Analysis
max time kernel: 141s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/09/2024, 17:46
Static task: static1
Behavioral task: behavioral1
Sample: Orbit Executor_38541207.exe
Resource: win11-20240802-en
General
Target: Orbit Executor_38541207.exe
Size: 9.5MB
MD5: 7c6ee11bb51836c324084fcc3c6e2445
SHA1: 98a55adddca774d5e402bea0bbdf8054332975ef
SHA256: cefe4e9c6fe234191788d51417bf9de9fb3a65078c6c4ad82918e35f70f415e3
SHA512: f0adbe141fba42b56cf4594de8fee80d69da95478a8abb05d39dae345c735953e8c8927a34ea34bc5dfb039a65719059c1089dbc503761bb3dfb2ec679dbce24
SSDEEP: 196608:aK0MPGCiZt9cKOrqNRxmQ3bKfIiaNPFHNRsiKS:J/Ph0SrqNRxL3bIIiEHMnS
Malware Config
Signatures
Checks for any installed AV software in registry 1 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | setup38541207.exe
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
4 | raw.githubusercontent.com
46 | raw.githubusercontent.com
64 | raw.githubusercontent.com
65 | raw.githubusercontent.com
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid | Process
612 | tasklist.exe
972 | tasklist.exe
4816 | tasklist.exe
3700 | tasklist.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Executes dropped EXE 3 IoCs
pid | Process
4240 | setup38541207.exe
3324 | setup38541207.exe
4436 | OfferInstaller.exe
Loads dropped DLL 64 IoCs
pid Process 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe 3324 setup38541207.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Orbit Executor_38541207.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NOTEPAD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Orbit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | find.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup38541207.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OfferInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3584 | msedgewebview2.exe
3452 | msedgewebview2.exe
2140 | msedgewebview2.exe
5368 | msedgewebview2.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Delays execution with timeout.exe 4 IoCs
pid | Process
4996 | timeout.exe
3420 | timeout.exe
3416 | timeout.exe
3984 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Opera GXStable | Orbit Executor_38541207.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | Orbit Executor_38541207.exe
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | Orbit Executor_38541207.exe
Key created | \REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings | firefox.exe
Modifies system certificate store 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 | setup38541207.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 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 | setup38541207.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 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 | setup38541207.exe
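The Blob value written under ...\SystemCertificates\AuthRoot\Certificates\<thumbprint> is a serialized certificate-store element: a run of property records, each laid out as DWORD property id, DWORD reserved (always 1), DWORD length, then the data. Property 32 (CERT_CERT_PROP_ID) carries the DER certificate and property 3 (CERT_SHA1_HASH_PROP_ID) its cached SHA-1, and the key name, here 8CF427FD790C3AD166068DE81E57EFBB932272D4, is that SHA-1 thumbprint. The Python below is an added example, not Triage's code and not anything shipped with the sample: it parses such a blob, recomputes the thumbprint from the embedded certificate and checks it against the key name, which is the check an analyst wants before calling this signature malicious, since the same AuthRoot key is also populated by Windows' own automatic root update when a root is fetched on demand. Because the report elides the blob bytes, the sample blob is built around a constructed placeholder rather than a real certificate, so its thumbprint will not match the report's key name; `read_authroot_blob` is a Windows-only helper (assumed usage, not run here) for pulling the real value out of the registry.

```python
import hashlib
import struct

# Property IDs from wincrypt.h; these are the ones worth checking here.
CERT_SHA1_HASH_PROP_ID = 3
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized store element into {prop_id: data}.
    Each record: DWORD prop_id, DWORD reserved (=1), DWORD cb, then cb bytes."""
    props = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + cb > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + cb]
        off += cb
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def check_thumbprint(key_name: str, blob: bytes) -> tuple:
    """Recompute SHA-1 over the DER certificate (prop 32) and compare it with the
    registry key name. Returns (key name matches, cached hash prop 3 agrees or is
    absent, computed thumbprint as upper-case hex)."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (prop 32)")
    digest = hashlib.sha1(der).digest()
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    return (digest.hex().upper() == key_name.upper(),
            cached is None or cached == digest,
            digest.hex().upper())


def build_blob(der: bytes) -> bytes:
    """Serialize a blob the way the registry value is laid out; used only to
    construct the sample below."""
    def rec(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + rec(CERT_CERT_PROP_ID, der)


def read_authroot_blob(thumbprint: str) -> bytes:
    """Windows only: read the Blob value the report shows being written (assumed
    helper; not exercised on non-Windows hosts)."""
    import winreg
    path = r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates" + "\\" + thumbprint
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _kind = winreg.QueryValueEx(key, "Blob")
    return value


# Constructed placeholder, not a real certificate: it stands in for the DER
# bytes the report elides from the Blob value.
FAKE_DER = bytes.fromhex("30820010") + b"constructed-der-placeholder"
SAMPLE_BLOB = build_blob(FAKE_DER)
REPORT_KEY = "8CF427FD790C3AD166068DE81E57EFBB932272D4"

if __name__ == "__main__":
    matches, cache_ok, computed = check_thumbprint(REPORT_KEY, SAMPLE_BLOB)
    print(f"computed {computed}; matches key name: {matches}; cached hash agrees: {cache_ok}")
```

On a live host, feed `read_authroot_blob(REPORT_KEY)` into `check_thumbprint` and then decode property 32 with any X.509 parser to read the subject and issuer; a mismatch between key name and recomputed thumbprint, or a cached hash that disagrees, means the element was not written by the normal store API.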
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\v1.01.1_Orbit 2.zip:Zone.Identifier | firefox.exe
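The Zone.Identifier stream firefox.exe attaches to the downloaded archive is the mark-of-the-web: a small INI-style text with a [ZoneTransfer] section whose ZoneId records the URL security zone (3 = Internet) and, for browser downloads, ReferrerUrl and HostUrl record where the file came from. The report only logs that the stream was created, not its content, so the Python below is an added example with a constructed sample stream (the example.invalid URLs are placeholders, not anything from the report): it parses the stream and, on an NTFS host, reads it straight off the file, which is the quickest way to recover the download origin of a dropped archive during triage.

```python
import configparser
from typing import Optional


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the text of a Zone.Identifier stream. Returns the zone id, whether
    it marks the file as coming from an untrusted zone (Internet or Restricted),
    and the ReferrerUrl/HostUrl values when the browser recorded them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "-1"))
    return {
        "zone": zone,
        "from_internet": zone >= 3,
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Open the alternate data stream by name (NTFS syntax file:stream).
    Returns None when the file carries no mark-of-the-web."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


# Constructed sample stream; the report does not include the real content.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/v1.01.1_Orbit%202.zip\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(read_zone_identifier(r"C:\Users\Admin\Downloads\v1.01.1_Orbit 2.zip"))
```

`configparser` treats option names case-insensitively, so the mixed-case keys Windows writes are found as written. Archives extracted by Explorer propagate the stream to the extracted files; a tool that extracts without doing so is one reason an Orbit.exe launched from the unpacked folder may carry no mark at all.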
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
4632 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 4240 setup38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 2848 Orbit Executor_38541207.exe 4436 OfferInstaller.exe 4436 OfferInstaller.exe 4436 OfferInstaller.exe 4436 OfferInstaller.exe 4436 OfferInstaller.exe 2916 msedgewebview2.exe 2916 msedgewebview2.exe 5368 msedgewebview2.exe 5368 msedgewebview2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
pid | Process
5024 | msedgewebview2.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4240 | setup38541207.exe
Token: SeDebugPrivilege | 4436 | OfferInstaller.exe
Token: SeDebugPrivilege | 612 | tasklist.exe
Token: SeDebugPrivilege | 972 | tasklist.exe
Token: SeDebugPrivilege | 4816 | tasklist.exe
Token: SeDebugPrivilege | 3700 | tasklist.exe
Token: SeDebugPrivilege | 2316 | firefox.exe
Token: SeDebugPrivilege | 2316 | firefox.exe
Token: SeDebugPrivilege | 2316 | firefox.exe
Token: SeDebugPrivilege | 4280 | Orbit.exe
Suspicious use of FindShellTrayWindow 23 IoCs
pid Process 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 2316 firefox.exe 5024 msedgewebview2.exe 5024 msedgewebview2.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2848 | Orbit Executor_38541207.exe
2848 | Orbit Executor_38541207.exe
4240 | setup38541207.exe
2316 | firefox.exe
2316 | firefox.exe
2316 | firefox.exe
2316 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2848 wrote to memory of 4240 | 2848 | Orbit Executor_38541207.exe | 78 (3 entries)
PID 2848 wrote to memory of 3324 | 2848 | Orbit Executor_38541207.exe | 79 (3 entries)
PID 4240 wrote to memory of 4436 | 4240 | setup38541207.exe | 80 (3 entries)
PID 4240 wrote to memory of 3396 | 4240 | setup38541207.exe | 81 (3 entries)
PID 3396 wrote to memory of 612 | 3396 | cmd.exe | 83 (3 entries)
PID 3396 wrote to memory of 4904 | 3396 | cmd.exe | 84 (3 entries)
PID 3396 wrote to memory of 4996 | 3396 | cmd.exe | 86 (3 entries)
PID 4436 wrote to memory of 2324 | 4436 | OfferInstaller.exe | 87 (3 entries)
PID 2324 wrote to memory of 972 | 2324 | cmd.exe | 89 (3 entries)
PID 2324 wrote to memory of 1652 | 2324 | cmd.exe | 90 (3 entries)
PID 2324 wrote to memory of 3420 | 2324 | cmd.exe | 91 (3 entries)
PID 2324 wrote to memory of 4816 | 2324 | cmd.exe | 92 (3 entries)
PID 2324 wrote to memory of 4012 | 2324 | cmd.exe | 93 (3 entries)
PID 2324 wrote to memory of 3416 | 2324 | cmd.exe | 94 (3 entries)
PID 2324 wrote to memory of 3700 | 2324 | cmd.exe | 95 (3 entries)
PID 2324 wrote to memory of 484 | 2324 | cmd.exe | 96 (3 entries)
PID 2324 wrote to memory of 3984 | 2324 | cmd.exe | 97 (3 entries)
PID 2848 wrote to memory of 4632 | 2848 | Orbit Executor_38541207.exe | 98 (3 entries)
PID 4580 wrote to memory of 2316 | 4580 | firefox.exe | 102 (10 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\Orbit Executor_38541207.exe"C:\Users\Admin\AppData\Local\Temp\Orbit Executor_38541207.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\setup38541207.exeC:\Users\Admin\AppData\Local\setup38541207.exe hhwnd=393624 hreturntoinstaller hextras=id:964bc9f9d4b9a45-US-u9hAJ2⤵
- Checks for any installed AV software in registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\tasklist.exetasklist /FI "PID eq 4436" /fo csv5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:972
C:\Windows\SysWOW64\find.exefind /I "4436"5⤵
- System Location Discovery: System Language Discovery
PID:1652
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3420
C:\Windows\SysWOW64\tasklist.exetasklist /FI "PID eq 4436" /fo csv5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4816
C:\Windows\SysWOW64\find.exefind /I "4436"5⤵
- System Location Discovery: System Language Discovery
PID:4012
C:\Windows\SysWOW64\timeout.exetimeout 15⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3416
C:\Windows\SysWOW64\tasklist.exetasklist /FI "PID eq 4436" /fo csv5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3700
C:\Windows\SysWOW64\find.exefind /I "4436"5⤵
- System Location Discovery: System Language Discovery
PID:484
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3984
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\tasklist.exetasklist /FI "PID eq 4240" /fo csv4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:612
C:\Windows\SysWOW64\find.exefind /I "4240"4⤵
- System Location Discovery: System Language Discovery
PID:4904
C:\Windows\SysWOW64\timeout.exetimeout 54⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4996
C:\Users\Admin\AppData\Local\setup38541207.exeC:\Users\Admin\AppData\Local\setup38541207.exe hready2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3324
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:4632
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2316 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dbee728-1fd4-41e3-9240-01b5121c3760} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" gpu3⤵PID:1528
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2312 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb254af-6ad5-411b-8bd9-2f73130ab81e} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" socket3⤵PID:3740
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3144 -childID 1 -isForBrowser -prefsHandle 2548 -prefMapHandle 3096 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cac280e-2771-48a1-ab50-54b1bbeda9ac} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab3⤵PID:2080
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3036 -prefMapHandle 3164 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c33750c-8085-47bf-9b23-e427d3377bb9} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab3⤵PID:4780
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4584 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c9b4aa4-f202-469e-8151-91059657cc97} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" utility3⤵
- Checks processor information in registry
PID:404
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 4308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28efe327-6844-4cd9-87c9-210b3230cd6a} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab3⤵PID:2264
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c68a26ca-257f-4e5f-a04b-f0030fe7f4c8} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab3⤵PID:904
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5780 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdd13fd2-2aa9-4056-80cc-de7bc1e6263f} 2316 "\\.\pipe\gecko-crash-server-pipe.2316" tab3⤵PID:2932
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2552
C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe"C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4280 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=4280.1812.141748203313380192962⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5024 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView\Crashpad" "--metrics-dir=C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x134,0x7ff8f58a3cb8,0x7ff8f58a3cc8,0x7ff8f58a3cd83⤵PID:3164
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:23⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3584
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2072 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2500 /prefetch:83⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3452
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:13⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2140
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,354365670984720667,8889417735792050422,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\Downloads\v1.01.1_Orbit 2\Orbit.exe.WebView2\EBWebView" --webview-exe-name=Orbit.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=4632 /prefetch:83⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5368
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3328
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1920
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Discovery
- Network Share Discovery (1)
- Process Discovery (1)
- Query Registry (4)
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads