Resubmissions
date              id                 score
07-09-2024 11:17  240907-ndvx2s1gra  10
07-09-2024 10:21  240907-mdzqkayhpb  10
07-09-2024 10:21  240907-mdq4esyfnl  10
05-09-2024 22:04  240905-1y2bsa1clp  10
05-09-2024 21:37  240905-1gl6ja1bjb  10
16-08-2024 00:38  240816-azcrpsvdqe  10
16-08-2024 00:13  240816-ah5fdsyapm  10
16-08-2024 00:04  240816-ac4a5sxglk  10
15-08-2024 01:57  240815-cc95ssydlb  10
Analysis
max time kernel: 575s
max time network: 579s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05-09-2024 21:37
Static task: static1
Behavioral task: behavioral1 (Sample: Downloaders.zip; Resource: win11-20240802-en)
Behavioral task: behavioral2 (Sample: 4363463463464363463463463.exe; Resource: win11-20240802-en)
Behavioral task: behavioral3 (Sample: New Text Document mod.exe; Resource: win11-20240802-en)
General
Target: 4363463463464363463463463.exe
Size: 10KB
MD5: 2a94f3960c58c6e70826495f76d00b85
SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted: djvu
http://cajgtus.com/test1/get.php
extension: .watz
offline_id: Lc3VTezPWbMhuVAQFzJUdeA68PwI7UDpc5aKHYt1
payload_url:
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/abe121434ad837dd5bdd03878a14485820240531135509/34284d Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0874PsawqS
Extracted: amadey
4.41
2da029
http://api.garageserviceoperation.com
install_dir: 69c36458f5
install_file: ednfosi.exe
strings_key: 0abf6f7bfab99a62ed876fec107361d0
url_paths: /CoreOPT/index.php
Extracted: xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
Install_directory: %Userprofile%
install_file: USB.exe
telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Extracted: stealc
valenciga
http://185.215.113.17
url_path: /2fb6c2cc8dce150a.php
Extracted: agenttesla
Protocol: smtp
Host: mail.worlorderbillions.top
Port: 587
Username: [email protected]
Password: 3^?r?mtxk(kt
Email To: [email protected]
Extracted: redline
38.180.72.54:42814
Extracted: redline
test
45.9.91.71:46967
Extracted: gurcu
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral2/files/0x0003000000025a83-717.dat | family_xworm
behavioral2/memory/3976-776-0x0000000000A60000-0x0000000000A7C000-memory.dmp | family_xworm
Detected Djvu ransomware 13 IoCs
resource | yara_rule
behavioral2/memory/3032-49-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3032-51-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/3032-64-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-72-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-70-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-80-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-81-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-79-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-87-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-90-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-89-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-93-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral2/memory/4812-94-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | sysarddrvs.exe
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Phorphiex payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000300000000068d-189.dat | family_phorphiex
behavioral2/files/0x0003000000025d1d-395.dat | family_phorphiex
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
PureLog Stealer payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000100000002ab52-1171.dat | family_purelog_stealer
behavioral2/memory/5132-1179-0x00000000004B0000-0x00000000005AA000-memory.dmp | family_purelog_stealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 3 IoCs
resource | yara_rule
behavioral2/files/0x000a00000002aae9-884.dat | family_redline
behavioral2/memory/2436-889-0x0000000000C60000-0x0000000000CB2000-memory.dmp | family_redline
behavioral2/memory/6404-8081-0x0000000000400000-0x0000000000452000-memory.dmp | family_redline
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
description | pid | Process | procid_target
PID 5840 created 3356 | 5840 | Forestry.pif | 52
PID 5840 created 3356 | 5840 | Forestry.pif | 52
PID 5132 created 1796 | 5132 | 66c3721bc46fe_Ernrnmkio.exe | 184
PID 5840 created 3356 | 5840 | Forestry.pif | 52
PID 7236 created 1796 | 7236 | xsom.exe | 184
PID 7768 created 1796 | 7768 | xsom.exe | 184
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysmablsvr.exe
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings and add exclusions for file extensions, paths, and processes.
pid | Process
2692 | powershell.exe
1208 | powershell.exe
4000 | powershell.exe
2200 | powershell.exe
4388 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\etc\hosts.ics | autoupdate.exe
Drops startup file 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CloudPilot.url | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk | ApertureLab.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CloudPilot.url | cmd.exe
Executes dropped EXE 64 IoCs
pid | Process
4352 | 8_Ball_Pool_Cheto.exe
3396 | 66ae9cc050ded_file0308.exe
1220 | armadegon.exe
3032 | 66ae9cc050ded_file0308.exe
1244 | 66ae9cc050ded_file0308.exe
4812 | 66ae9cc050ded_file0308.exe
2080 | armadegon.exe
1444 | 098.exe
4700 | Suselx.exe
724 | VIZSPLOIT.exe
4540 | armadegon.exe
2468 | mountain-pasture.exe
4800 | ednfosi.exe
1064 | ednfosi.exe
3144 | ednfosi.exe
8 | ednfosi.exe
2644 | ednfosi.exe
3396 | r.exe
4980 | sysmablsvr.exe
2724 | ednfosi.exe
3232 | ednfosi.exe
1704 | inst77player_1.0.0.1.exe
1624 | 11.exe
1988 | peinf.exe
1628 | ednfosi.exe
1872 | t1.exe
1684 | sysarddrvs.exe
2908 | updater.exe
2644 | t2.exe
408 | updater.exe
3812 | pp.exe
2844 | autoupdate.exe
2040 | 159604083.exe
2460 | ednfosi.exe
2004 | conhost.exe
2404 | ednfosi.exe
1924 | 313465787.exe
1916 | ednfosi.exe
4388 | test.exe
3932 | s.exe
2424 | test.exe
1796 | explorer.exe
4736 | ednfosi.exe
2644 | ednfosi.exe
2660 | t.exe
1604 | stealc_valenciga.exe
4944 | notebyx.exe
2436 | new1.exe
1848 | ednfosi.exe
4044 | 66b2871b47a8b_uhigdbf.exe
2044 | clamer.exe
2412 | 1.exe
2256 | fseawd.exe
4736 | tt.exe
2360 | opswgxt.exe
1504 | ednfosi.exe
3932 | 2020.exe
3624 | 2020.exe
1128 | m.exe
2500 | ednfosi.exe
3160 | 66c0f6e668215_stealc_test.exe
4432 | 66b4b10e9ef0b_stealc_default.exe
2292 | 66bf3574eb3f2_FocusesAttempted.exe
1416 | ednfosi.exe
Loads dropped DLL 64 IoCs
pid | Process (repeated rows collapsed; the count in parentheses is the number of identical consecutive rows)
2468 | mountain-pasture.exe (x2)
1704 | inst77player_1.0.0.1.exe
408 | updater.exe (x4)
2424 | test.exe (x51)
1604 | stealc_valenciga.exe (x2)
3624 | 2020.exe (x4)
Modifies file permissions 1 TTPs 1 IoCs
pid | Process
360 | icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sysarddrvs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sysmablsvr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sysmablsvr.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe" | 11.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\explorer" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe" | 66c3721bc46fe_Ernrnmkio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\55b3248f-55f7-4b86-b7f2-584a50a00954\\66ae9cc050ded_file0308.exe\" --AutoStart" | 66ae9cc050ded_file0308.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysmablsvr.exe" | r.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
206 | raw.githubusercontent.com
233 | raw.githubusercontent.com
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.2ip.ua
10 | api.2ip.ua
13 | api.2ip.ua
46 | ip-api.com
50 | ipinfo.io
204 | ipinfo.io
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000200000002aae7-834.dat | autoit_exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | chrome.exe
File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF | chrome.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
6988 | tasklist.exe
6236 | tasklist.exe
Suspicious use of SetThreadContext 26 IoCs
description | pid | Process | procid_target
PID 3396 set thread context of 3032 | 3396 | 66ae9cc050ded_file0308.exe | 85
PID 1244 set thread context of 4812 | 1244 | 66ae9cc050ded_file0308.exe | 90
PID 1444 set thread context of 4848 | 1444 | 098.exe | 101
PID 4700 set thread context of 3240 | 4700 | Suselx.exe | 103
PID 1220 set thread context of 4540 | 1220 | armadegon.exe | 92
PID 4800 set thread context of 2724 | 4800 | ednfosi.exe | 120
PID 1064 set thread context of 3232 | 1064 | ednfosi.exe | 123
PID 1628 set thread context of 2460 | 1628 | ednfosi.exe | 167
PID 2404 set thread context of 4736 | 2404 | ednfosi.exe | 176
PID 4944 set thread context of 4988 | 4944 | notebyx.exe | 202
PID 2644 set thread context of 1848 | 2644 | ednfosi.exe | 198
PID 1504 set thread context of 2500 | 1504 | ednfosi.exe | 219
PID 3160 set thread context of 3868 | 3160 | 66c0f6e668215_stealc_test.exe | 226
PID 6500 set thread context of 6492 | 6500 | AdminEHJKFCGHID.exe | 271
PID 5812 set thread context of 5916 | 5812 | AdminEHDAAECAEB.exe | 276
PID 3812 set thread context of 5948 | 3812 | EGHJKFHJJJ.exe | 300
PID 6332 set thread context of 5868 | 6332 | BKEBFHIJEC.exe | 307
PID 5132 set thread context of 4104 | 5132 | 66c3721bc46fe_Ernrnmkio.exe | 316
PID 3744 set thread context of 7028 | 3744 | 66b38609432fa_sosusion.exe | 319
PID 1416 set thread context of 6956 | 1416 | ednfosi.exe | 295
PID 8364 set thread context of 8420 | 8364 | 66c9dc4089598_update.exe | 330
PID 7236 set thread context of 8528 | 7236 | xsom.exe | 331
PID 8048 set thread context of 7640 | 8048 | ednfosi.exe | 325
PID 7768 set thread context of 8244 | 7768 | xsom.exe | 343
PID 7220 set thread context of 6404 | 7220 | 66b623c3b1dcb_Mowdiewart.exe | 345
PID 8168 set thread context of 7640 | 8168 | ednfosi.exe | 342
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File opened for modification | \??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\mountain-pasture.jpg | mountain-pasture.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\mountain-pasture.htm | mountain-pasture.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\sysarddrvs.exe | 11.exe
File opened for modification | C:\Windows\sysarddrvs.exe | 11.exe
File created | C:\Windows\Tasks\Test Task17.job | fseawd.exe
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File created | C:\Windows\Tasks\Test Task17.job | 66c3721bc46fe_Ernrnmkio.exe
File created | C:\Windows\Tasks\ednfosi.job | armadegon.exe
File created | C:\Windows\sysmablsvr.exe | r.exe
File opened for modification | C:\Windows\sysmablsvr.exe | r.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3144 | sc.exe
3208 | sc.exe
2100 | sc.exe
1504 | sc.exe
328 | sc.exe
Detects Pyinstaller 2 IoCs
resource | yara_rule
behavioral2/files/0x000300000002a559-425.dat | pyinstaller
behavioral2/files/0x000400000002aaf4-962.dat | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 11 IoCs
pid | pid_target | Process | procid_target
420 | 4848 | WerFault.exe | 101
3504 | 3240 | WerFault.exe | 103
3244 | 4848 | WerFault.exe | 101
1572 | 3240 | WerFault.exe | 103
6100 | 5916 | WerFault.exe | 276
1060 | 5948 | WerFault.exe | 300
4712 | 5948 | WerFault.exe | 300
3028 | 5948 | WerFault.exe | 300
7940 | 4432 | WerFault.exe | 227
8592 | 8420 | WerFault.exe | 330
8616 | 8420 | WerFault.exe | 330
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
All 64 rows have description "Key opened" and ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the Process column, in the order listed, is:
Forestry.pif, pp.exe, timeout.exe, RegAsm.exe, armadegon.exe, icacls.exe, mountain-pasture.exe, ednfosi.exe, client32.exe, cmd.exe, 66ae9cc050ded_file0308.exe, s.exe, stealc_valenciga.exe, RegAsm.exe, ednfosi.exe, 159604083.exe, notebyx.exe, cmd.exe, cmd.exe, m.exe, 66c0f6e668215_stealc_test.exe, AdminEHDAAECAEB.exe, xsom.exe,
098.exe, schtasks.exe, Suselx.exe, cmd.exe, ednfosi.exe, EGHJKFHJJJ.exe, RegAsm.exe, 66ae9cc050ded_file0308.exe, AdminEHJKFCGHID.exe, maza-0.16.3-win64-setup-unsigned.exe, opswgxt.exe, RegAsm.exe, armadegon.exe, cmd.exe, sc.exe, sc.exe, RegAsm.exe, 66bf3574eb3f2_FocusesAttempted.exe, 66ae9cc050ded_file0308.exe, peinf.exe, xsom.exe, tasklist.exe, findstr.exe,
xsom.exe, fseawd.exe, cmd.exe, cmd.exe, 11.exe, tasklist.exe, xsom.exe, 66b623c3b1dcb_Mowdiewart.exe, ednfosi.exe, cmd.exe, 66c3721bc46fe_Ernrnmkio.exe, 66c9dc4089598_update.exe, RegAsm.exe, 313465787.exe, RegSvcs.exe, ApertureLab.exe, findstr.exe, BKEBFHIJEC.exe
NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x000500000000068f-311.dat | nsis_installer_1
behavioral2/files/0x000500000000068f-311.dat | nsis_installer_2
behavioral2/files/0x000200000002ab5b-2944.dat | nsis_installer_2
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 66b4b10e9ef0b_stealc_default.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 66b4b10e9ef0b_stealc_default.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | stealc_valenciga.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | stealc_valenciga.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
1168 | timeout.exe
4448 | timeout.exe
Enumerates system info in registry 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700464299536623" | chrome.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings | firefox.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = … | 4363463463464363463463463.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | autoupdate.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = … | autoupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = … | autoupdate.exe
Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | autoupdate.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = … | autoupdate.exe
Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB | autoupdate.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = … | autoupdate.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | 4363463463464363463463463.exe
Key created | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | autoupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | new1.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | new1.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | 4363463463464363463463463.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\SystemCertificates\CA\Certificates\33E4E80807204C2B6182A3A14B591ACD25B5F0DB\Blob = 03000000010000001400000033e4e80807204c2b6182a3a14b591acd25b5f0db1400000001000000140000008d8c5ec454ad8ae177e99bf99b05e1b8018d61e1040000000100000010000000adab5c4df031fb9299f71ada7e18f6130f00000001000000300000008b612b2190a95b28b866b9be5d0b95f368c17534ab1da61a42dfb32766f9ae2908fe6bfd1669be140eddaf0d33e95235190000000100000010000000fc741b3b78cfb31e075744fe5d0eeb965c000000010000000400000000080000180000000100000010000000ea6089055218053dd01e37e1d806eedf20000000010000001706000030820613308203fba00302010202107d5b5126b476ba11db74160bbc530da7300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3138313130323030303030305a170d3330313233313233353935395a30818f310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f726431183016060355040a130f5365637469676f204c696d69746564313730350603550403132e5365637469676f2052534120446f6d61696e2056616c69646174696f6e205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100d67333d6d73c20d000d21745b8d63e07a23fc741ee3230c9b06cfdf49fcb12980f2d3f8d4d010c820f177f622ee9b84879fb16834eadd7322593b707bfb9503fa94cc3402ae939ffd981ca1f163241da8026b9237a87201ee3ff209a3c95446f8775069040b4329316091008233ed2dd870f6f5d51146a0a69c54f017269cfd3934c6d04a0a31b827eb19ab9edc59ec537789f9a0834fb562e58c4090e06645bbc37dcf19f2868a856b092a35c9fbb8898081b241dab3085aeafb02e9e7a9dc1c0421ce202f0eae04ad2ef900eb4c14016f06f85424a64f7a430a0febf2ea3275a8e8b58b8adc319178463ed6f56fd83cb6034c474bee69ddbe1e4e5ca0c5f150203010001a382016e3082016a301f0603551d230418301680145379bf5aa
a2b4acf5480e1d89bc09df2b20366cb301d0603551d0e041604148d8c5ec454ad8ae177e99bf99b05e1b8018d61e1300e0603551d0f0101ff04040302018630120603551d130101ff040830060101ff020100301d0603551d250416301406082b0601050507030106082b06010505070302301b0603551d200414301230060604551d20003008060667810c01020130500603551d1f044930473045a043a041863f687474703a2f2f63726c2e7573657274727573742e636f6d2f55534552547275737452534143657274696669636174696f6e417574686f726974792e63726c307606082b06010505070101046a3068303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f555345525472757374525341416464547275737443412e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d01010c0500038202010032bf61bd0e48c34fc7ba474df89c781901dc131d806ffcc370b4529a31339a5752fb319e6ba4ef54aa898d401768f811107cd2cab1f15586c7eeb3369186f63951bf46bf0fa0bab4f77e49c42a36179ee468397aaf944e566fb27b3bbf0a86bdcdc5771c03b838b1a21f5f7edb8adc4648b6680acfb2b5b4e234e467a93866095ed2b8fc9d283a174027c2724e29fd213c7ccf13fb962cc53144fd13edd59ba96968777ceee1ffa4f93638085339a284349c19f3be0eacd52437eb23a878d0d3e7ef924764623922efc6f711be2285c6664424268e10328dc893ae079e833e2fd9f9f5468e63bec1e6b4dca6cd21a8860a95d92e85261afdfcb1b657426d95d133f6391406824138f58f58dc805ba4d57d9578fda79bfffdc5a869ab26e7a7a405875ba9b7b8a3200b97a94585ddb38be589378e290dfc0617f638400e42e41206fb7bf3c6116862dfe398f413d8154f8bb169d91060bc642aea31b7e4b5a33a149b26e30b7bfd028eb699c138975936f6a874a286b65eebc664eacfa0a3f96e9eba2d11b6869808582dc9ac2564f25e75b438c1ae7f5a4683ea51cab6f19911356ba56a7bc600b0e7f8be64b2adc8c2f1ace351eaa493e079c8e18140c90a5be1123cc1602ae397c08942ca94cf46981269bb98d0c2d30d724b476ee593c43228638743e4b0323e0ad34bbf239b1429412b9a041f932df1c739483cad5a127f 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 autoupdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4848 schtasks.exe 6984 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4352 8_Ball_Pool_Cheto.exe 4352 8_Ball_Pool_Cheto.exe 1220 armadegon.exe 3032 66ae9cc050ded_file0308.exe 3032 66ae9cc050ded_file0308.exe 1220 armadegon.exe 1220 armadegon.exe 1220 armadegon.exe 4812 66ae9cc050ded_file0308.exe 4812 66ae9cc050ded_file0308.exe 1220 armadegon.exe 1220 armadegon.exe 1444 098.exe 1444 098.exe 1444 098.exe 1444 098.exe 1444 098.exe 1444 098.exe 4800 ednfosi.exe 4800 ednfosi.exe 4800 ednfosi.exe 4800 ednfosi.exe 1064 ednfosi.exe 4800 ednfosi.exe 4800 ednfosi.exe 1064 ednfosi.exe 1064 ednfosi.exe 1064 ednfosi.exe 1064 ednfosi.exe 1064 ednfosi.exe 1064 ednfosi.exe 1064 ednfosi.exe 3520 msedge.exe 3520 msedge.exe 4568 msedge.exe 4568 msedge.exe 2200 msedge.exe 2200 msedge.exe 1560 identity_helper.exe 1560 identity_helper.exe 1628 ednfosi.exe 1628 ednfosi.exe 2200 powershell.exe 2200 powershell.exe 2200 powershell.exe 1628 ednfosi.exe 1628 ednfosi.exe 1628 ednfosi.exe 2004 conhost.exe 2004 conhost.exe 2004 conhost.exe 2004 conhost.exe 2404 ednfosi.exe 2404 ednfosi.exe 2404 ednfosi.exe 2404 ednfosi.exe 2404 ednfosi.exe 2404 ednfosi.exe 2404 ednfosi.exe 1128 msedge.exe 1128 msedge.exe 1128 msedge.exe 1128 msedge.exe 4388 powershell.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4944 notebyx.exe 4944 notebyx.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 2816 chrome.exe 2816 chrome.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 1684 sysarddrvs.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1380 4363463463464363463463463.exe Token: SeDebugPrivilege 1220 armadegon.exe Token: SeDebugPrivilege 1444 098.exe Token: SeDebugPrivilege 4700 Suselx.exe Token: SeDebugPrivilege 4800 ednfosi.exe Token: SeDebugPrivilege 1064 ednfosi.exe Token: SeDebugPrivilege 1628 ednfosi.exe Token: SeDebugPrivilege 2200 powershell.exe Token: SeDebugPrivilege 2844 autoupdate.exe Token: SeDebugPrivilege 2404 ednfosi.exe Token: SeDebugPrivilege 4388 powershell.exe Token: SeDebugPrivilege 2692 powershell.exe Token: SeDebugPrivilege 1208 powershell.exe Token: SeDebugPrivilege 4000 powershell.exe Token: SeDebugPrivilege 3976 explorer Token: SeDebugPrivilege 2644 ednfosi.exe Token: SeDebugPrivilege 4988 RegSvcs.exe Token: SeDebugPrivilege 1872 explorer Token: SeDebugPrivilege 1504 ednfosi.exe Token: SeDebugPrivilege 3624 2020.exe Token: SeDebugPrivilege 1416 ednfosi.exe Token: SeDebugPrivilege 3712 explorer Token: SeSecurityPrivilege 752 client32.exe Token: SeDebugPrivilege 5132 66c3721bc46fe_Ernrnmkio.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeDebugPrivilege 4352 firefox.exe Token: SeDebugPrivilege 4352 firefox.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeDebugPrivilege 6988 tasklist.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeDebugPrivilege 6236 tasklist.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: 
SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe Token: SeShutdownPrivilege 2816 chrome.exe Token: SeCreatePagefilePrivilege 2816 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 2844 autoupdate.exe 4944 notebyx.exe 4944 notebyx.exe 752 client32.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe -
Suspicious use of SendNotifyMessage 30 IoCs
pid Process 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 4568 msedge.exe 2844 autoupdate.exe 4944 notebyx.exe 4944 notebyx.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 2816 chrome.exe 5840 Forestry.pif 5840 Forestry.pif 5840 Forestry.pif -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 2844 autoupdate.exe 2844 autoupdate.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe 4352 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1380 wrote to memory of 4352 1380 4363463463464363463463463.exe 82 PID 1380 wrote to memory of 4352 1380 4363463463464363463463463.exe 82 PID 1380 wrote to memory of 4352 1380 4363463463464363463463463.exe 82 PID 1380 wrote to memory of 3396 1380 4363463463464363463463463.exe 83 PID 1380 wrote to memory of 3396 1380 4363463463464363463463463.exe 83 PID 1380 wrote to memory of 3396 1380 4363463463464363463463463.exe 83 PID 1380 wrote to memory of 1220 1380 4363463463464363463463463.exe 84 PID 1380 wrote to memory of 1220 1380 4363463463464363463463463.exe 84 PID 1380 wrote to memory of 1220 1380 4363463463464363463463463.exe 84 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3396 wrote to memory of 3032 3396 66ae9cc050ded_file0308.exe 85 PID 3032 wrote to memory of 360 3032 66ae9cc050ded_file0308.exe 86 PID 3032 wrote to memory of 360 3032 66ae9cc050ded_file0308.exe 86 PID 3032 wrote to memory of 360 3032 66ae9cc050ded_file0308.exe 86 PID 3032 wrote to memory of 1244 3032 66ae9cc050ded_file0308.exe 87 PID 3032 wrote to memory of 1244 3032 66ae9cc050ded_file0308.exe 87 PID 3032 wrote to memory of 1244 3032 66ae9cc050ded_file0308.exe 87 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 
1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1244 wrote to memory of 4812 1244 66ae9cc050ded_file0308.exe 90 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 2080 1220 armadegon.exe 91 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1220 wrote to memory of 4540 1220 armadegon.exe 92 PID 1380 wrote to memory of 1444 1380 4363463463464363463463463.exe 93 PID 1380 wrote to memory of 1444 1380 4363463463464363463463463.exe 93 PID 1380 wrote to memory of 1444 1380 4363463463464363463463463.exe 93 PID 1380 wrote to memory of 4700 1380 4363463463464363463463463.exe 94 PID 1380 wrote to memory of 4700 1380 4363463463464363463463463.exe 94 PID 1380 wrote to memory of 4700 1380 4363463463464363463463463.exe 94 PID 1380 wrote to memory of 
724 1380 4363463463464363463463463.exe 95 PID 1380 wrote to memory of 724 1380 4363463463464363463463463.exe 95 PID 724 wrote to memory of 2772 724 VIZSPLOIT.exe 97 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\Explorer.EXE (PID 3356)
  Command line: C:\Windows\Explorer.EXE

    C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe (PID 1380)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Files\8_Ball_Pool_Cheto.exe (PID 4352)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\8_Ball_Pool_Cheto.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe (PID 3396)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe (PID 3032)
              Command line: "C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\icacls.exe (PID 360)
                  Command line: icacls "C:\Users\Admin\AppData\Local\55b3248f-55f7-4b86-b7f2-584a50a00954" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                  - Modifies file permissions
                  - System Location Discovery: System Language Discovery

                C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe (PID 1244)
                  Command line: "C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe" --Admin IsNotAutoStart IsNotTask
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe (PID 4812)
                      Command line: "C:\Users\Admin\AppData\Local\Temp\Files\66ae9cc050ded_file0308.exe" --Admin IsNotAutoStart IsNotTask
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe (PID 1220)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe (PID 2080)
              Command line: "C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"
              - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe (PID 4540)
              Command line: "C:\Users\Admin\AppData\Local\Temp\Files\armadegon.exe"
              - Executes dropped EXE
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery

                C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe (PID 4800)
                  Command line: "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

                    C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe (PID 3144)
                      Command line: "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
                      - Executes dropped EXE

                    C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe (PID 2724)
                      Command line: "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
                      - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\Files\098.exe (PID 1444)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\098.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3372)
              Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1208)
              Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4568)
              Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4848)
              Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"

                C:\Windows\SysWOW64\WerFault.exe (PID 420)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1228
                  - Program crash

                C:\Windows\SysWOW64\WerFault.exe (PID 3244)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 560
                  - Program crash

        C:\Users\Admin\AppData\Local\Temp\Files\Suselx.exe (PID 4700)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\Suselx.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 3240)
              Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
              - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\WerFault.exe (PID 3504)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 560
                  - Program crash

                C:\Windows\SysWOW64\WerFault.exe (PID 1572)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 560
                  - Program crash

        C:\Users\Admin\AppData\Local\Temp\Files\VIZSPLOIT.exe (PID 724)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\VIZSPLOIT.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe (PID 2772)
              Command line: C:\Windows\system32\cmd.exe /c mode con cols=85

                C:\Windows\system32\mode.com (PID 2076)
                  Command line: mode con cols=85

            C:\Windows\system32\cmd.exe (PID 2460)
              Command line: C:\Windows\system32\cmd.exe /c mode con lines=25

                C:\Windows\system32\mode.com (PID 1592)
                  Command line: mode con lines=25

            C:\Windows\system32\cmd.exe (PID 3792)
              Command line: C:\Windows\system32\cmd.exe /c TITLE Visploit

        C:\Users\Admin\AppData\Local\Temp\Files\mountain-pasture.exe (PID 2468)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\mountain-pasture.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4568)
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2076)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffecdb23cb8,0x7ffecdb23cc8,0x7ffecdb23cd8

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4716)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3520)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
                  - Suspicious behavior: EnumeratesProcesses

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 244)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1920)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1608)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1828)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2200)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
                  - Suspicious behavior: EnumeratesProcesses

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1512)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4592)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2468)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1672)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

                C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 1560)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
                  - Suspicious behavior: EnumeratesProcesses

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1128)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1232 /prefetch:2
                  - Suspicious behavior: EnumeratesProcesses

                C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1428)
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15813634323176199920,14621959541260173332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

        C:\Users\Admin\AppData\Local\Temp\Files\r.exe (PID 3396)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory

            C:\Windows\sysmablsvr.exe (PID 4980)
              Command line: C:\Windows\sysmablsvr.exe
              - Modifies security service
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification

                C:\Users\Admin\AppData\Local\Temp\159604083.exe (PID 2040)
                  Command line: C:\Users\Admin\AppData\Local\Temp\159604083.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe (PID 1704)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
          - Executes dropped EXE
          - Loads dropped DLL

        C:\Users\Admin\AppData\Local\Temp\Files\11.exe (PID 1624)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery

            C:\Windows\sysarddrvs.exe (PID 1684)
              Command line: C:\Windows\sysarddrvs.exe
              - Modifies security service
              - Windows security bypass
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: SetClipboardViewer

                C:\Windows\SysWOW64\cmd.exe (PID 3832)
                  Command line: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2200)
                      Command line: powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
                      - Command and Scripting Interpreter: PowerShell
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\cmd.exe (PID 1112)
                  Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
                  - System Location Discovery: System Language Discovery

                    C:\Windows\SysWOW64\sc.exe (PID 3144)
                      Command line: sc stop UsoSvc
                      - Launches sc.exe
                      - System Location Discovery: System Language Discovery

                    C:\Windows\SysWOW64\sc.exe (PID 3208)
                      Command line: sc stop WaaSMedicSvc
                      - Launches sc.exe
                      - System Location Discovery: System Language Discovery

                    C:\Windows\SysWOW64\sc.exe (PID 2100)
                      Command line: sc stop wuauserv
                      - Launches sc.exe

                    C:\Windows\SysWOW64\sc.exe (PID 1504)
                      Command line: sc stop DoSvc
                      - Launches sc.exe

                    C:\Windows\SysWOW64\sc.exe (PID 328)
                      Command line: sc stop BITS
                      - Launches sc.exe

                C:\Users\Admin\AppData\Local\Temp\313465787.exe (PID 1924)
                  Command line: C:\Users\Admin\AppData\Local\Temp\313465787.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe (PID 1988)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\Files\t1.exe (PID 1872)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\Files\updater.exe (PID 2908)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\updater.exe"
          - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\Files\updater.exe (PID 408)
              Command line: "C:\Users\Admin\AppData\Local\Temp\Files\updater.exe"
              - Executes dropped EXE
              - Loads dropped DLL

        C:\Users\Admin\AppData\Local\Temp\Files\t2.exe (PID 2644)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\Files\pp.exe (PID 3812)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\Files\autoupdate.exe (PID 2844)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\autoupdate.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe (PID 2004)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\Files\test.exe (PID 4388)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
          - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\onefile_4388_133700460751985212\test.exe (PID 2424)
              Command line: "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
              - Executes dropped EXE
              - Loads dropped DLL

                C:\Windows\system32\cmd.exe (PID 2952)
                  Command line: C:\Windows\system32\cmd.exe /c "ver"

        C:\Users\Admin\AppData\Local\Temp\Files\s.exe (PID 3932)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe (PID 1796)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe"
          - Executes dropped EXE
          - Adds Run key to start application

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\explorer.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4000
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\explorer"4⤵
- Scheduled Task/Job: Scheduled Task
PID:4848
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe"C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4104
-
-
C:\ProgramData\qjvgpo\xsom.exe"C:\ProgramData\qjvgpo\xsom.exe"4⤵
- System Location Discovery: System Language Discovery
PID:8528
-
-
C:\ProgramData\qjvgpo\xsom.exe"C:\ProgramData\qjvgpo\xsom.exe"4⤵
- System Location Discovery: System Language Discovery
PID:8244
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\t.exe"C:\Users\Admin\AppData\Local\Temp\Files\t.exe"3⤵
- Executes dropped EXE
PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe"C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1604 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\stealc_valenciga.exe" & del "C:\ProgramData\*.dll"" & exit4⤵
- System Location Discovery: System Language Discovery
PID:4820 -
C:\Windows\SysWOW64\timeout.exetimeout /t 55⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1168
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\notebyx.exe"C:\Users\Admin\AppData\Local\Temp\Files\notebyx.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4944 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Files\notebyx.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2436
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66b2871b47a8b_uhigdbf.exe"C:\Users\Admin\AppData\Local\Temp\Files\66b2871b47a8b_uhigdbf.exe"3⤵
- Executes dropped EXE
PID:4044 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "4⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.execlamer.exe -priverdD5⤵
- Executes dropped EXE
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fseawd.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2256
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\1.exe"C:\Users\Admin\AppData\Local\Temp\Files\1.exe"3⤵
- Executes dropped EXE
PID:2412
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"C:\Users\Admin\AppData\Local\Temp\Files\tt.exe"3⤵
- Executes dropped EXE
PID:4736
-
-
C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"3⤵
- Executes dropped EXE
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"C:\Users\Admin\AppData\Local\Temp\Files\2020.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3624 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"5⤵PID:1064
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\m.exe"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66c0f6e668215_stealc_test.exe"C:\Users\Admin\AppData\Local\Temp\Files\66c0f6e668215_stealc_test.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3160 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3868 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEHJKFCGHID.exe"5⤵
- System Location Discovery: System Language Discovery
PID:6988 -
C:\Users\AdminEHJKFCGHID.exe"C:\Users\AdminEHJKFCGHID.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6500 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- Checks processor information in registry
PID:6492 -
C:\ProgramData\EGHJKFHJJJ.exe"C:\ProgramData\EGHJKFHJJJ.exe"8⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵PID:5844
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 128010⤵
- Program crash
PID:1060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 125610⤵
- Program crash
PID:4712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 132810⤵
- Program crash
PID:3028
-
-
-
-
C:\ProgramData\BKEBFHIJEC.exe"C:\ProgramData\BKEBFHIJEC.exe"8⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6332 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"9⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:5868
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KFIDAFBFBKFH" & exit8⤵PID:6560
-
C:\Windows\SysWOW64\timeout.exetimeout /t 109⤵
- Delays execution with timeout.exe
PID:4448
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminEHDAAECAEB.exe"5⤵
- System Location Discovery: System Language Discovery
PID:7120 -
C:\Users\AdminEHDAAECAEB.exe"C:\Users\AdminEHDAAECAEB.exe"6⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5812 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵PID:6208
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵PID:6984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵PID:7068
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
PID:5916 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 12968⤵
- Program crash
PID:6100
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66b4b10e9ef0b_stealc_default.exe"C:\Users\Admin\AppData\Local\Temp\Files\66b4b10e9ef0b_stealc_default.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4432 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 12884⤵
- Program crash
PID:7940
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66bf3574eb3f2_FocusesAttempted.exe"C:\Users\Admin\AppData\Local\Temp\Files\66bf3574eb3f2_FocusesAttempted.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Shaped Shaped.cmd & Shaped.cmd & exit4⤵
- System Location Discovery: System Language Discovery
PID:3108 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6988
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"5⤵PID:5700
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6236
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"5⤵
- System Location Discovery: System Language Discovery
PID:5428
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2775325⤵
- System Location Discovery: System Language Discovery
PID:6184
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "FiguresNeonDownloadableGmt" Lynn5⤵
- System Location Discovery: System Language Discovery
PID:1108
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Gc + ..\Invasion + ..\Fit + ..\Libs + ..\Reader + ..\Wizard + ..\Plans + ..\Breeds + ..\Rare + ..\Census + ..\Ve + ..\Bd + ..\Configured + ..\Safety + ..\Accounts P5⤵
- System Location Discovery: System Language Discovery
PID:6056
-
-
C:\Users\Admin\AppData\Local\Temp\277532\Forestry.pifForestry.pif P5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:5840
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵PID:5540
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\ApertureLab.exe"C:\Users\Admin\AppData\Local\Temp\Files\ApertureLab.exe"3⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:200 -
C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe"C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:752
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\jp.exe"C:\Users\Admin\AppData\Local\Temp\Files\jp.exe"3⤵PID:1064
-
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exe"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"3⤵PID:1492
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\590F.tmp\5910.tmp\5911.bat C:\Users\Admin\AppData\Local\Temp\Files\random.exe"4⤵PID:1116
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"5⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffeb907cc40,0x7ffeb907cc4c,0x7ffeb907cc586⤵PID:4760
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1844 /prefetch:26⤵PID:6540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1988,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2156 /prefetch:36⤵PID:6560
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2264 /prefetch:86⤵PID:6588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3124 /prefetch:16⤵PID:6180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3168 /prefetch:16⤵PID:6192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3568,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:36⤵PID:5604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4316,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4624 /prefetch:36⤵PID:4712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5028,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5044 /prefetch:86⤵
- Drops file in System32 directory
PID:9172
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4884,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4872 /prefetch:86⤵PID:6252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,5733239215060371276,6528887259868310033,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4796 /prefetch:86⤵PID:7580
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"5⤵PID:2224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffecdb23cb8,0x7ffecdb23cc8,0x7ffecdb23cd86⤵PID:2900
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"5⤵PID:4116
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4352 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc4d1f43-831d-4625-bd62-c02110be7584} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" gpu7⤵PID:5368
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3df13833-2833-4ccd-abe6-5f06d9f6c400} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" socket7⤵PID:6780
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3244 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3232 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b88e484-04fe-4fef-9727-5e4c59191264} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab7⤵PID:6604
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {296944ae-2eb6-442d-87be-30e5631b63da} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab7⤵PID:7152
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5000 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 5008 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed7b0329-d7e5-4af9-b914-41d80b083c3a} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" utility7⤵
- Checks processor information in registry
PID:5956
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 3 -isForBrowser -prefsHandle 5576 -prefMapHandle 5512 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {831daf03-8dc6-4caf-a917-37f1bcd40662} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab7⤵PID:6908
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5888 -childID 4 -isForBrowser -prefsHandle 5968 -prefMapHandle 5964 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf1a80a-e394-47d6-8523-814deac4819a} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab7⤵PID:6952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 5 -isForBrowser -prefsHandle 6076 -prefMapHandle 6080 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {480c50eb-061b-4f22-94bf-930ea06a4fb5} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab7⤵PID:2292
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 6 -isForBrowser -prefsHandle 6108 -prefMapHandle 6112 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1627b126-d319-40ce-93ec-5a6a4ee4ef8c} 4352 "\\.\pipe\gecko-crash-server-pipe.4352" tab7⤵PID:6760
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe"C:\Users\Admin\AppData\Local\Temp\Files\66c3721bc46fe_Ernrnmkio.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5132
-
-
C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"3⤵
- System Location Discovery: System Language Discovery
PID:6304
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66b38609432fa_sosusion.exe"C:\Users\Admin\AppData\Local\Temp\Files\66b38609432fa_sosusion.exe"3⤵
- Suspicious use of SetThreadContext
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\乂婎Z"C:\Users\Admin\AppData\Local\Temp\乂婎Z"4⤵PID:7028
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe"C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe"3⤵PID:7312
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"3⤵PID:1264
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66c9dc4089598_update.exe"C:\Users\Admin\AppData\Local\Temp\Files\66c9dc4089598_update.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:8364 -
C:\Users\Admin\AppData\Local\Temp\Files\66c9dc4089598_update.exe"C:\Users\Admin\AppData\Local\Temp\Files\66c9dc4089598_update.exe"4⤵PID:8420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8420 -s 10645⤵
- Program crash
PID:8592
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8420 -s 6445⤵
- Program crash
PID:8616
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66af45d13a3cb_xincz.exe"C:\Users\Admin\AppData\Local\Temp\Files\66af45d13a3cb_xincz.exe"3⤵PID:8520
-
-
C:\Users\Admin\AppData\Local\Temp\Files\66b623c3b1dcb_Mowdiewart.exe"C:\Users\Admin\AppData\Local\Temp\Files\66b623c3b1dcb_Mowdiewart.exe"3⤵
- Suspicious use of SetThreadContext
PID:7220 -
C:\Users\Admin\AppData\Local\Temp\Files\66b623c3b1dcb_Mowdiewart.exeC:\Users\Admin\AppData\Local\Temp\Files\66b623c3b1dcb_Mowdiewart.exe4⤵
- System Location Discovery: System Language Discovery
PID:6404
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Team.exe"C:\Users\Admin\AppData\Local\Temp\Files\Team.exe"3⤵PID:7372
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Instructors" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CloudShift Dynamics\CloudPilot.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
PID:6528 -
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Instructors" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CloudShift Dynamics\CloudPilot.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:6984
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CloudPilot.url" & echo URL="C:\Users\Admin\AppData\Local\CloudShift Dynamics\CloudPilot.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CloudPilot.url" & exit2⤵
- Drops startup file
PID:6184
-
-
C:\Users\Admin\AppData\Local\Temp\277532\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\277532\RegAsm.exe2⤵
- System Location Discovery: System Language Discovery
PID:6564
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4848 -ip 48481⤵PID:2028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4848 -ip 48481⤵PID:4716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3240 -ip 32401⤵PID:792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3240 -ip 32401⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exeC:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"2⤵
- Executes dropped EXE
PID:8
-
-
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"2⤵
- Executes dropped EXE
PID:2644
-
-
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"2⤵
- Executes dropped EXE
PID:3232
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2512
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exeC:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    - Executes dropped EXE
    PID:2460

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    - Executes dropped EXE
    PID:1916
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    - Executes dropped EXE
    PID:4736

C:\Users\Admin\explorer
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2644
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    - Executes dropped EXE
    PID:1848

C:\ProgramData\oljjgu\opswgxt.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360

C:\Users\Admin\explorer
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1504
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    - Executes dropped EXE
    PID:2500

C:\Users\Admin\explorer
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1416
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:6956

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID:6404

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5916 -ip 5916
PID:5880

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5916 -ip 5916
PID:6220

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5948 -ip 5948
PID:5456

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5948 -ip 5948
PID:5540

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5948 -ip 5948
PID:6496

C:\ProgramData\qjvgpo\xsom.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:7236

C:\Users\Admin\explorer
PID:7280

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:8048
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:7640

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4432 -ip 4432
PID:7916

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 8420 -ip 8420
PID:7180

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 8420 -ip 8420
PID:8584

C:\ProgramData\qjvgpo\xsom.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:7768

C:\Users\Admin\explorer
PID:7620

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- Suspicious use of SetThreadContext
PID:8168
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:7640

C:\ProgramData\qjvgpo\xsom.exe
PID:868

C:\Users\Admin\explorer
PID:5836

C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe
- System Location Discovery: System Language Discovery
PID:7304
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:5320
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:7740
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:1360
    "C:\Users\Admin\AppData\Local\Temp\69c36458f5\ednfosi.exe"
    PID:6352

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID:7444

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
PID:8088
Network
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (1)
  - Service Execution (1)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (3)
  - Disable or Modify Tools (2)
- Modify Registry (5)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads
-
Filesize
6KB
MD5cfb7fbf1d4b077a0e74ed6e9aab650a8
SHA1a91cfbcc9e67e8f4891dde04e7d003fc63b7d977
SHA256d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0
SHA512b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785
-
Filesize
6.7MB
MD5527c1c5841fd2fd71c52ab28c7f23dde
SHA189e3ffb22a93326c8eabb260861d28f768369246
SHA256712c4b8dec4f54698e0bab7f9e994438fceab73c0fe120ef60ee8d9b8b1b8088
SHA512a34bf0748522fb2e9390ca98b4d377e7078128077d9f826ec4df22f7a0125b61322333daf698fe2a790523825eef1e6794b61e0ec27c0e53be9f161b3d3090df
-
Filesize
44KB
MD57d46ea623eba5073b7e3a2834fe58cc9
SHA129ad585cdf812c92a7f07ab2e124a0d2721fe727
SHA2564ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5
SHA512a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca
-
Filesize
16KB
MD5e7d405eec8052898f4d2b0440a6b72c9
SHA158cf7bfcec81faf744682f9479b905feed8e6e68
SHA256b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
SHA512324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD5d753362649aecd60ff434adf171a4e7f
SHA13b752ad064e06e21822c8958ae22e9a6bb8cf3d0
SHA2568f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
SHA51241bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d
-
Filesize
623B
MD54ce3693cf85438339a173071fbe2281a
SHA165cafac1056cda4d8a960b2de279dfe8be8429e0
SHA256ad39edc563664a99a06df0b4760a9f3d88244534823089f6d1b790af6e8287ea
SHA512de13013493898b3f93c16802f0c612e6365e697667f1d8eb1d0afde4c5a26a4272e046519fa5379fb8e6ebe0fe3632ec3c3bb6367f295dd41dbe8c54733aa907
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
Filesize6KB
MD5245d49ada4ac6e76e13550fc9b7f1b2c
SHA1d2ab8a0c06ff988c78fae053eb14b61dc6a4d8f6
SHA256d20697c5e88b297ca9330b5de30bcd3aa2319ba13f1136d4f927f0608b540ddf
SHA512165d2b8debad358b544f68c53a09431e6b6060086ae4bf7457d672bdb69ebe1b3c315eea97740c121b6f4981a6c7b17a23e88119c7b6b5a4377fdbdbc525d761
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
Filesize8KB
MD5b033dc538bec03a2af8bb002e050f0dd
SHA148e320399bdf43f577b43a513c986a9ceece8394
SHA256b7650ff401c943fb8e92f64a6e01c1d76813ff22f20cf59731a6552e2e826f16
SHA51204e88dc0ffd59d899210ce7ce6b971da3308d6498d1036b28e9258528bf7645c4ffd8a686b814ce27b03a034c093d30b3af6e30883fb3246dac6beaba0ef4fe7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
Filesize13KB
MD51a891aeb8622e78e97303fcd5edfeac5
SHA17c3fe1d08097558f791f1e08095cd44f17e7eb98
SHA25611060e82002feb2cf12db23903c801e093e78dd8ac3e502d5ee3584e1ed803c2
SHA51217c6ecbb15c34de83b684697466decd291199b4c15807e077971ade7fdaec537065aaedc86ec50fefc0611afc74fa683efb2eceeddf0484622b62455b355f057
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\AlternateServices.bin
Filesize16KB
MD51d87bf9847973325e546d3ef33a3b693
SHA15ed429a6234f8438e58f83988f8157fd3b16ab1a
SHA256b44b4ddf2e71c195ebfcf8989628357e9d40d7d7fbd1d73d3203f45908ca9257
SHA512120db8ad5e3ad31066a42d469d05fb46f3fa9864066234474f37834c2c47b1f55a64dd4c5f425bf98cb82a427b5f7d35b07ec4f2a1bf734935881484014ffc6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD508ef323a86a784f90c464cc8eec27f38
SHA18e25456b4d222261212dfcd63c03d36ddba4ce9b
SHA2565396d0b8c7f29154773ccbd9293c7c18abaecf72cd8fbf3d1b2c11dddb56707c
SHA512a91733f89d2506d7932fc56238e306b9cbe4c421517ec105cdf5f1a2fb43c8cf840bdc8f5d56cd4d90f3e086fe040acfb2fd30aa8485bf8c375720ccdbae52dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD54ab3428a2b59aa58c5d5512fffb1e526
SHA1f94e3ffe0e0a982bb7700eb5d71a4256454b2717
SHA256b180c2893741bc49f865419e5c63a569e79178a43eb433c254d6d3d295ec68f8
SHA51218b9e36641daeaf2a15d5cf49d6057eceaf675fcc58a3901f6974e274655d1dddd5d9a1debe6bca99e96f2ca3cf409a9c35d3d74a6c05f4fa56e0dfd85a998e3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\455f6505-8549-486f-a166-ea11be415c57
Filesize982B
MD5f028f42cdc84d3db149daf8057dfcc63
SHA1fed6e1485591941fa2da631c56ec243ead48682c
SHA256c0c86400503284d61b8f687000512f2442ccb534b72d62c6ba5c212be59ecb2c
SHA512a45af69285856024571bba67d80a2348ce3c0a3ce68a668b98ec4736bd7660dca7f7b0a2cfb4edea8d907f0157a5d7823e7c76938ae5b85f5dde5ea31cb4be2b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\cfacbc90-f705-45d9-890c-e50e81e47cd5
Filesize671B
MD5972dab9f18f75478a60f89a868eaeda9
SHA1cb75d200471d1cb548793a8a98b40c6ecc6e85fd
SHA256c51f027900f6c6582c2177035a87b3ae6aa254229926e442f325eaddac107893
SHA5121da0e2b08257d6dce72ebfd4affd0a833d4636e1f80353fb3ebfb9ab18898a03ff57279e8eb23865d892d5ec8e2945349dee661a885a4261a97254db3a74253c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\datareporting\glean\pending_pings\d055c580-7731-489c-b9e2-33c4dff353a3
Filesize25KB
MD51b6ec8c118939aba1cba0ca34eaa6064
SHA1864c71091c6d7cca06b097c41e9ade8762ff6aaa
SHA2568c289a24bff17db87fb65a08e5fe5ee447ec1c27e2e86a73261a9b7040c1c496
SHA512582281f005fd3d23aef422733bf7ab2bc037e89e935b2cd9cb101b7845bd1726694deaa629a4b6e22d4ba12f7d3db64bdba00d7a5cb7331b241ac40ab15638c0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5bec32c53ee30164ea453c4483b183ff4
SHA1204cbfc0dad28c83cbc086fe03d15dcb61ce0d34
SHA2561f28f3d2fb1151d8648565410ebe17ed68ac208f8fab0a3110846423c4c38691
SHA5120c1a67e9e494c1fbefcf2074454c61b60e66e2f228a1db84e151d7cfa08ad98c90acefcf81dbe1166264def8029ac98435fb8b835125c98f2679bfd5e84ed765
-
Filesize
12KB
MD5b099027bdcbdaa0abb43ca5fb5459135
SHA192711a9dbf413a444234f45f3ebb7edc557651e7
SHA2568e6bb0528cba6817007ed937a725aa37ef9c7934eb04f62166fec8869ed5e6f5
SHA512188a9fcf814eb29062fcbdff6c7846707ff6a2af7cf86a696b3875816c5f4c6f4a96af986cf951aa71d6734c690ee641c336f0ad031bf3a1b1f2e4772a011e63
-
Filesize
16KB
MD5565dd2a6840016c12458b28b1a5aa503
SHA1440ba33512477bedddc38be868d453df563f321b
SHA256bbe80e3f796ead05a6fcbe77744ee704ef34f3ebf4a74e7dd016a103410bc9a4
SHA512f0b5d6554593e8e664d9bd9abe4d8f578d1c9f9c5e8e7e5157f0e522f2728986683396eb43e9688efbdd41e59d95379d4f2986a85592ac484c0c98f9689f9402
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD552e88e15ed94c4b4780ab9a960e36486
SHA17d24b8c212aac0664f9826a0393acbba48be978f
SHA2563814b44e64aa0f84dcd13120cb134cdaaa8114f164415ca17cd1a8fe507159ac
SHA51233c063f713f17aad6a89a9f402a7301db8aebf3057e807aa8092353a0fb13ad8ea2f7f00ec8380b5f1a036a421ee1de44aebe98d59298434c56957624c754f09
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize376KB
MD5d1783d5af9066b03e5b2b100318a9886
SHA15b3b7cd1e62a8506265bf970d659b5fa966ed47d
SHA25641c94a266169fcc9fb5029088c7135d1be8570c95c67e068090cf83801bc67fa
SHA512ebdd7b791344e77c6c5ea4f075440f382532bec9cdf2e73dfb5077e3fc8c3867c29593b518010a2ff19519f36f993c451649c90532af3b73fdda8d40d6239f90
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9lt6socl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.0MB
MD51759514ca6c0ca631d39aa9a77564539
SHA1b801835d36d1a19a649758d0553c995ddfeb88c1
SHA256fc9ed9ba239f6237be236152b2ebb795a694a96315009718b4f52c7677bba93d
SHA512c1a7768fe7aebafcd85006fe05abdb2ddb86f1ec76960f3fda690cffff21ace9314c098d39b569791e03c2d5f896214f2c98371f4d781d41beb095e6435a39d7
-
Filesize
101KB
MD5c4f1b50e3111d29774f7525039ff7086
SHA157539c95cba0986ec8df0fcdea433e7c71b724c6
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize
3KB
MD58f585cfd4bcb25d0c06778ef82f37804
SHA13e7f6d52f672a3f17d7da0d2f141fcb44d621b0a
SHA2569fe63f3bb2d7a142c208fe8e9978b8cc2a7de22cf5256fd60581bb461614d1be
SHA512057a5c7985a9ccab37258b5f49a7bfe814b82e4bcddef200ab1ee19e78bc61c173821059e0b410cb3cb44c2dd55adc72300ed8b2908da596d64eb8ad36d1532a
-
Filesize
4KB
MD57c171c638900e6a460a9991d5c89ee75
SHA1251b0a7df959843c829926d02687702c84b3b8ec
SHA256533de9adeeb0f04c0cf8a7a35820753862beeee5e4436a7de64b730873b46c97
SHA51287fdc8150a13a3ace1eae5181cc92330614f540d6877e83c26f8fbd19e2e90d062f26eecb72eee73c8fcf2aadb41da791dec169cc7f7776b7d7d1f1a67398d20