amadey | 1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Size

1.8MB
MD5

1ffa4102583628826fa4536dbbf521a0
SHA1

c3cc8501e03cd7b7694c634bc78948dd493c6168
SHA256

1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69
SHA512

8a8b16f9b0d4073cb65fcc2c127ac1d724f5fe198ef1f80e0429b158fd7904fdaf627b4042a077bba79ab6b13c22a1e4c20712815c7850fe4b8395ee1d097c21
SSDEEP

24576:0ecBq+jT6+HkDP6KYigqqUpqjNdoBnMz45cRBTjUW8+AqaOeIJNJ472db8Onu9I7:sVTSDCIgqqmqb4qAnXoJ47Sb8OoIKjS

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

cryptbot

analforeverlovyu.top

tventyvf20vt.top

Attributes

url_path
/v1/upload.php

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral2/memory/5476-791-0x0000000069CC0000-0x000000006A377000-memory.dmp	family_cryptbot_v3

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023bcb-124.dat	family_redline
behavioral2/memory/964-138-0x0000000000A20000-0x0000000000A72000-memory.dmp	family_redline
behavioral2/memory/4768-304-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bbb562ac28.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	23516ace46.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c806c02133.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	746002aa3e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	746002aa3e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	23516ace46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bbb562ac28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bbb562ac28.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	746002aa3e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	23516ace46.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c806c02133.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c806c02133.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	sadsay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c806c02133.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	processclass.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	context.exe

Executes dropped EXE 31 IoCs

pid	Process
4980	axplong.exe
4824	gold.exe
2576	legas.exe
3140	FzNmWHG0dg.exe
1460	G4jsKSqId2.exe
4800	stealc_default2.exe
964	newbundle2.exe
4708	bbb562ac28.exe
4444	c806c02133.exe
2392	skotes.exe
5032	MK.exe
4628	Nework.exe
4944	Hkbsse.exe
1608	processclass.exe
888	splwow64.exe
2952	b41b7e7c2c.exe
880	num.exe
5476	sadsay.exe
980	746002aa3e.exe
5968	Set-up.exe
5268	23516ace46.exe
5748	Hkbsse.exe
5732	skotes.exe
5804	axplong.exe
6004	context.exe
452	out.exe
2952	service123.exe
1440	Hkbsse.exe
6104	skotes.exe
3228	axplong.exe
4364	service123.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	746002aa3e.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	bbb562ac28.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	c806c02133.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	23516ace46.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine	skotes.exe

Loads dropped DLL 4 IoCs

pid	Process
4800	stealc_default2.exe
4800	stealc_default2.exe
2952	service123.exe
4364	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\746002aa3e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349001\\746002aa3e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\23516ace46.exe = "C:\\Users\\Admin\\1000350002\\23516ace46.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbb562ac28.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\bbb562ac28.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c806c02133.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\c806c02133.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b41b7e7c2c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000332001\\b41b7e7c2c.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023c70-408.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
4980	axplong.exe
4708	bbb562ac28.exe
4444	c806c02133.exe
2392	skotes.exe
980	746002aa3e.exe
5268	23516ace46.exe
5732	skotes.exe
5804	axplong.exe
6104	skotes.exe
3228	axplong.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 1368	4824	gold.exe	88
PID 2576 set thread context of 3036	2576	legas.exe	93
PID 5032 set thread context of 4768	5032	MK.exe	108
PID 888 set thread context of 5900	888	splwow64.exe	175
PID 6004 set thread context of 4872	6004	context.exe	185

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
File created	C:\Windows\Tasks\skotes.job	c806c02133.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3716	4824	WerFault.exe	87
2680	2576	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	746002aa3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b41b7e7c2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sadsay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbb562ac28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23516ace46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c806c02133.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sadsay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sadsay.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1516	timeout.exe
3984	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	269	Go-http-client/1.1

Kills process with taskkill 12 IoCs

evasion

pid	Process
4472	taskkill.exe
4044	taskkill.exe
5404	taskkill.exe
2576	taskkill.exe
5116	taskkill.exe
1616	taskkill.exe
5464	taskkill.exe
5752	taskkill.exe
1804	taskkill.exe
2240	taskkill.exe
4100	taskkill.exe
264	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	newbundle2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	newbundle2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
4980	axplong.exe
4980	axplong.exe
4800	stealc_default2.exe
4800	stealc_default2.exe
4708	bbb562ac28.exe
4708	bbb562ac28.exe
1460	G4jsKSqId2.exe
1460	G4jsKSqId2.exe
3140	FzNmWHG0dg.exe
3140	FzNmWHG0dg.exe
4444	c806c02133.exe
4444	c806c02133.exe
2392	skotes.exe
2392	skotes.exe
4800	stealc_default2.exe
4800	stealc_default2.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
4768	RegAsm.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
980	746002aa3e.exe
980	746002aa3e.exe
5268	23516ace46.exe
5268	23516ace46.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
5732	skotes.exe
5732	skotes.exe
5804	axplong.exe
5804	axplong.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
452	out.exe
452	out.exe
452	out.exe
452	out.exe
452	out.exe
452	out.exe
452	out.exe
452	out.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1460	G4jsKSqId2.exe
Token: SeSecurityPrivilege	1460	G4jsKSqId2.exe
Token: SeSecurityPrivilege	1460	G4jsKSqId2.exe
Token: SeSecurityPrivilege	1460	G4jsKSqId2.exe
Token: SeSecurityPrivilege	1460	G4jsKSqId2.exe
Token: SeBackupPrivilege	3140	FzNmWHG0dg.exe
Token: SeSecurityPrivilege	3140	FzNmWHG0dg.exe
Token: SeSecurityPrivilege	3140	FzNmWHG0dg.exe
Token: SeSecurityPrivilege	3140	FzNmWHG0dg.exe
Token: SeSecurityPrivilege	3140	FzNmWHG0dg.exe
Token: SeDebugPrivilege	3140	FzNmWHG0dg.exe
Token: SeDebugPrivilege	1460	G4jsKSqId2.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	4472	taskkill.exe
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	2292	firefox.exe
Token: SeDebugPrivilege	2292	firefox.exe
Token: SeDebugPrivilege	4768	RegAsm.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	5404	taskkill.exe
Token: SeDebugPrivilege	5464	taskkill.exe
Token: SeDebugPrivilege	5752	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1608	processclass.exe
Token: SeDebugPrivilege	2096	firefox.exe
Token: SeDebugPrivilege	2096	firefox.exe
Token: SeDebugPrivilege	888	splwow64.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	6004	context.exe
Token: SeDebugPrivilege	2240	taskkill.exe
Token: SeDebugPrivilege	452	out.exe
Token: SeIncreaseQuotaPrivilege	5448	wmic.exe
Token: SeSecurityPrivilege	5448	wmic.exe
Token: SeTakeOwnershipPrivilege	5448	wmic.exe
Token: SeLoadDriverPrivilege	5448	wmic.exe
Token: SeSystemProfilePrivilege	5448	wmic.exe
Token: SeSystemtimePrivilege	5448	wmic.exe
Token: SeProfSingleProcessPrivilege	5448	wmic.exe
Token: SeIncBasePriorityPrivilege	5448	wmic.exe
Token: SeCreatePagefilePrivilege	5448	wmic.exe
Token: SeBackupPrivilege	5448	wmic.exe
Token: SeRestorePrivilege	5448	wmic.exe
Token: SeShutdownPrivilege	5448	wmic.exe
Token: SeDebugPrivilege	5448	wmic.exe
Token: SeSystemEnvironmentPrivilege	5448	wmic.exe
Token: SeRemoteShutdownPrivilege	5448	wmic.exe
Token: SeUndockPrivilege	5448	wmic.exe
Token: SeManageVolumePrivilege	5448	wmic.exe
Token: 33	5448	wmic.exe
Token: 34	5448	wmic.exe
Token: 35	5448	wmic.exe
Token: 36	5448	wmic.exe
Token: SeIncreaseQuotaPrivilege	5448	wmic.exe
Token: SeSecurityPrivilege	5448	wmic.exe
Token: SeTakeOwnershipPrivilege	5448	wmic.exe
Token: SeLoadDriverPrivilege	5448	wmic.exe
Token: SeSystemProfilePrivilege	5448	wmic.exe
Token: SeSystemtimePrivilege	5448	wmic.exe
Token: SeProfSingleProcessPrivilege	5448	wmic.exe
Token: SeIncBasePriorityPrivilege	5448	wmic.exe
Token: SeCreatePagefilePrivilege	5448	wmic.exe
Token: SeBackupPrivilege	5448	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
4444	c806c02133.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2952	b41b7e7c2c.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2952	b41b7e7c2c.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2952	b41b7e7c2c.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2952	b41b7e7c2c.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2292	firefox.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2952	b41b7e7c2c.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2096	firefox.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe
2952	b41b7e7c2c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2292	firefox.exe
2096	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4980	4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe	86
PID 4224 wrote to memory of 4980	4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe	86
PID 4224 wrote to memory of 4980	4224	1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe	86
PID 4980 wrote to memory of 4824	4980	axplong.exe	87
PID 4980 wrote to memory of 4824	4980	axplong.exe	87
PID 4980 wrote to memory of 4824	4980	axplong.exe	87
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4824 wrote to memory of 1368	4824	gold.exe	88
PID 4980 wrote to memory of 2576	4980	axplong.exe	92
PID 4980 wrote to memory of 2576	4980	axplong.exe	92
PID 4980 wrote to memory of 2576	4980	axplong.exe	92
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 2576 wrote to memory of 3036	2576	legas.exe	93
PID 3036 wrote to memory of 3140	3036	MSBuild.exe	96
PID 3036 wrote to memory of 3140	3036	MSBuild.exe	96
PID 3036 wrote to memory of 1460	3036	MSBuild.exe	97
PID 3036 wrote to memory of 1460	3036	MSBuild.exe	97
PID 4980 wrote to memory of 4800	4980	axplong.exe	98
PID 4980 wrote to memory of 4800	4980	axplong.exe	98
PID 4980 wrote to memory of 4800	4980	axplong.exe	98
PID 4980 wrote to memory of 964	4980	axplong.exe	99
PID 4980 wrote to memory of 964	4980	axplong.exe	99
PID 4980 wrote to memory of 964	4980	axplong.exe	99
PID 4980 wrote to memory of 4708	4980	axplong.exe	103
PID 4980 wrote to memory of 4708	4980	axplong.exe	103
PID 4980 wrote to memory of 4708	4980	axplong.exe	103
PID 4980 wrote to memory of 4444	4980	axplong.exe	104
PID 4980 wrote to memory of 4444	4980	axplong.exe	104
PID 4980 wrote to memory of 4444	4980	axplong.exe	104
PID 4444 wrote to memory of 2392	4444	c806c02133.exe	105
PID 4444 wrote to memory of 2392	4444	c806c02133.exe	105
PID 4444 wrote to memory of 2392	4444	c806c02133.exe	105
PID 4980 wrote to memory of 5032	4980	axplong.exe	106
PID 4980 wrote to memory of 5032	4980	axplong.exe	106
PID 4980 wrote to memory of 5032	4980	axplong.exe	106
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 5032 wrote to memory of 4768	5032	MK.exe	108
PID 4980 wrote to memory of 4628	4980	axplong.exe	110
PID 4980 wrote to memory of 4628	4980	axplong.exe	110
PID 4980 wrote to memory of 4628	4980	axplong.exe	110
PID 4628 wrote to memory of 4944	4628	Nework.exe	111
PID 4628 wrote to memory of 4944	4628	Nework.exe	111
PID 4628 wrote to memory of 4944	4628	Nework.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
"C:\Users\Admin\AppData\Local\Temp\1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 296
      4⤵
      Program crash
      PID:3716
- - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Users\Admin\AppData\Roaming\FzNmWHG0dg.exe
        
        "C:\Users\Admin\AppData\Roaming\FzNmWHG0dg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3140
    - - C:\Users\Admin\AppData\Roaming\G4jsKSqId2.exe
        
        "C:\Users\Admin\AppData\Roaming\G4jsKSqId2.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 264
      4⤵
      Program crash
      PID:2680
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:964
- - C:\Users\Admin\AppData\Local\Temp\1000354001\bbb562ac28.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\bbb562ac28.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4708
- - C:\Users\Admin\AppData\Local\Temp\1000355001\c806c02133.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\c806c02133.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2392
    - - C:\Users\Admin\AppData\Local\Temp\1000332001\b41b7e7c2c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000332001\b41b7e7c2c.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2952
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:4060
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0694f31b-5a87-4861-af65-c2d5ac21fab2} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" gpu
        8⤵
        
        PID:3076
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c47987a0-22ce-4ba2-87bb-0aa687afb0d2} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" socket
        8⤵
        
        PID:5084
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3152 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb57bb60-aa9f-48c3-a17e-6d8830bda9c9} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" tab
        8⤵
        
        PID:1120
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3980 -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21ebee3f-5065-451f-8961-3a93f22eb07a} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" tab
        8⤵
        
        PID:1128
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4684 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae4f903-aa6c-45f7-b87e-2062be44168d} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" utility
        8⤵
        Checks processor information in registry
        
        PID:5288
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 5172 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6b047e2-701c-4952-9b9d-f455cf9f3607} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" tab
        8⤵
        
        PID:6044
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 4 -isForBrowser -prefsHandle 5420 -prefMapHandle 5416 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48c3f7ea-77ed-4482-a90e-7575bd4a2b8d} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" tab
        8⤵
        
        PID:6056
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5316 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 964 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d60cb0-06a1-47b3-a551-59ae1f7df977} 2292 "\\.\pipe\gecko-crash-server-pipe.2292" tab
        8⤵
        
        PID:6068
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5404
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:4344
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1960 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23737 -prefMapSize 244710 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffcb17cb-32ff-44f1-a160-4472990b0226} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" gpu
        8⤵
        
        PID:5536
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24657 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4f66a6f-6005-4095-bd33-8e2b9aa2bde5} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" socket
        8⤵
        
        PID:2688
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3200 -prefsLen 22652 -prefMapSize 244710 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09c42f30-69c7-41ba-820a-baeae6f9d5c1} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" tab
        8⤵
        
        PID:5608
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3188 -prefsLen 29090 -prefMapSize 244710 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d37e582-3be4-473d-97b9-5161ff685ac2} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" tab
        8⤵
        
        PID:5196
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4740 -prefsLen 29144 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79ea4cb9-034f-45d0-b68a-122128c8760e} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" utility
        8⤵
        Checks processor information in registry
        
        PID:404
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5084 -childID 3 -isForBrowser -prefsHandle 5072 -prefMapHandle 3932 -prefsLen 26998 -prefMapSize 244710 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7fae0ab-a3e9-4e9d-b4d6-280bae08c33b} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" tab
        8⤵
        
        PID:5384
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 4 -isForBrowser -prefsHandle 5232 -prefMapHandle 5092 -prefsLen 26998 -prefMapSize 244710 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {561dae72-e0b6-460b-92f7-6e48ad6d597e} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" tab
        8⤵
        
        PID:936
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 5 -isForBrowser -prefsHandle 5432 -prefMapHandle 5436 -prefsLen 26998 -prefMapSize 244710 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af52642-b531-4c36-9951-f9050c1cf09e} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" tab
        8⤵
        
        PID:5296
    - - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:880
    - - C:\Users\Admin\AppData\Local\Temp\1000349001\746002aa3e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000349001\746002aa3e.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
    - - C:\Users\Admin\1000350002\23516ace46.exe
        
        "C:\Users\Admin\1000350002\23516ace46.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5268
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        
        PID:4060
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4768
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5476
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5096
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6004
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3984
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:888
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5364
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1516
- - C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5968
- - C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe
    "C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic nic where NetEnabled='true' get MACAddress,Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5448
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4824 -ip 4824
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2576 -ip 2576
1⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5748

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5732

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5804

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3228

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6104

C:\Users\Admin\AppData\Local\Temp\service123.exe
C:\Users\Admin\AppData\Local\Temp\/service123.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
df9c4cf2c5d569f5190ee44e50a7b373

SHA1
a76b8c8ae3642a6d6a22ef1246fb28c785563faa

SHA256
303c1b82da0b3ca72ac2214d2aa77f226c3c149b4c0f54f5c38c3d5d1240f694

SHA512
7a56ca7dad0ce72d22aac364d93ce4ae8affe452f704b29a0493cca2865b9f9d028ac484a0be5e90301f317cad91650cef3e7e2086c2d19e33f302d1d8988fce

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
71012c5483c97222d28714c3152799db

SHA1
a29222c56dfd293f838f32412a8781ab3437ee5a

SHA256
c9ec2d95c4e73dc6a180b4063974c9d74481d3e3815c6b46f97b4587449078b5

SHA512
322fe04d3c0a75e90f8c88bc0bc0d43d9a3a64b7c1809da720b664a6d62ae22fa4d51a4278baf0a5ab488cfcc5cd6a7167baa426c4534772552874f52d3edc84

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
78d946cab0b1417f4963f3fdae622598

SHA1
898877be8ff5b63c7912772febc58c0ed20d13c1

SHA256
ea8866e9fb4798a5b2a15695bf019c8ffa43f6b8e231914f8ad896dfb674a586

SHA512
38ee8a9051f602e23990c35d2331ece5703b0fd46d06297a639d5528e9b14c8b5ec129f9e196f03c04464b54e1b5db94dad6cb2a4e2e6b42e9b2c6824abe86a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
b1de1e9fd5855a3c55c211685c05ce55

SHA1
06b2b447de193d9a19f4a2ed5db14e8e90b6ae08

SHA256
281df5664adf9debf549e3f933c4eae7b7ec6e8ca7f00ba914eb193f8a324ce3

SHA512
2d616e9b1f4ae797b426ea21f12304bf0b3c3df696e068d34052f9ac983c0eb38f82a90a159489693533486c46feb2f6407892d6795956d3de9a73b98f9774d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
6991299616e6cdb678c75dda7f7b865f

SHA1
83629184b3171a316a5450294a4b04826806ce3e

SHA256
56011acff92dde9a295854d1352944e02803110835995d4f1e6f2920cc2bb11c

SHA512
277747121c1fd8b002d17154d681013741fe3ae3feb5cb3eabeeda1800d564d346c7ccded6af709687a2b85c45979bda060f42695b17d2d1d40565902c84f68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
566KB

MD5
049b6fe48a8cfb927648ad626aba5551

SHA1
9555d23104167e4fad5a178b4352831ce620b374

SHA256
b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531

SHA512
ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\fikbbm0902845.exe

Filesize
18B

MD5
174ef859dfe296a48628dc40ef8e05ed

SHA1
59a0e43e3ae9c8f638932b9cf83bf62ad91fb2b7

SHA256
84520353f099eee2117b00aa16cde461e573a835e8ddd64334efd871d4ce292c

SHA512
c6d0e9d1842a4ce05929f8941b8e30729567626cf1594f3b11958cde9347e1d8e8cde5f9f9584953122fd035fedec0b09c0bd184abc0f33eac4862d85e164ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe

Filesize
7.4MB

MD5
735bb5f55a17215700840c04a8b40a03

SHA1
55e0828c6d08653939eee2b1af8fd737e92266c4

SHA256
5ea6a5e3bc6c02cc41637028050c3738c38a07917e373637928b314c5d22f84d

SHA512
7e742677e35099d8cd4a5163eea6633e3ec7deeb4840aba1f8adad8f0022e72f7416ac6367802eceab8f9f2e9dd04e1546b141e911495d025b98575a92f3865c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\red.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000332001\b41b7e7c2c.exe

Filesize
898KB

MD5
8eb80d6a4bf81ccc902a45a404c7ed9d

SHA1
94bd95a6c577963d3608de4b659c892aa4013f84

SHA256
98cdc2aed91cb1294429e43cebfe79adfe311761db9b00ae74ce4b424e38e808

SHA512
95ccca01f61452d25c34f05525d1a2d5e63b61ce62402e06ed9d6be26aa4621041d6480ef310356fbff4dac0b311e57b03cdf3b527238a14b598def1e53696e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000349001\746002aa3e.exe

Filesize
1.8MB

MD5
8bf0d4785c3b0a19bb39b04ec92dd194

SHA1
918d36638f5fd4047d9be21b47eb1b759c7791cd

SHA256
64ebff6e8bc8771871fc410bbda0c6ceef6ffde7c01714913e69f074d3d94210

SHA512
368af90055d7d2c435f03cc0e48490c0cf672d3746d05a06ef8a7577b8d34924a0072a19937640d87a858346f83ba4cd5ed53ff5ac9d2e7ce2091aa38b60e3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\bbb562ac28.exe

Filesize
1.8MB

MD5
caf461eb8ed93f9c6693644c9a00bf91

SHA1
bde1937a55f1aba923ef6710d56585192aa29f66

SHA256
bd7cb47cbacea170edf4777a5d5d592493f8bdeb475b25cde03208bd49eae092

SHA512
ddb8711e95899cb09798f0add44805ed5aa90c1ca80e94fa73fa42568c07c9aa93dca21ff0db314fead43d84ec87583d9b8c6e7d1799daa8e3a58befdf678642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\c806c02133.exe

Filesize
1.8MB

MD5
f69f1b099abe6b8ec4d6319db86fd01d

SHA1
374021521d524c3c4e8e54937eb21b1982511277

SHA256
f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

SHA512
edc4b8d8171de84234379bb1a4658aef0c1197b584f5b035779fae7689695edf05675b3578342c893383e3b18a5bdd35cd598da3e2847873c29946414695ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe

Filesize
1.1MB

MD5
ed9393d5765529c845c623e35c1b1a34

SHA1
d3eca07f5ce0df847070d2d7fe5253067f624285

SHA256
53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

SHA512
565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe

Filesize
6.3MB

MD5
65eeea19b373583f916bf3070acbfd58

SHA1
78ce3479d5d0148ba855d89ecb48a3f0c12d9957

SHA256
c671e33f6757cef930713d2e4efeb8642177675e95fc05de92e124213022a00b

SHA512
f726327e977a85dcc3b0c217a8dacc9cd375bbe3f238558c9b9adf35233c0b4959e6014ff46bf742a7a822e4fe757d4f3bcc1e63709c6ec4c84c29c1f47483c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe

Filesize
5.5MB

MD5
f2930c61288bc55dfdf9c8b42e321006

SHA1
5ce19a53d5b4deb406943e05ec93bc3979824866

SHA256
d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603

SHA512
67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
1ffa4102583628826fa4536dbbf521a0

SHA1
c3cc8501e03cd7b7694c634bc78948dd493c6168

SHA256
1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69

SHA512
8a8b16f9b0d4073cb65fcc2c127ac1d724f5fe198ef1f80e0429b158fd7904fdaf627b4042a077bba79ab6b13c22a1e4c20712815c7850fe4b8395ee1d097c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\932230532004

Filesize
96KB

MD5
a8991c4387f8cbafe6979b1155ddf833

SHA1
698f50cff86972759b5b1b9b7f3c4f4f39c2c9c8

SHA256
cabfe360ff2f121f166bfd31510fe01a19bddb74e8e3b0596588171032c40956

SHA512
4f35aa77c9c89d91311dbc369cc372d22b253a3f2e23373b675f959d9435c0930a23c1f9f865505ec86ea5b5b964614371faad181ec287e4c20067e5739b99f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpB41D.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\FzNmWHG0dg.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
C:\Users\Admin\AppData\Roaming\G4jsKSqId2.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-493223053-2004649691-1575712786-1000\76b53b3ec448f7ccdda2063b15d2bfc3_755b0f1a-bb38-4bb2-bc7e-240c892146ee

Filesize
2KB

MD5
e450acd56541890176ffad26ab9f4d85

SHA1
4fcc8b8fd203ca789f8b7c4758bcfb4493f2be53

SHA256
181723083bffe9c29904ccccbc0e17951749cf5e6ca2f32f2fee78df2978be91

SHA512
a8a2f634b5faef4a10d05d1d6c6544a42ec190618341716790ed51d1109f594636dd60a5105860f43f47456c4141ab12ab09993c0b0f81dd67d4f2b05846186d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
16KB

MD5
08b30c8ef17f6f7e0e89bd2fb17b6643

SHA1
c6de25d8658467c5391dbd7514b8968c72ef8154

SHA256
51d2b0fd8cc7423ef638a4c77f777b5bd43847964283330688ffb4839ce06c1b

SHA512
8bcc6db82a6c5860f47388c88c1349e82156f97530ceef029080f1855ecf485179563b24d2085645f7ed7a5ff5499c08ed1e9c75047acc3c51880470936020cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
18KB

MD5
c3b7071b6c0591f9646ab8d09a33527f

SHA1
19d9a7961a20fbdadaa5880d8217778a41fe4b4b

SHA256
c84b47e5c6d224348ac5c48eb59ef61d9a38b207359afb21de0e0027c65d7e64

SHA512
57639a5e3d7876eb76e0a5be5a2e8046364cdd91670cff32ec45ce1f987146729bc36cca7cbb75a936ff0bd35fbf4e4b03765a3529d34cbc1d5c70ac60f60ac4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
8KB

MD5
c4ea50ac1b00049000e3e20c0ee5f3f9

SHA1
44d8e372c3d0a6ce00f935ceb938cfdd2347bdbe

SHA256
e866fcb8c36e3a020a5c38aa48608d75e8bec705a4c20f03a67c9864136c2eb1

SHA512
27a7c271f4c6fcae58b6fea31c8ecd031590760a70770f65aca8ebc41ba40cf779dbd1761363f0ecb39020aec94fa02a2e68aadb5836563a8f2c9961a023b873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
13KB

MD5
0f02b8af48f300b15908fb23cfe48590

SHA1
bca3c296eff781c98783a99c768721edb1a33ab0

SHA256
7b45c3f94fab9f92d7166d890dc97c9ca6335998a96b0ab36f7da6e076dccd28

SHA512
4517921ac1ee6154a97bceea2b61254099785e5d0fb8d3e197348a53f9869903986f08b81a85242d1897e768f26d06aa6c83073bd8c7dae14781cf1bc9920001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin

Filesize
13KB

MD5
420637ea6804393e9fb75d68395c890a

SHA1
157deccdf8da12bdc0814c006d9914b691d0020a

SHA256
d69b5c7893b6f59e9d756b1ef497f8bd25d24e7fc5787d0981fff24adccf84a4

SHA512
b1a69913353d570d3ac83ed9e7a6ec59f3dd6e3fcdb4d525532a396bfcdab97c037d066106a0b14959793a89a7ac4949f54f2413e39a23d64bb7a15147c9a24b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
a3bee69e9ab5c9bde95e6c56ed68df74

SHA1
445d6650f05b7acfd2b9b421359d8e6eddc737be

SHA256
934d9d97d09d02a989f98d0ce4999d128fe63ea9038700c6cc4e234a6d116f4b

SHA512
1f02884ce4b6f1e90fa613b574116983e7d8ebd05765819a3082f51fad85467a9429ec10c8ace84b208291756e2542b63674a1e0e444669316630cf2d8ed502c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cert9.db

Filesize
224KB

MD5
a07a354c01ebc1281c6629d3b3e20500

SHA1
881843a11017ec1d8d51b1686a3d3463356e002d

SHA256
c998051a07bb1aaa53f5b8efa3e17ce3f18a4602fdfc66953c464b508566a114

SHA512
fce96effbf135f434662428122beb4f75fa74b2f58995d6067065052cba4151960c2d59f81c58a3e2594a55e134d21fad508f855d367ef50481f0078d5fbe2b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cookies.sqlite-wal

Filesize
256KB

MD5
c0b42cd56a69bf75c60050bd5a7f0f94

SHA1
b5d6ae0d3eb337c8e523b56d8b0341e689ac3817

SHA256
1f0f2047e94605f490f1b5b22e6a078d200f380d50b527ddef4a1fdfde5dd466

SHA512
467b9da64e4d6aa1f3cb925463d35c14eb6c2a901d0ea46e95b8d60ce4ef16c190833cf58f15b399ffc4072f722e2600429d4b261540af7cc483712eae2f781b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
096a8f5e68e3021fa8305278e7136fde

SHA1
1f24871bf07d70960a13e57b40c70b874e797932

SHA256
83c9ae384a0cb278304e2b8d4ed70024c8367b6c8c8449c0aae54506c288072a

SHA512
488120826d72b005ac942677d005464efba3a9b99e68c4af70c9a5199c2335ed733389690ebcf9cf08c402cd65d63a884348832c909239eadb25460b6b2d0441

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
7bbfa7ffe1c777bf78220b880c0c1223

SHA1
166326e4f439db795265ba9c2254aca8c76e369d

SHA256
355adf51f7fc5ffbffcc195a42a41c08ca42476b1dbfd05f2da3a8efa3edf7ab

SHA512
d221c9fe68cbaeddeac2836b5a14a06d4e73c78f3b94988db6bfce8085782c56aebb0121f87969440a2ccb9c83baa5d5c34f7fe0667f815877df8fcc5bd45ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
d5ee737323e2482e5d874dbf08612444

SHA1
053dc848491d4bf1f0d99ab7dd4b993c2555ef0a

SHA256
048e94ee02e739541abbccfff56670923863380d23b9d6475d863007fc00c575

SHA512
625cadf2a34c5caea30bf55895d3e06b28cec7f16b9fc09dd40527cf0d0c0ecbaf663c3e8b04abd1af12700b32099ae48bf92337b14ae4c4cb485bd02a81ba10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
a6b6a5b2882a2843bf348d3ffc43d2db

SHA1
787a836871b6a95e0c3d15fd18f0904beb768b16

SHA256
1f19da8f9d28bfc25618c8b647bfa96811ce1b5938b7ed34377d278345e2ac1d

SHA512
c8e5b7a224948b1749e778acefb090ef923fc666bf0e02096294c8c19c9d2e24ca1312c37c4d9f6c8f358699dc0b0383381620f16688584c15861164f4e211ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
f391fca51106aac7daf9dbab53db808e

SHA1
c0bc3b872620a65539f2569fea8c42dc2c49d91d

SHA256
c42add92c428de88a6d8a4a171a3aeff8c94e927ec18573736d1b580ead87710

SHA512
ace394b75a6f647d8854416641eec21600b1e5cb1221a8084122eafc1c5e17c12a1a43d8ba96ec964e064465037fa738483beec2cebca34410f944a019386680

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\15816de0-0574-438e-8dbc-0bdb2b95fa76

Filesize
659B

MD5
5af3d91f1bf008c2ba41c254c567a1fc

SHA1
f30566c6c066b679b747ffec1a4e2d0d91fe4e99

SHA256
54bcdff1684d87b1fc1795f1b6439db0ed690447db6b2e0f8e78b962801d2f4b

SHA512
46f7a68bdd9c5d7bca502f778f8cb75f4372918d793806b091581e06d7b27ce776a4abb5471246cc5c5ffbcd4e4279670d5b9af61ad86409e5d6859637d79dde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\16c65cd5-a121-416f-9bdd-357ea8889273

Filesize
905B

MD5
244f72a39632fd5da6fdaf9af424ac2d

SHA1
205b284af89f87dba3a2dd370d5cc189c41a845d

SHA256
a52bd4be15eb5165158e7c5756da68258c06acf224740b1db83397d2c80f55f9

SHA512
dac4bd054119d5a59ae9d0a5180884db3758c2c044fe10c00ba22956f113aaf6ea4ad5389c9d038aababbfca638c652ca218c99255d02ce4ec157e65af79aa53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\975f7613-2c95-47e6-a760-b5ade46469a4

Filesize
982B

MD5
7c8dec586fe42ede214e6ed4b815b321

SHA1
d90bfcb318bc20a00d6fb83fb5698980879ce964

SHA256
e2a3536ba27b5d8977d2b93748327c9af92485bab4579aa2f9468aecd81f607d

SHA512
fee7f9733a3fa6adb3eaa52dde3f8f9a72ae2d9c4b8ddd991cb25f45aaff7aa288fbbe959eeccfb3f80233758bb46757efaf7077b400cbefd270f4e61cf79b03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\ab6f3acb-c943-44a5-847c-fa24c758a760

Filesize
789B

MD5
c9c1e5497e983c4dfcd4c71db56fec0d

SHA1
8414a32314f9f035005f4bb27ac07d0d5f10b9dc

SHA256
9f31b484c3f2b8c78610d4759ce09a28c29ae56d074d223189143dd3c86748d4

SHA512
1ed8c9dcec3833aae21f9a0954bc9770f2a378a4d43630540b6b4f79de6541d0ccffc275a33ee4f7986a111f49b8391aa2ed1aba586280ed242c87c7f23526bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\bc3c509d-605a-4c03-8f34-4d95bcc8fdaf

Filesize
661B

MD5
2c0076a497241bcda9f6af52990ff1ab

SHA1
fe7ff9c622d595baddd4ad3b88f2bf64d1f44faa

SHA256
8047036ab919613caaf1d488ca6fb6e4f837138e7835ad95177de1f11cb6d036

SHA512
609eba5e67ce40f7df3fd21391da771aca36c62ba3a5cb36e1936e4af0cec1787a33adbd9405fc4575ce70b7940eadb3f1844ec2d6525b362060823e826f9d9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\e36e23cf-00e1-4444-8575-4650cc18a769

Filesize
653B

MD5
b264fd74ac2e62e63c2342e4b48b7914

SHA1
0fa6d8d5d80209352a16226241fa766e9394574f

SHA256
0b0f863c2b5e336e8b1b950fe94e5ba0df8abdadc2cc8f86b6619e322123a66c

SHA512
55d2460b81f1ad0c66bc669d569bf88991c2be0855ae23071984133c78bee6140e4f337439c4ed0a5266862d81817f5773a9d9d0450a48c6099ac767c97a2054

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\permissions.sqlite

Filesize
96KB

MD5
74ec60e2438d75455babe4894a533667

SHA1
4dc2fbfeee71cf89f0d13a5b50a1714db9bcd6f1

SHA256
9ade02c165146d68ede866d56ee1f8668bf0677b0a7671cc0a9d7e4ab50a3545

SHA512
cc6583e5d062cb4994b9cb5534de48f221ee7cf752beafedbc62d9356140784de598f3af9671fd1ae6c111575dc59d5f6e593e3f03fef10e55e23f31446dd656

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\places.sqlite-wal

Filesize
2.0MB

MD5
93fedcbf67aa0bc642222af31006ed08

SHA1
f61b64b720e1a4f5c1d0e236f26cbd6dce1f9671

SHA256
5120cecfe75733938e742bf40eaf8f37bee9f6a6126571893a42cee0335d11a5

SHA512
ffd1e9fddfb39e9519a3a12fb897b17ea8d1694e208a2c8df0bd3f67d8139a1c7186ebb106ab20f960de4fec86406cef3620aab1b1518de537eaffa55ffd48b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
12KB

MD5
eb77a53857db6368cc15412abe1fad12

SHA1
ed52ec414affcb59f44a8e0ace4895f9e3e968c2

SHA256
e59d11a99043626a994b9d0fc7253c377e2ec6cb7b00c5032f5bdabe842501bb

SHA512
09d0e179ff0193058248055eb539bc35c4f7192e008d697114d531891e911f795a6483d2d92b5ffdea066919bb53fbdf11de722697403678de61547cbe593e92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
16KB

MD5
35dcceba9b10fdb2e6ce5cb072abd02d

SHA1
72bfdcf37543e09f3d509ad2b77849795263e941

SHA256
4b547e4d453a1afdcc1007211871bd06ba14633c88f34e1a22be116343c8d2d9

SHA512
996437cc072d44c7ee28251da3f66c377b2f4c58602e6e21e548d052a0f43dd7df090be01f5d9ad019d0c41bf76e9f66958a4155a0ee6cc00b6f707ebc6506cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js

Filesize
11KB

MD5
e8b04584f6fa8012540fac1b11b9b025

SHA1
25d6a7f85212e90a8879731ecdf5e794db2f95fe

SHA256
009dbd67344db5df05ace798d26260c9e7b7463a23d32ee2e561477f8301172c

SHA512
cef43c88e112d73833afaefe96b84967ee369765a7818413860f2b93f62688271fb5be9c97181269df687adee6382cef1726e0afb242c00e9e047f95220c4fec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
11KB

MD5
82bf7e11b58d91cff434287fc63efe97

SHA1
192391867496961bc2f3d778fabc57c11b9e27f7

SHA256
225df34f6917ea96c0d48665283ec50c06d76a83921cd28de8edec209179c261

SHA512
c310facc29d8916efe5f41473a1d4529141c62016eb456295f24cc2fe8c50636774cf4a98bdf49991810b8befaf76f43500afa498a5f8176ba9995fff3386843

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
10KB

MD5
9f2cf8e8c9530e0a9c9ad5b4034a33f1

SHA1
a2948f86a8c9789a92f3e59c9dd5ccb198ee433e

SHA256
9f32f6550a5ebb20dc80c9afb024eec62e5836e2af4364455168f4296b49e045

SHA512
2c59c240e8a0c8ce0d88020e94ce54b5b0dc7bd5e51f62b922eb13f14cf5d4889f5cc16eb521a0fad50157757ab791ede19b489ad74d1ae47d939da02d82117d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js

Filesize
11KB

MD5
94a167fbd7ede3848451a2e99c473e10

SHA1
64086b8a2efa6c6eab36794efd344367301a5606

SHA256
4143c0ba7277d462bf32d9a5d2161b4c10f987e4339346a6234c5c1b81ce3fe8

SHA512
d658a8508f706f887803f97d53d1c2cf256d2f924ed366453b64dce293903acfcbaeade661e795ff9d415d181c1e06415691d6a4986bf3ca7687dc1079b54237

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
c5cf7af26f2dad189a20a9dc1b4538de

SHA1
fc438cdc970827ff9cdd412a99717151b5e97edd

SHA256
bfd285119e3046ff4e48197fbe9c19e8ca5cf8e428d3839ac39d3a9f58148e55

SHA512
c02f6217063466a1fb6acfbedec6c9c31350be8f17eb630091b56439899c2bed4c535501c6bc1e1fa7b0323e6155d2fcb8611de76fddff04acc2b2c904589f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage.sqlite

Filesize
4KB

MD5
ec5e1b7a89dd39a2aef55f9f149743f2

SHA1
554bfde8b06776a72d63a362710369dded7572fe

SHA256
1134e91b9c40a5c1063371117f90079b1aaf4b9bfb629fb6e452947fb9e8ebe0

SHA512
f480fd92ae952ebe7958dc7b3fddf3cd51b4ad9605db1cacd4e05382b2f2d15e9e05db4684c0fd5d7c939578a9e1e503b5799198a10251380895095846976825

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.1MB

MD5
a7f90f8c67bbd52ce7e2da514e6b4ce1

SHA1
d1b3e94cff5f28de963d0d65d874091e809d27f5

SHA256
5d662b0333da65547fb0755c1bb0cc0f41310ff19dd7d0d1f2dc69c6f1e4a9ae

SHA512
4614ccaf133e3899683468eb968891456124b1e07076ff9e122b6263024bd79a1b5baf3f27cbc960dd63aeea7bb89209df6fb34e934a0d69930a4adb1301f85f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
560KB

MD5
656c302f010fecc787d2948fbd535c8e

SHA1
feb3c59aa68a5613a6011c89cc0f830f3f330212

SHA256
2b875025be9279745052fdacbe79671eefcae5975ad7188926a068693f79f108

SHA512
06bb5e9088f67d67fcd41101705791957f00d94b954086baefa33c243ba374e22f5cf056b0f53cea968307cc0e9a003d1ef0a872b515a227e718a0fa07f13d7b

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
6636867f8e2b1a0ac6cf1e1655ccca8a

SHA1
07a0cb4eb983a908f9000fb96c9503cbc2f845e7

SHA256
e988445581a3aa967bd94c8ff20734ca0ca8bdd3b2adbe0de69d137afca6c9d3

SHA512
dc703293ef27737ab6bef5d21049024dd315b7d1d5b7805988d312c0e93cd3c90f1befde0002d0abf2e4ccbb000ace10f123885214f37ba80364bec6d728c3d7

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
813db215400b5a09950f86f8ef2738da

SHA1
0935d21a5779becbd06a728e3d85920173eac46e

SHA256
010dee57ced3e17375caab366cc52e1cefc41b1a2a90af3390724fde8240a543

SHA512
0c549f7903ec94043622d532f2c72febf6f63df37ea5eb1cbd3f57ef2368e943873acccb7d921eff4d1df08725a7ecd0920d3a45bb19e0758aa513a74d96e0be

Download Submit
memory/880-448-0x0000000000320000-0x0000000000581000-memory.dmp

Filesize
2.4MB

Download
memory/880-449-0x0000000000320000-0x0000000000581000-memory.dmp

Filesize
2.4MB

Download
memory/888-415-0x0000000000950000-0x0000000000A68000-memory.dmp

Filesize
1.1MB

Download
memory/888-426-0x000000000B4E0000-0x000000000B564000-memory.dmp

Filesize
528KB

Download
memory/964-168-0x0000000006BD0000-0x0000000006BE2000-memory.dmp

Filesize
72KB

Download
memory/964-165-0x0000000007140000-0x0000000007758000-memory.dmp

Filesize
6.1MB

Download
memory/964-162-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/964-139-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/964-170-0x0000000006DA0000-0x0000000006DEC000-memory.dmp

Filesize
304KB

Download
memory/964-141-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/964-169-0x0000000006C30000-0x0000000006C6C000-memory.dmp

Filesize
240KB

Download
memory/964-158-0x00000000060F0000-0x0000000006166000-memory.dmp

Filesize
472KB

Download
memory/964-167-0x0000000006C90000-0x0000000006D9A000-memory.dmp

Filesize
1.0MB

Download
memory/964-140-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/964-138-0x0000000000A20000-0x0000000000A72000-memory.dmp

Filesize
328KB

Download
memory/980-816-0x0000000000180000-0x000000000064F000-memory.dmp

Filesize
4.8MB

Download
memory/980-833-0x0000000000180000-0x000000000064F000-memory.dmp

Filesize
4.8MB

Download
memory/1368-46-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1368-45-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1368-43-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1460-188-0x000000001B930000-0x000000001B94E000-memory.dmp

Filesize
120KB

Download
memory/1460-210-0x000000001FB30000-0x0000000020058000-memory.dmp

Filesize
5.2MB

Download
memory/1460-94-0x0000000000A90000-0x0000000000AF8000-memory.dmp

Filesize
416KB

Download
memory/1460-184-0x000000001E8B0000-0x000000001E926000-memory.dmp

Filesize
472KB

Download
memory/1460-159-0x000000001DCE0000-0x000000001DDEA000-memory.dmp

Filesize
1.0MB

Download
memory/1460-160-0x000000001C490000-0x000000001C4A2000-memory.dmp

Filesize
72KB

Download
memory/1608-379-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/2392-1232-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/2392-705-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/2392-264-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/2392-457-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/2392-1162-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/2392-1260-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/3036-69-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3036-68-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3036-70-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3036-91-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3140-95-0x0000000000540000-0x00000000005DC000-memory.dmp

Filesize
624KB

Download
memory/3140-207-0x000000001EAE0000-0x000000001ECA2000-memory.dmp

Filesize
1.8MB

Download
memory/3140-161-0x000000001DA00000-0x000000001DA3C000-memory.dmp

Filesize
240KB

Download
memory/3228-3522-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/3228-3526-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4224-3-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/4224-2-0x0000000000D31000-0x0000000000D5F000-memory.dmp

Filesize
184KB

Download
memory/4224-18-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/4224-0-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/4224-4-0x0000000000D30000-0x00000000011E7000-memory.dmp

Filesize
4.7MB

Download
memory/4224-1-0x00000000776E4000-0x00000000776E6000-memory.dmp

Filesize
8KB

Download
memory/4444-263-0x0000000000100000-0x00000000005C2000-memory.dmp

Filesize
4.8MB

Download
memory/4444-249-0x0000000000100000-0x00000000005C2000-memory.dmp

Filesize
4.8MB

Download
memory/4708-432-0x00000000006E0000-0x0000000000D7C000-memory.dmp

Filesize
6.6MB

Download
memory/4708-388-0x00000000006E0000-0x0000000000D7C000-memory.dmp

Filesize
6.6MB

Download
memory/4708-189-0x00000000006E0000-0x0000000000D7C000-memory.dmp

Filesize
6.6MB

Download
memory/4708-387-0x00000000006E0000-0x0000000000D7C000-memory.dmp

Filesize
6.6MB

Download
memory/4768-784-0x0000000009D00000-0x0000000009EC2000-memory.dmp

Filesize
1.8MB

Download
memory/4768-428-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/4768-788-0x000000000A400000-0x000000000A92C000-memory.dmp

Filesize
5.2MB

Download
memory/4768-429-0x00000000089E0000-0x0000000008A30000-memory.dmp

Filesize
320KB

Download
memory/4768-304-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4800-190-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4800-368-0x0000000000820000-0x0000000000A63000-memory.dmp

Filesize
2.3MB

Download
memory/4800-112-0x0000000000820000-0x0000000000A63000-memory.dmp

Filesize
2.3MB

Download
memory/4824-42-0x0000000000F67000-0x0000000000F68000-memory.dmp

Filesize
4KB

Download
memory/4872-1291-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4872-1358-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4872-1302-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4980-166-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-20-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-206-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-16-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-1248-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-111-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-19-0x0000000000E81000-0x0000000000EAF000-memory.dmp

Filesize
184KB

Download
memory/4980-427-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-850-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-1215-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-179-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-47-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/4980-21-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/5032-286-0x0000000000370000-0x00000000003C4000-memory.dmp

Filesize
336KB

Download
memory/5268-851-0x0000000000AF0000-0x000000000118C000-memory.dmp

Filesize
6.6MB

Download
memory/5268-849-0x0000000000AF0000-0x000000000118C000-memory.dmp

Filesize
6.6MB

Download
memory/5476-1198-0x0000000000B80000-0x00000000012F7000-memory.dmp

Filesize
7.5MB

Download
memory/5476-1281-0x0000000000B80000-0x00000000012F7000-memory.dmp

Filesize
7.5MB

Download
memory/5476-791-0x0000000069CC0000-0x000000006A377000-memory.dmp

Filesize
6.7MB

Download
memory/5732-1165-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/5732-1182-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/5804-1185-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/5804-1169-0x0000000000E80000-0x0000000001337000-memory.dmp

Filesize
4.7MB

Download
memory/5900-1224-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5900-1216-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5900-1213-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5900-1214-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5968-1212-0x0000000000400000-0x0000000001067000-memory.dmp

Filesize
12.4MB

Download
memory/6104-3521-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download
memory/6104-3524-0x0000000000870000-0x0000000000D32000-memory.dmp

Filesize
4.8MB

Download