8255e5530f0c8a0c4aeeb6db77c11d

SHA1
2c4c342ede71d7e98d0ae457d98616206b8c5378

SHA256
2e981fab40b15f6ff37b6db8338e833c74db9b6ca66dc9f3abbae085d08bdf51

SHA512
43765aed1219c6f1564383cbff29be8a288eb23b373a92a89f55f1a644ec73f26c2108214e2bd00ff19669faf43298f9de5282b95d901606c67ae33909d0612e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
e2e0d321802537762bb42a23f36a4c54

SHA1
98c2ca6c3bc0070bbe72aa9d627d796d56009807

SHA256
d40bcf98960e9998cc006a2a909d9d191549ab9ab412900fd4d3c25d79ada8a5

SHA512
f203889ea7e5dedafb81d25927ede0b3ffcc5cab2231a2ea180e54c999b7d0854e0430447bb41aa62eb46786cce7d9ed42c11008a212eb5d1855b7dea4a0124d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82f67f67d27e2143b4aecf0841bc81d9

SHA1
cdd7672882c65fe60f8bcd01eb7ae7fb7ff1de38

SHA256
84e7a91f4bd67ddb9067a6b20097a6183d3b0edbc35c18051deca65fb6a0987a

SHA512
0decde02df3e2bc2fb340136070da5dff0c02b1cb3a2d4e52956ff4140614ed6c5dea5b77f68ad3bb9eaaf6cf3e7d1eb2da3f9b7ba08c54ddaeca71e43b97c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4dd93f1563be31d894f5631979070da

SHA1
36a3956a21ed377c565509f322dc6cfb513b90d3

SHA256
68cdf3591c586e0afa55c68ff03be55f22fcc1ce92179308292bcf2899423811

SHA512
4ce2786b37e59f72a41cefb0c39424e37f32a18ec0b4d65407e20cef14b109e86fec150ad3224e756d5330ae14a82191c7a3276aa342a9f26a73f45d8d8c9478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
760a2a1f157f6bbb1e307ea7d266b91b

SHA1
b844e0ec7a6c5d8fc0f5ecb30858c534697ec753

SHA256
3afc3b8250dfd203289459bf8b3687b6024e149ba3f9b676929570d502761254

SHA512
155b363b12dacfce5a2be4abbb800e6c16257ea9c04b65df5da209edb9204ea6158db1e2082adc52a5b361e89a07267c43d30a09b5f1e62b2b510dea742b5ec7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a57007a545dd2b7ca15d18d05657f1d8

SHA1
c73e68de4fe20ccedbed0f8d47a535df0a873991

SHA256
518aacd2d277b6c2833d8150d02ce6b94c4f5df30c1f126cdbda41fa5ff2396f

SHA512
dcc30ee3f0a6ab8a1e2ea74529c54b27d6d0410f473968ada58ae266c7d7b6d82e6b8f1583b85a128c120b33cfc6061bb943551ba2161344c888f2f568d6a2f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
40f19c4bfb285a828d5e9e2957f65aa7

SHA1
684f7ce6114979b67118a258d1543506ce1bcb04

SHA256
2ce3e62a29ed9f784beda4c35c6bae9c383ef4fb09c55e2a0d2ba57531dfc869

SHA512
3102d03b3e57831c19e653cb4e6f890a47284eed47ce2acdb221985ccb600f74275938ce39b963a4e2c599192489a153d297c5aa30fd11243698f01099b79dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13369780736329363

Filesize
1KB

MD5
202ad10b70f77589e8929c4c1fc6af58

SHA1
b91059ba443ace3eda601a0c803221e475c5b16b

SHA256
0ce6af158d0c7f568ad687c2e0f213cd3ee825078cd10a955158cf69ece5a3a1

SHA512
77598b667155dd9a4a38953f4b38391cdb7e90eb50472dd37b5815988d58df4945af8d4ccc4ff0eb24cab9e00e80f79799792d1093c8fabc0a63053a6f2039d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369780736624363

Filesize
1KB

MD5
5bc0e02b03e423353037e64f216730c3

SHA1
f4f9790776afbda1adb48718332fd0be76a1a545

SHA256
2c40ac0592d3aa3420d936e2ab62429c271c38df185b02366694b33a9b71cd57

SHA512
7096fe48c134d9df8f9ab2b57020e489ff446f6fc13c0fc8fdb6783ee520a1f526027e9ecfb9b28bba97eb648e892177957e624cf390b97e44044564711d6ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
21940eb502adc0b75d6d2689b53d7dab

SHA1
94b64d985213922c29a53939fbf25b057d6e62e5

SHA256
ed9245cc1d6b535ca889d899607d46eed8d61f6e59d5e46fcddf9cac8b6fe263

SHA512
be842b6a4eab6d1fd2c5d9534ea04daebe5b4455d8ab522d1936c8060817ca74d712db5997c8bef65b303ac0dc3bcf0111914854ce1615ec02f7831dec1b5638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
63bc2c2fa6f34841b1e3165b289b94a8

SHA1
cab4cd2e373acee0c8b6654c9340f01d1e46515d

SHA256
16adc193341bc6662f83c2eb1b5aab1a6c0821c60ff63f2aa16b58cad16fff1c

SHA512
8362466cc14da961de9b1ad2d56f28d38c472bc11a343547775aef97d222e64dc01a086e3b5c8c2357b1f2e464412d6baeffc5f93365ce210334af2a1b74fa74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
3852308d949e1409d9f4837425d11f1b

SHA1
8b808c415b3dd6d586e726fb183d2176bb83e67b

SHA256
c7cbb4fae435c7a3076f6dc7e5a14a272bdd6cf37c6682b4e56164a09d836a88

SHA512
6bf1a501fb0a12879407e42a96008ec2aa38bbded06843542105c8164b30eed8e0425b7d8bab1aa9e95546aad35f8633b8a17ac64e8657ca1d8143d1d3f8e29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b31a8476-2d88-4f7a-a8c1-ab1795125779.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
93d7dce2482fcaaf6b879dac813b6b81

SHA1
75611ead38afe2056e12be65c649cd2b9aa64025

SHA256
82f900ad0f4cd993ad17b8bcd864bec6e72872c1b7c77d6c6c82d955a3183af4

SHA512
39cb352636e0224d7d8e0ec9558c7684258fea74a1dc4a4cdf5b7a9b92634a1f497c559bdde7ee5e79ace4245282ec3d32df59c34725047c5db0c50e7e9a9756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
194B

MD5
a48763b50473dbd0a0922258703d673e

SHA1
5a3572629bcdf5586d79823b6ddbf3d9736aa251

SHA256
9bb14ea03c24f4c3543b22a8b4e9d306b926d4950cfcc410808ecac2407409fd

SHA512
536406435e35f8204ce6d3b64850ffb656813aacbc5172af895c16c4f183005d69999c4f48f948875d9837890f290b51a7358ff974fb1efc6ba3d1592426cca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
79f0372969cb26bdab99019bcb82d447

SHA1
c4c959c7d830ea2c214d45498942139bebc60ff9

SHA256
7921f220edab27855aaec10a5db8e5c7ccddbacc641dbf096ad1d816918f402a

SHA512
b480bc276a3962a2a9c08f6505e04a48b37820dfbc2f614e8dc0f535899e2e4f9161036e07a9cb089ac4a590b2f89bd3c14621fd94ad80c01475935bf9e57c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
e9953489bdb3f0735134d10f866c246b

SHA1
f0c3815ac730892d0c5b3d1aff88c209c98830bd

SHA256
a7d8b9c81428fe985ee27b30c1648f508d5a47c942acbf0c3511e9e6a2032d77

SHA512
7ca1afed1427a8530bde4d8ada46feb8937c222f03af752d0318a183989d74fcf11c9c895b1fd62a1d61f1e56ae4fbb0d87779de8829759fef68626cd71be856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
34446aa5532f8240ff16eb2f361084fe

SHA1
871ce18f659010980d0c0d085b8445c9fc36eaf2

SHA256
bec23674cf58cc7b65c79c7a113d19cd7b8b0c38a55a06bb4c3ad649fec0d5b7

SHA512
e8fb80e0f6de42f6ab6672f19c4f5518e78353f6c9f4f3d7c5b24194eee89ffb5d48cd9ccb4570fd70075edae2795784bc545a02e768771d33260675243b85a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
f7e276cf4854661891b237a4da9cb504

SHA1
57aee3bec2ba0d95ece55fce7bcc85045c41e626

SHA256
fc8f9b827820e5650d853eb1aa19b857d6ebec68c2153596404cf6f8a3b7e1e3

SHA512
7c0f6bc65783c1b4be89acec0e3f8a009edbe9c71a6497885c6ff47cc4ccefa432cf6d8fcf4aed32e7107e771ae4efbcdfc167a05a12bb09e1f6b4a2ba28978d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7597d920d36df0a87513740a759e7ad0

SHA1
76491be198f5297c3b3cbd26cb4ef6e5cf5fc7f9

SHA256
e45f4481b057259d8c1985e73763514d6671303331bb9c60da04c30e259ed815

SHA512
0f3a8f12a6f67ced13e1ea4cec18dc591ddad4eb28a7aeb32d984fe36376b8a6f57c8fff5286f9b73085f07fce9b0e4857a14b9129d3e8dab88afc4e6ea85814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7301d12f02d74f6c8b9929a1ad3de742

SHA1
7473d91435dc509e7bba87a1df9448129465f79c

SHA256
e9000945fdf3c1e54d3392b13539fdb672ca661bf3593cff2854b6bb68e4bb7f

SHA512
3453163d3ec07c112a45c2492e2d51e8d3356bb5694d4faa5385ee3c8d5669892bc36a9ae0c8cd59b05bd247d03c69e1e823b3b051ecc5a48f1de35641560471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
96357597b47e038dc9f8da54d7ea8b0c

SHA1
c54be19273f5ad2574218c2b063deafdb96652e0

SHA256
29bea911630d6191db5953e6c65938a73e1332a28993c9a272ec8a2764d6a947

SHA512
3be4861159e604f263e3d53ede4cb6bd59d48dacbb563f68b7f3d2754b045e3816e2492b2885413d1bcd73b2d947a356696b160ef1cfdf8add5b403b2729e575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
478204d8ebd5385464ef69b841a90ac6

SHA1
4238f2e83b1acaa2f0ba449fb285a745ec6c1dfa

SHA256
1761d3251fefab7577cac37aceb485822cdfaf37ef9acc70c965c13bfffdf5a6

SHA512
2796be8227b2758255d5391ac1b0ed5e05db86e718e77bfb6578ea34c1a76f539e861756ab9393363a431c715f31f158f38e1c2706b1fd5a863638ce8bd932b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
89f945e3c764d35bd5dd94e5244ce579

SHA1
6239104d2d19cf825c2e558cfec756220da8ee08

SHA256
08d02bf75a7a105b6afbce1329f24e9720157a35d89bf8bd7a90a31e47638e72

SHA512
086d74b449d1c91581f0d7d2c7f7e660e9890ae3f69095d487e9da84a852fa1d4ce160ab36c1d9eca0ee0a946b68699c6bfd56cdf671715e5347c2fe3c9fe0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
349c3fee12dc370bb94880dfb6fd85ec

SHA1
ec1cf4334aec11816b09f5d3d3b4524c7fc17ebb

SHA256
9d9807d44c633ca4f53ab966f1f7f3e74236e2b97b3fe5e4fdb386f61fb83d4f

SHA512
d313cc9eab375876c89ea014f992e1715e639daad6575e2dbb80a3a6af3b17f5a90d5e5f3ad4b2f36c9f456f9e81e2dcd33714e667f0044a3a37617d805e267a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
7cb0ce40c0e901943e11cc71c8cd2927

SHA1
40803c61d380e5ee9804e8843c86a494194aba61

SHA256
b0500bf713b8740c6d748cb72937922cd929bf29e527612c8c2d5a07add3a1ee

SHA512
bfc03072ac4b936f41f30014e3e810a399d061e5ce4e2f6f04ae9b36e0b6218e689f68647e49b4731c8dfa227a81643563ab1ca5188e1e9ec0fd10e4a7f02370

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k4md4jae.bs3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
439KB

MD5
bbc212bd99b3cdbdf9ebea621b2ec078

SHA1
31b3bd37ea5c37ee034ed92c3643fef177b130e5

SHA256
def6f4ec76d2069322983c6eca95a313cb9a8d2456447dae67db7cb1dfe3acdd

SHA512
286e2dbe13d9e3732406bda3d55a1a673deb1c8f81669d8d8dc1d2bc5e30f2e8dbd13fc59bef3d13417afc1427243c51223d754422b2efd45b20600987c11737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk

Filesize
766B

MD5
085a2384704e9125771aa3747bf21db4

SHA1
2c030aa2ead12f3b601d7ad820929b1b7a4ab794

SHA256
f4e8941b27b6cbb7abf12f034a4c85ad88d6e151e182e69d9896e4c874a4095b

SHA512
aebd8e70541cf7b23c53eca49eb96dee6df855b878745a6e4e89a54023ad65b43dae9acf266347c18c35c9e9ce26151f1f784ed6467add00c31d4f9ba21097fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
17KB

MD5
a00b70a3059b8766555329950840449f

SHA1
bae815343c9354f59fba10e4d4310dfe3b76adea

SHA256
9df18c0ef91472524d735bb81ced027755ef05a4d39bbd8213ee0a1d3bd86cc0

SHA512
b8ebfba2298f0ad6d340cc80c8a3d49163b9a55bed9398a2bcb4b77ee316a71dcafe926cf28c003e00cafe26d0b506b7836aa488b95fcb0446bb2539b27008d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\AlternateServices.bin

Filesize
6KB

MD5
688d731a83dfb17ed2d39b81e48a7c6d

SHA1
fafe3a5e56c0972a3a4ef034165756cdf5bf549f

SHA256
56f13adfea61bef3f6007a647d521168a3147f83cd5f8849c5928431e06fe5b4

SHA512
75a779c09b365fd3b95ce4e76b9d802c74f69610062ae0a2fb825a59e081518d60e72b665b8a97fe432d76b37d56d4ae003c57016c45588d94aaf4950b43f95c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
938989289fc2f294a8abda95a6933e66

SHA1
42410dd9ba640a1ab850b62f08e704a16fabf120

SHA256
b5412ff2b053c844bb1b71de6a43a9451274824447386f8f1be92aa6b2783692

SHA512
a063ab8e0fecbbfa87192e4bedc5c768f8de91184cd27859c4320b303edf184d585db99f5cc0292f539938856375fb155677845074ede0a40352c42c05d04753

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2489c55c572ca1469cc662444fca63ae

SHA1
e69678253fb369c6ce4d97af06ef8ddc95166257

SHA256
c10c0cdeb3ba9d2252082617c806aac2fb3b42307f221b68ab7d9eeb64b59d91

SHA512
0d68c94c0f9f9668aea0d914acee94dbacd2398f477eb5ebef8386c152c2d1b34268854e17621f9814de585ca18f9649f3782bde85a0cbbf66216966ba4432af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d17d287c69080c4afa1c6144fc48c12b

SHA1
265d838a2abb08610cadc8d117bd875f8c5a0228

SHA256
265bf7cf374970378131e64539664f6e119a5519b582341195b2b7a79d691917

SHA512
ef9d08f2ff5a958aedcd562b82c878ba6e33655b23624cf35d319841d87608651c3517252f82c7ede2692bdf9e5e26eb4e7f96aecbbfb5f45f6a8c6c191e25bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
39KB

MD5
c38a7efc8e2b5302535ddac38c733374

SHA1
a4754574a5c5997843c926bb89789be8f4132359

SHA256
a5d3e97833ab731b229849e506dd01554e10e8d3301dc807ba28e3a335c67854

SHA512
b95cc0bd13a7239d27e08258058d953cdffeb7be3c456857b39b601523ba4b314af3b464a5a67d45f24e0647f1f9acb9b60090f815b776183be31000a8854d4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\db\data.safe.tmp

Filesize
13KB

MD5
18cf4bfc14e2b5cc8c72428090bef127

SHA1
bbe7d2d617babb96db7f30eaa9759637826f24b6

SHA256
9e021e7987fde06269a845d006b4908e2fbb5ec8c358b9825b1b4e590c9531a3

SHA512
a7ec4c0ecd469a893cf0bbaab9688be4084626f984595557cfaee58cf08c4cb9d53d44825de7819b95b6037597dad0f023a4194f6102506c492ec4f6e2649d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\0931ba82-fc12-47d9-b54b-6867078f2a74

Filesize
671B

MD5
625b8c5b79a5fcd1e6705a154c60fb31

SHA1
eb935daab1fbe43509b9a8c33bda6a2942d3fc9d

SHA256
89282c5d6a2b7e6c64e97f94019ac9e453a57d50b4b083185c3c8c4f0a47a987

SHA512
4722b915767223fdc6ef6e07f28b7e735d639509c4e3bac38128fdbfb75aaf94917fa36d563a74b15abd9773e74fee260f021d5aa101443d6fdfd1bcfc8118ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\60d66b53-010e-4250-b6ad-7fe0eb3f026d

Filesize
27KB

MD5
094ef53d5e3741481cbb19b3d34fd0ef

SHA1
05a66a59c8fb08391d166b057f39591ddf70cba5

SHA256
b922ecbad29d1a8f4a0fe7fab0ae5beca95fc30dd23942e24ab53b8d2d20a7c7

SHA512
8729efd05433ef6f2e3161a29467677afa61465ae9712b595c7ddf0e149d6199a4c993457153eb4eb9e05b534f04dbcf6825f70f9903151d24671b0c462cf187

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\800fa624-e3cf-4221-869d-43cafa54eebe

Filesize
696B

MD5
b637045ad100e83e919b7670722318c5

SHA1
63ba8394f6e573a26a3221321a112a7ad3f77a9e

SHA256
a28ab01f1368b483faeebb45744b47896c9332a4bb49143ff3701c343bf20a4e

SHA512
be0b50de50379bfecebfeef5af72dee1b4cabb4b6fff1bd179a0d025eef9c18ff745fae79e5e563b46fcfded4b95949a6a3d67e69882200872329b53a5644c58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\datareporting\glean\pending_pings\eb0d13c9-28b7-4fcb-b0e9-ac1abb69d319

Filesize
982B

MD5
f8fb63efb6c4abe6879a965127d29345

SHA1
1409c8b0e5884e898fe597aba7d842257d20b80b

SHA256
6891ac25fe04dcce6d01a4b5bb0236d8410818404e417ad3ac5b92f1a3eefd86

SHA512
6271a9d9f36d10ccc3bf0e00d6f3516a810bb7aae603598b27f820fa13495bb8a75ec63f6fdf985ee639fad4f843090c12902ae57f43672f44725a4b0089f7ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
13KB

MD5
73c3a6eceec23d8882be3aa2a9f43faf

SHA1
be0cedb575ca7a732968d0058dbaf4b8982c05cd

SHA256
f51f78e92cd74ac189d51b1a07d02f0ef02fac2313343ab89606e856b6212961

SHA512
b3869d0116ed031aec6f87afebd586b2207f955326fdfa87cd64f89c5aa7315da315cb4ad83656946da680902f170c1bdd99238bc6574ab9525924b9a22da380

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
16KB

MD5
4cd03524730c1e2463e0b387c1e402f7

SHA1
52c1ae301c01ff0fadeba3838755453923a95192

SHA256
30e5886b9e90ca62e159b4b07726538639da0f44f699c934f16c33475f0d7e03

SHA512
4368b31e3b9c6124eb367972e254b785dc8b50b27c5265abb831f6578f3388243b88cfd1b08b7cd77ac37d992b921b81e8c6f1f7abb43dc5c7293e155f1a6e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
c966c1b47f2d1eefb7770f9a840da81f

SHA1
b6166734658970af37e777f16718e9ca47ae201f

SHA256
3e1dfc873ca7b9d590e43e02104dd1ab21b51b99c3d454f77c6a70fd4f8973e9

SHA512
31b792971132532fd92180a4b3e578451d9765eb48885c79557aaed3643319dd05d12c847b024ee7df2e5ae63058014a1d407055d4c92eb4a4655e9b000ba676

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\prefs.js

Filesize
11KB

MD5
03c369d1f437580bd5e0cb04fa8a0d94

SHA1
34c437dc7ea88189590827e06d16e50371285619

SHA256
bb71a520377df14f5d8362f2988e817aa51887576e93464040ab19dafa66472a

SHA512
23348cf5e71e2b5753e6e04766aebbceb75305649aad83e1d8be1ae50503ea72ddbc7d622c2047dea8f7fc7c4a8671b6e41451a80dc4a15f7d552a44e4e231f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
a32ca46f18a341e3d38864b2c54fcb38

SHA1
3d2aa2d34a81a1d96e4f0b107e7a545ecdb98859

SHA256
59e123b46b126fd14ef8b8c403144b8cb76a368e51d0605d9cfb6c8c2c7020ff

SHA512
dd2fd1d7f11bd1c03929c3dc5c7f1019f4893f224a514be08b6d589324881d34d3173d25861fff41b05433a428f3b29df9f747d761af378f90cf1d614f27f400

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c2c408e4ffd18fdc43498156968f5452

SHA1
99a32048072375d6df0d6719dcec2f605543c912

SHA256
505fc32f8ce411faefd4fc1092eb9b5f2ff03a6ad12b2ac34dc566e3a025edeb

SHA512
7961c8ed46f0f966579836a199cda1af564ef40f881396b12856b4f7ac3150e17b0dfdb706a82ec3c77154f80ced49b0de94f93b7156e4ddae9b57d44f212751

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\default\https+++www.youtube.com\cache\morgue\192\{7275a85e-0bbe-4d70-a962-091fd6f1f1c0}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\default\https+++www.youtube.com\idb\358387590yCt7-%iCt7-%r1e5s3pfo.sqlite

Filesize
48KB

MD5
8a475ec48d10c6be17eba0c5e74d10ba

SHA1
82a0b39d9cd9a9c484a891d3d0c1dff186662f46

SHA256
401cc9abffb86038963ce61aaee07b2cd5e20393dcb570e1b244a00969049258

SHA512
9fa60116b1e4ee277ae8d842eb3d2814512b4d0e56a0bd7b11ef9f9944406be1ef2c13c2dce3b1a15ef32e3903c6c564d7c9bc28b75c701a12f6a68a3c641d0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
b5e214d69464e69abc1ab1c62432e8c6

SHA1
697c9720fa7dd44dcfa5d62d0ab20028684482e9

SHA256
d22bdc4ddcf4fd10202f693d9040032c6cfbec1ce86bafa508b2f2900a434377

SHA512
e1af244b2f80b0c0c8f8bb6572341c80a63ec1f84f3d4fba794540ea048710b41cd241cc7db0fcaaa9be897c6bd37c695edd20b59a2bf265d1d9386f8fa1ed5d

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
88b188069f5ec73927d6e2f024177bf7

SHA1
06add08fe52cef926aa454cf7bc4cb267e88ff6e

SHA256
8a0f61b43c42d9b5f7908fbce0659bed46158516b7c8464fcdc60a0c212e5294

SHA512
51ca4ecab41ba85f4bc38c9f68d300fc071ffbbee8f6a86e855a09ae0b8033d318a718f3507962e86c92568340029f94d98b30bb47da3ae48bfe522e57be9624

Download Submit
\??\pipe\crashpad_536_UQXTCHYPVOUCBXLN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3728-4441-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/3728-59-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/3728-0-0x00007FFDC3C93000-0x00007FFDC3C95000-memory.dmp

Filesize
8KB

Download
memory/3728-56-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/3728-4157-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/3728-1-0x00000000000C0000-0x0000000000134000-memory.dmp

Filesize
464KB

Download
memory/4464-12-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/4464-13-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/4464-17-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/4464-14-0x00007FFDC3C90000-0x00007FFDC4751000-memory.dmp

Filesize
10.8MB

Download
memory/4464-11-0x000001A268B90000-0x000001A268BB2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads