amadey | 2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Size

1.8MB
MD5

1a1ac94cc27bf21fa3f542a09658a2c7
SHA1

d0242b0a3a14d9d12c84ed6552b8e1e0280a41c0
SHA256

2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61
SHA512

5209536829cd3052f20169719fa80486398115149fddd3943653f53f17357dbecc0a44a240e72793a390e040619db8b1e5daba02d4cfdd98e712f831c2902228
SSDEEP

49152:vopf4CbB40MG8/SU50BJGcGq0V052j4qNNHd3HajHlgRwEpYrCjAt:ApfLBjTa0BkoX5vqNBoB1AY

Score

10^/10

amadey lumma redline stealc 9c9aa5 default2 doma fed3aa newbundle2 tg cloud @rlreborn admin @fatherofcarders credential_access discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019aec-175.dat	family_redline
behavioral1/memory/1740-185-0x0000000000D50000-0x0000000000DA2000-memory.dmp	family_redline
behavioral1/memory/1636-342-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1636-348-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1636-346-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1636-345-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1636-340-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a31a867952.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b6485bb1ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58e06d807d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fa2d93e7cf.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa2d93e7cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58e06d807d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b6485bb1ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fa2d93e7cf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a31a867952.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58e06d807d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a31a867952.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b6485bb1ff.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe

Executes dropped EXE 24 IoCs

pid	Process
2740	axplong.exe
660	gold.exe
2968	legas.exe
1664	NePrLrZmRG.exe
1864	R92g5Ngz9R.exe
2240	stealc_default2.exe
1740	newbundle2.exe
2764	fa2d93e7cf.exe
2880	a31a867952.exe
1264	skotes.exe
1136	MK.exe
1788	Nework.exe
1704	Hkbsse.exe
1780	processclass.exe
1328	1ad51bad25.exe
2688	splwow64.exe
3712	num.exe
3180	context.exe
3276	b6485bb1ff.exe
3764	58e06d807d.exe
3776	sadsay.exe
1424	Set-up.exe
2572	out.exe
1608	service123.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	b6485bb1ff.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	58e06d807d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	fa2d93e7cf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	a31a867952.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	skotes.exe

Loads dropped DLL 52 IoCs

pid	Process
2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
2740	axplong.exe
2740	axplong.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
2740	axplong.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2784	WerFault.exe
2304	MSBuild.exe
2304	MSBuild.exe
2740	axplong.exe
2740	axplong.exe
2740	axplong.exe
2740	axplong.exe
2740	axplong.exe
2740	axplong.exe
2880	a31a867952.exe
2740	axplong.exe
2740	axplong.exe
1788	Nework.exe
2740	axplong.exe
2240	stealc_default2.exe
2240	stealc_default2.exe
1264	skotes.exe
2740	axplong.exe
1264	skotes.exe
1264	skotes.exe
1264	skotes.exe
1264	skotes.exe
1264	skotes.exe
1264	skotes.exe
1264	skotes.exe
1704	Hkbsse.exe
1704	Hkbsse.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
3936	WerFault.exe
2740	axplong.exe
2740	axplong.exe
2740	axplong.exe
2740	axplong.exe
3776	sadsay.exe
3776	sadsay.exe
1608	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa2d93e7cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\fa2d93e7cf.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\a31a867952.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\a31a867952.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ad51bad25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000332001\\1ad51bad25.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\b6485bb1ff.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349001\\b6485bb1ff.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\58e06d807d.exe = "C:\\Users\\Admin\\1000350002\\58e06d807d.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a4a2-438.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
2740	axplong.exe
2764	fa2d93e7cf.exe
2880	a31a867952.exe
1264	skotes.exe
3276	b6485bb1ff.exe
3764	58e06d807d.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 660 set thread context of 288	660	gold.exe	33
PID 2968 set thread context of 2304	2968	legas.exe	37
PID 1136 set thread context of 1636	1136	MK.exe	51
PID 2688 set thread context of 4004	2688	splwow64.exe	84

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	a31a867952.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe
File created	C:\Windows\Tasks\axplong.job	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1252	660	WerFault.exe	32
2784	2968	WerFault.exe	36
3936	3180	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6485bb1ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sadsay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ad51bad25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2d93e7cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a31a867952.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58e06d807d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sadsay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sadsay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2852	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1136	taskkill.exe
2900	taskkill.exe
1792	taskkill.exe
1652	taskkill.exe
4032	taskkill.exe
1760	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	newbundle2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	NePrLrZmRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NePrLrZmRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	NePrLrZmRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	NePrLrZmRG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	b6485bb1ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	b6485bb1ff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	newbundle2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	NePrLrZmRG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	NePrLrZmRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	NePrLrZmRG.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1932	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3180	context.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
2740	axplong.exe
2240	stealc_default2.exe
2764	fa2d93e7cf.exe
1864	R92g5Ngz9R.exe
1664	NePrLrZmRG.exe
2880	a31a867952.exe
1264	skotes.exe
1636	RegAsm.exe
2240	stealc_default2.exe
1636	RegAsm.exe
1636	RegAsm.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
3276	b6485bb1ff.exe
3276	b6485bb1ff.exe
3764	58e06d807d.exe
3764	58e06d807d.exe
3764	58e06d807d.exe
3180	context.exe
3180	context.exe
3180	context.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeBackupPrivilege	1664	NePrLrZmRG.exe
Token: SeBackupPrivilege	1864	R92g5Ngz9R.exe
Token: SeSecurityPrivilege	1664	NePrLrZmRG.exe
Token: SeSecurityPrivilege	1864	R92g5Ngz9R.exe
Token: SeSecurityPrivilege	1664	NePrLrZmRG.exe
Token: SeSecurityPrivilege	1864	R92g5Ngz9R.exe
Token: SeSecurityPrivilege	1664	NePrLrZmRG.exe
Token: SeSecurityPrivilege	1664	NePrLrZmRG.exe
Token: SeSecurityPrivilege	1864	R92g5Ngz9R.exe
Token: SeSecurityPrivilege	1864	R92g5Ngz9R.exe
Token: SeDebugPrivilege	1664	NePrLrZmRG.exe
Token: SeDebugPrivilege	1864	R92g5Ngz9R.exe
Token: SeDebugPrivilege	1636	RegAsm.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	2624	firefox.exe
Token: SeDebugPrivilege	2624	firefox.exe
Token: SeDebugPrivilege	1780	processclass.exe
Token: SeDebugPrivilege	2688	splwow64.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	3180	context.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
2880	a31a867952.exe
1788	Nework.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
2624	firefox.exe
2624	firefox.exe
2624	firefox.exe
2624	firefox.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
2624	firefox.exe
2624	firefox.exe
2624	firefox.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe
1328	1ad51bad25.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2740	2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	30
PID 2504 wrote to memory of 2740	2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	30
PID 2504 wrote to memory of 2740	2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	30
PID 2504 wrote to memory of 2740	2504	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	30
PID 2740 wrote to memory of 660	2740	axplong.exe	32
PID 2740 wrote to memory of 660	2740	axplong.exe	32
PID 2740 wrote to memory of 660	2740	axplong.exe	32
PID 2740 wrote to memory of 660	2740	axplong.exe	32
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 288	660	gold.exe	33
PID 660 wrote to memory of 1252	660	gold.exe	34
PID 660 wrote to memory of 1252	660	gold.exe	34
PID 660 wrote to memory of 1252	660	gold.exe	34
PID 660 wrote to memory of 1252	660	gold.exe	34
PID 2740 wrote to memory of 2968	2740	axplong.exe	36
PID 2740 wrote to memory of 2968	2740	axplong.exe	36
PID 2740 wrote to memory of 2968	2740	axplong.exe	36
PID 2740 wrote to memory of 2968	2740	axplong.exe	36
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2304	2968	legas.exe	37
PID 2968 wrote to memory of 2784	2968	legas.exe	38
PID 2968 wrote to memory of 2784	2968	legas.exe	38
PID 2968 wrote to memory of 2784	2968	legas.exe	38
PID 2968 wrote to memory of 2784	2968	legas.exe	38
PID 2304 wrote to memory of 1664	2304	MSBuild.exe	39
PID 2304 wrote to memory of 1664	2304	MSBuild.exe	39
PID 2304 wrote to memory of 1664	2304	MSBuild.exe	39
PID 2304 wrote to memory of 1664	2304	MSBuild.exe	39
PID 2304 wrote to memory of 1864	2304	MSBuild.exe	40
PID 2304 wrote to memory of 1864	2304	MSBuild.exe	40
PID 2304 wrote to memory of 1864	2304	MSBuild.exe	40
PID 2304 wrote to memory of 1864	2304	MSBuild.exe	40
PID 2740 wrote to memory of 2240	2740	axplong.exe	41
PID 2740 wrote to memory of 2240	2740	axplong.exe	41
PID 2740 wrote to memory of 2240	2740	axplong.exe	41
PID 2740 wrote to memory of 2240	2740	axplong.exe	41
PID 2740 wrote to memory of 1740	2740	axplong.exe	42
PID 2740 wrote to memory of 1740	2740	axplong.exe	42
PID 2740 wrote to memory of 1740	2740	axplong.exe	42
PID 2740 wrote to memory of 1740	2740	axplong.exe	42
PID 2740 wrote to memory of 2764	2740	axplong.exe	45
PID 2740 wrote to memory of 2764	2740	axplong.exe	45
PID 2740 wrote to memory of 2764	2740	axplong.exe	45
PID 2740 wrote to memory of 2764	2740	axplong.exe	45
PID 2740 wrote to memory of 2880	2740	axplong.exe	47
PID 2740 wrote to memory of 2880	2740	axplong.exe	47
PID 2740 wrote to memory of 2880	2740	axplong.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
"C:\Users\Admin\AppData\Local\Temp\2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:1252
- - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Users\Admin\AppData\Roaming\NePrLrZmRG.exe
        
        "C:\Users\Admin\AppData\Roaming\NePrLrZmRG.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Users\Admin\AppData\Roaming\R92g5Ngz9R.exe
        
        "C:\Users\Admin\AppData\Roaming\R92g5Ngz9R.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 52
      4⤵
      Loads dropped DLL
      Program crash
      PID:2784
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\1000354001\fa2d93e7cf.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\fa2d93e7cf.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\1000355001\a31a867952.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\a31a867952.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\1000332001\1ad51bad25.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000332001\1ad51bad25.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1328
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:2456
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2624
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.0.613012935\36548035" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eebaa1d2-a7fc-4618-b10d-0adc4f5f1220} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 1300 122d5e58 gpu
        8⤵
        
        PID:936
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.1.1499644439\753743350" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7229399-4a7f-4fa3-9c8e-cdbf7681edb4} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 1500 e73658 socket
        8⤵
        
        PID:856
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.2.140277744\1350474374" -childID 1 -isForBrowser -prefsHandle 1916 -prefMapHandle 1912 -prefsLen 21668 -prefMapSize 233414 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afa31850-038e-419b-a0af-5010f12cf0dc} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 1760 19bd0458 tab
        8⤵
        
        PID:1256
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.3.285652003\510495995" -childID 2 -isForBrowser -prefsHandle 2784 -prefMapHandle 2780 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2860b591-f788-4833-ba79-781076bfe893} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 2808 1aedcb58 tab
        8⤵
        
        PID:868
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.4.804019783\587607139" -childID 3 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22864b6e-f5ae-446d-95e3-467033e0e2f9} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 3788 19cf9d58 tab
        8⤵
        
        PID:3348
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.5.424552190\2048971854" -childID 4 -isForBrowser -prefsHandle 3896 -prefMapHandle 3900 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d07aa6c-48ee-4806-94e0-e76ccf4e0063} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 3884 19cfa358 tab
        8⤵
        
        PID:3360
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2624.6.799340395\2064576319" -childID 5 -isForBrowser -prefsHandle 3964 -prefMapHandle 3908 -prefsLen 26197 -prefMapSize 233414 -jsInitHandle 836 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3abe93a-c1ed-4a99-837c-dc01b9cca717} 2624 "\\.\pipe\gecko-crash-server-pipe.2624" 3952 19cfa658 tab
        8⤵
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3712
    - - C:\Users\Admin\AppData\Local\Temp\1000349001\b6485bb1ff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000349001\b6485bb1ff.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:3276
    - - C:\Users\Admin\1000350002\58e06d807d.exe
        
        "C:\Users\Admin\1000350002\58e06d807d.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3764
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        
        PID:2564
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1608
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1932
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:3100
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 728
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:3936
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2852
- - C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1424
- - C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe
    "C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe"
    3⤵
    - Executes dropped EXE
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9156c5260f7e93c4ab8b8c1ec26bd817

SHA1
a6ec6354f81825742dcc3f0c6947d3e02d3a30cf

SHA256
943dc2f1b6ed6f363b73a5876d38ffe9a0dc4ceeb3ac3dc534750deb6296aaf4

SHA512
c6e5382ba718fd8ffb56697471ad99bb722f0f52b73b9db1ad0858876f47fec5d4c1270d6811ec56a0993985177afd5dbfdd0558527189d2848edd00824f29a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccbce8d6f73a006ebb28d55a7bd4b803

SHA1
7e317d0107ace7f903ff29b6c85c71a2ed717415

SHA256
5cbd4fe08be49efff641d1fd35c3d3164175cb4005dca47833b8e6c16ec62670

SHA512
860e8abc5f44ec8d8f3a2d19135f81f58946accaa34b22f85b8536b7282409281d31c414dc6ccaefce034f604f302588c62c2fae657ded925abb6d07da679b36

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
d4205dbb25736013afc89b84b889fc65

SHA1
bf34918a0a1d81a3da54a5937256c52e2dbf7c73

SHA256
a5f4a14ea834a882b5179a7919e14f7f5f9256889f69b671a5adc585d8d8f4b4

SHA512
ce972266baa616452c77a16bb8d356f91642b66cb5d1b334ebbdcbb8c5805235c4b26082ebb09ab98db6bf1befd28adf749c5653b4850698483f109770141017

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
566KB

MD5
049b6fe48a8cfb927648ad626aba5551

SHA1
9555d23104167e4fad5a178b4352831ce620b374

SHA256
b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531

SHA512
ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\fikbbm0902845.exe

Filesize
18B

MD5
174ef859dfe296a48628dc40ef8e05ed

SHA1
59a0e43e3ae9c8f638932b9cf83bf62ad91fb2b7

SHA256
84520353f099eee2117b00aa16cde461e573a835e8ddd64334efd871d4ce292c

SHA512
c6d0e9d1842a4ce05929f8941b8e30729567626cf1594f3b11958cde9347e1d8e8cde5f9f9584953122fd035fedec0b09c0bd184abc0f33eac4862d85e164ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe

Filesize
7.4MB

MD5
735bb5f55a17215700840c04a8b40a03

SHA1
55e0828c6d08653939eee2b1af8fd737e92266c4

SHA256
5ea6a5e3bc6c02cc41637028050c3738c38a07917e373637928b314c5d22f84d

SHA512
7e742677e35099d8cd4a5163eea6633e3ec7deeb4840aba1f8adad8f0022e72f7416ac6367802eceab8f9f2e9dd04e1546b141e911495d025b98575a92f3865c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\red.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000332001\1ad51bad25.exe

Filesize
898KB

MD5
8eb80d6a4bf81ccc902a45a404c7ed9d

SHA1
94bd95a6c577963d3608de4b659c892aa4013f84

SHA256
98cdc2aed91cb1294429e43cebfe79adfe311761db9b00ae74ce4b424e38e808

SHA512
95ccca01f61452d25c34f05525d1a2d5e63b61ce62402e06ed9d6be26aa4621041d6480ef310356fbff4dac0b311e57b03cdf3b527238a14b598def1e53696e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000349001\b6485bb1ff.exe

Filesize
1.8MB

MD5
8bf0d4785c3b0a19bb39b04ec92dd194

SHA1
918d36638f5fd4047d9be21b47eb1b759c7791cd

SHA256
64ebff6e8bc8771871fc410bbda0c6ceef6ffde7c01714913e69f074d3d94210

SHA512
368af90055d7d2c435f03cc0e48490c0cf672d3746d05a06ef8a7577b8d34924a0072a19937640d87a858346f83ba4cd5ed53ff5ac9d2e7ce2091aa38b60e3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\fa2d93e7cf.exe

Filesize
1.8MB

MD5
caf461eb8ed93f9c6693644c9a00bf91

SHA1
bde1937a55f1aba923ef6710d56585192aa29f66

SHA256
bd7cb47cbacea170edf4777a5d5d592493f8bdeb475b25cde03208bd49eae092

SHA512
ddb8711e95899cb09798f0add44805ed5aa90c1ca80e94fa73fa42568c07c9aa93dca21ff0db314fead43d84ec87583d9b8c6e7d1799daa8e3a58befdf678642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\a31a867952.exe

Filesize
1.8MB

MD5
f69f1b099abe6b8ec4d6319db86fd01d

SHA1
374021521d524c3c4e8e54937eb21b1982511277

SHA256
f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

SHA512
edc4b8d8171de84234379bb1a4658aef0c1197b584f5b035779fae7689695edf05675b3578342c893383e3b18a5bdd35cd598da3e2847873c29946414695ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe

Filesize
1.1MB

MD5
ed9393d5765529c845c623e35c1b1a34

SHA1
d3eca07f5ce0df847070d2d7fe5253067f624285

SHA256
53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

SHA512
565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe

Filesize
6.3MB

MD5
65eeea19b373583f916bf3070acbfd58

SHA1
78ce3479d5d0148ba855d89ecb48a3f0c12d9957

SHA256
c671e33f6757cef930713d2e4efeb8642177675e95fc05de92e124213022a00b

SHA512
f726327e977a85dcc3b0c217a8dacc9cd375bbe3f238558c9b9adf35233c0b4959e6014ff46bf742a7a822e4fe757d4f3bcc1e63709c6ec4c84c29c1f47483c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe

Filesize
5.5MB

MD5
f2930c61288bc55dfdf9c8b42e321006

SHA1
5ce19a53d5b4deb406943e05ec93bc3979824866

SHA256
d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603

SHA512
67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8D2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF9EE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2A1.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\76b53b3ec448f7ccdda2063b15d2bfc3_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
2KB

MD5
051c2eae194c648f6b5b5e3009d8baae

SHA1
c8fd0004b3bcfc8ce5040690ef411056fdf34538

SHA256
3d2c85821e6e79633fd65d46b82a75f574c5e585c3e28bf432c8a89de53221bc

SHA512
1f5044f8e3c5f118487c82ea1a94b2a41226259af0aadfc097e7776fcd03608d9ae4447d0ea03926e4f400a92bd53d0abc0a267e5cbe4cb28285cd6adbe0e9e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
cea8377a842189bff814b8f7ac7fb4a6

SHA1
4a2ae9bc352d3aa57a8f23281b464b306c6de886

SHA256
f4224ee6d2bcf77aef135da55f696cdac3240e6945783fb65128beee256063e0

SHA512
752570dea47239d677d8e77fc301a1763eb52d299a3b59bee84f6d7f9f26569e9b375732eac4bc32b21d7c143eecbff9c0dc28e9c34d5487fc7dc5f53c9ea5ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\0ec0b588-32d9-4d75-ba41-b7d7d3f91b47

Filesize
733B

MD5
660adae622014efcc43334209aae1a7f

SHA1
84e8c10768c4300feb41bfc08a737b6d19975173

SHA256
b2aef2ce9d1ae69c67cc1ff93fd4c9b0de141d70f54eab4ca2ff8a40e1d51f68

SHA512
cc20ab54588a1f28fbfd19507c7bc76d2fbe7690f3b7ceb0dcc3afb4cf3a1724778b362bb8637a78611c0d23a79264cdbf873059964580960d085c8a187a0076

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

Filesize
6KB

MD5
35fe5ae04a14bd622ac6b30e5f52b775

SHA1
67317b4d9982852dca9136582ce3acf760730ea1

SHA256
fbba7d6f1232046b7a33994ee336308166d42df748491f0a4564a3241800e5ba

SHA512
4ffea8496dd5710ffe88ce8bf9dc7024cbe912f5389599a716b4171e14bf2810acb5a799c2ab76f74a8f29cc1d2b9d30877cb2f89d7ac71efc8bf045fb09abea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

Filesize
7KB

MD5
f639da76d40e281b737a0ca4351418b4

SHA1
95f3cef75c1be4599a4d7db2e9a6b3058b1e43b6

SHA256
853eb8d93c17ef90f2ece1752161fb3b82db1f329c257d939a1b7960728de065

SHA512
81cc1530f8577dfcb48cb2af5237cbc4d28f44c78b9c142304f5ff1b7abc850bdff31c0866391ca1ee5a5c1eac11446fcdb154a468f2d8aac8c17e5efddbde2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

Filesize
6KB

MD5
571940d220bb41e70b4154003fd164cf

SHA1
7ef90a3ee0b69080c862c58f1fe2e4d13e9c3c2c

SHA256
c19d8a8b7fcd17658da243ae0405ac6fa32100adf4df45a143cb7325190a5ebd

SHA512
3eeba44fb6d0275542b49acd1c62548ec090797e5955ad35ed2257607942347c75ce230b94837e6d7c9232e60f9fee141a5513bd0f4222d97c8379d1cb8e5d91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\prefs-1.js

Filesize
6KB

MD5
235cc434e69362bc5f465c2c9c1ae8db

SHA1
b75b846892c96d19089b87cc9c85118cb1d681bd

SHA256
6beae1d4bc7ba52e5e7fc36ce503c894d9e42c0170e23bc34aed9b1ed692b571

SHA512
efde62abeb3fb966db1912770935b168abe900d76496576e4170bb28d046ff3a6408a430cc6c6e065a9c5caeed105a802c4a4912cddcb9486e32662e85080ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
12489749a18e089b09f3da38d044e3ff

SHA1
7b87d06eef63e97c4a715dc959867ba202dfd796

SHA256
d64694774b78b7ac14980e864b5d7579d6af337f25a7b0b70e09ff1b993119ef

SHA512
bdf367e936981f6bcda1dfc67a119026392ee6cec39e6ac9e21e3ba6fefc2d0355c7c36ecb33dd1e79a353f94f529b686ca14b329925816e21174345c6d6ee94

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
28a920d47f649873e8d806c6ccbde06a

SHA1
1d6769939deaa51a598251feb1a8331f06860e05

SHA256
eb0855c7f9d290990c7a91544d70d0f0ca84f228f1cb9c8d17c104f425c02de5

SHA512
f7e8dacfd995ebde50de1acc48f4b2f8e0b00708fb2fa1afc8883e23f11b4bfa47caa4a8d8cacd8a59a754fd2cccf5feff6fa15f756855268630a9a2a9069243

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
1a1ac94cc27bf21fa3f542a09658a2c7

SHA1
d0242b0a3a14d9d12c84ed6552b8e1e0280a41c0

SHA256
2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61

SHA512
5209536829cd3052f20169719fa80486398115149fddd3943653f53f17357dbecc0a44a240e72793a390e040619db8b1e5daba02d4cfdd98e712f831c2902228

Download Submit
\Users\Admin\AppData\Roaming\NePrLrZmRG.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
\Users\Admin\AppData\Roaming\R92g5Ngz9R.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
memory/288-47-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/288-58-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-48-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-51-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-46-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-45-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-44-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-42-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/288-40-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/660-52-0x0000000001107000-0x0000000001108000-memory.dmp

Filesize
4KB

Download
memory/1136-334-0x0000000000900000-0x0000000000954000-memory.dmp

Filesize
336KB

Download
memory/1136-335-0x0000000002340000-0x0000000004340000-memory.dmp

Filesize
32.0MB

Download
memory/1264-724-0x0000000006B30000-0x0000000006FFF000-memory.dmp

Filesize
4.8MB

Download
memory/1264-679-0x0000000006B30000-0x0000000006FFF000-memory.dmp

Filesize
4.8MB

Download
memory/1264-732-0x0000000006B30000-0x00000000071CC000-memory.dmp

Filesize
6.6MB

Download
memory/1264-694-0x0000000006B30000-0x00000000071CC000-memory.dmp

Filesize
6.6MB

Download
memory/1264-695-0x0000000006B30000-0x00000000071CC000-memory.dmp

Filesize
6.6MB

Download
memory/1264-314-0x0000000000240000-0x0000000000702000-memory.dmp

Filesize
4.8MB

Download
memory/1264-427-0x0000000000240000-0x0000000000702000-memory.dmp

Filesize
4.8MB

Download
memory/1264-578-0x0000000006510000-0x0000000006771000-memory.dmp

Filesize
2.4MB

Download
memory/1264-680-0x0000000006B30000-0x0000000006FFF000-memory.dmp

Filesize
4.8MB

Download
memory/1264-591-0x0000000000240000-0x0000000000702000-memory.dmp

Filesize
4.8MB

Download
memory/1264-729-0x0000000006B30000-0x0000000006FFF000-memory.dmp

Filesize
4.8MB

Download
memory/1264-411-0x0000000000240000-0x0000000000702000-memory.dmp

Filesize
4.8MB

Download
memory/1264-576-0x0000000006510000-0x0000000006771000-memory.dmp

Filesize
2.4MB

Download
memory/1264-902-0x0000000006510000-0x0000000006771000-memory.dmp

Filesize
2.4MB

Download
memory/1264-903-0x0000000006510000-0x0000000006771000-memory.dmp

Filesize
2.4MB

Download
memory/1264-733-0x0000000006B30000-0x00000000071CC000-memory.dmp

Filesize
6.6MB

Download
memory/1636-336-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-338-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-344-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1636-340-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-346-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-348-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-342-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1636-345-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1664-144-0x0000000001060000-0x00000000010FC000-memory.dmp

Filesize
624KB

Download
memory/1740-185-0x0000000000D50000-0x0000000000DA2000-memory.dmp

Filesize
328KB

Download
memory/1780-408-0x0000000001350000-0x0000000001358000-memory.dmp

Filesize
32KB

Download
memory/1864-143-0x0000000000C60000-0x0000000000CC8000-memory.dmp

Filesize
416KB

Download
memory/2240-163-0x00000000010A0000-0x00000000012E3000-memory.dmp

Filesize
2.3MB

Download
memory/2240-257-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2240-433-0x00000000010A0000-0x00000000012E3000-memory.dmp

Filesize
2.3MB

Download
memory/2304-86-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-88-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-95-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-140-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-92-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-90-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-96-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-97-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-82-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2304-84-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2504-4-0x00000000013A0000-0x000000000185B000-memory.dmp

Filesize
4.7MB

Download
memory/2504-17-0x00000000013A0000-0x000000000185B000-memory.dmp

Filesize
4.7MB

Download
memory/2504-0-0x00000000013A0000-0x000000000185B000-memory.dmp

Filesize
4.7MB

Download
memory/2504-3-0x00000000013A0000-0x000000000185B000-memory.dmp

Filesize
4.7MB

Download
memory/2504-14-0x0000000006BC0000-0x000000000707B000-memory.dmp

Filesize
4.7MB

Download
memory/2504-2-0x00000000013A1000-0x00000000013CF000-memory.dmp

Filesize
184KB

Download
memory/2504-1-0x0000000077E70000-0x0000000077E72000-memory.dmp

Filesize
8KB

Download
memory/2688-463-0x0000000009F60000-0x0000000009FE4000-memory.dmp

Filesize
528KB

Download
memory/2688-462-0x0000000000910000-0x0000000000A28000-memory.dmp

Filesize
1.1MB

Download
memory/2740-313-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-60-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-364-0x0000000006A10000-0x00000000070AC000-memory.dmp

Filesize
6.6MB

Download
memory/2740-394-0x0000000006A10000-0x0000000006ED2000-memory.dmp

Filesize
4.8MB

Download
memory/2740-858-0x00000000063F0000-0x0000000006633000-memory.dmp

Filesize
2.3MB

Download
memory/2740-855-0x00000000063F0000-0x0000000006633000-memory.dmp

Filesize
2.3MB

Download
memory/2740-161-0x00000000063F0000-0x0000000006633000-memory.dmp

Filesize
2.3MB

Download
memory/2740-160-0x00000000063F0000-0x0000000006633000-memory.dmp

Filesize
2.3MB

Download
memory/2740-254-0x0000000006A10000-0x00000000070AC000-memory.dmp

Filesize
6.6MB

Download
memory/2740-253-0x0000000006A10000-0x00000000070AC000-memory.dmp

Filesize
6.6MB

Download
memory/2740-319-0x0000000006A10000-0x00000000070AC000-memory.dmp

Filesize
6.6MB

Download
memory/2740-15-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-18-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-296-0x0000000006A10000-0x0000000006ED2000-memory.dmp

Filesize
4.8MB

Download
memory/2740-19-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-426-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-68-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-590-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-53-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-49-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-31-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-22-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2740-21-0x0000000001350000-0x000000000180B000-memory.dmp

Filesize
4.7MB

Download
memory/2764-471-0x0000000000D00000-0x000000000139C000-memory.dmp

Filesize
6.6MB

Download
memory/2764-256-0x0000000000D00000-0x000000000139C000-memory.dmp

Filesize
6.6MB

Download
memory/2764-393-0x0000000000D00000-0x000000000139C000-memory.dmp

Filesize
6.6MB

Download
memory/2764-365-0x0000000000D00000-0x000000000139C000-memory.dmp

Filesize
6.6MB

Download
memory/2880-297-0x0000000000990000-0x0000000000E52000-memory.dmp

Filesize
4.8MB

Download
memory/2880-312-0x0000000000990000-0x0000000000E52000-memory.dmp

Filesize
4.8MB

Download
memory/3180-661-0x0000000001140000-0x0000000001258000-memory.dmp

Filesize
1.1MB

Download
memory/3276-726-0x00000000008E0000-0x0000000000DAF000-memory.dmp

Filesize
4.8MB

Download
memory/3276-681-0x00000000008E0000-0x0000000000DAF000-memory.dmp

Filesize
4.8MB

Download
memory/3712-577-0x0000000001380000-0x00000000015E1000-memory.dmp

Filesize
2.4MB

Download
memory/3712-583-0x0000000001380000-0x00000000015E1000-memory.dmp

Filesize
2.4MB

Download