amadey | 2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Size

1.8MB
MD5

1a1ac94cc27bf21fa3f542a09658a2c7
SHA1

d0242b0a3a14d9d12c84ed6552b8e1e0280a41c0
SHA256

2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61
SHA512

5209536829cd3052f20169719fa80486398115149fddd3943653f53f17357dbecc0a44a240e72793a390e040619db8b1e5daba02d4cfdd98e712f831c2902228
SSDEEP

49152:vopf4CbB40MG8/SU50BJGcGq0V052j4qNNHd3HajHlgRwEpYrCjAt:ApfLBjTa0BkoX5vqNBoB1AY

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

lumma

https://drawwyobstacw.sbs

https://condifendteu.sbs

https://ehticsprocw.sbs

https://vennurviot.sbs

https://resinedyw.sbs

https://enlargkiw.sbs

https://allocatinow.sbs

https://mathcucom.sbs

https://clearancek.site

https://licendfilteo.site

https://spirittunek.store

https://bathdoomgaz.store

https://studennotediw.store

https://dissapoiznw.store

https://eaglepawnoy.store

https://mobbipenju.store

Extracted

Family

stealc

Botnet

default2

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

redline

Botnet

newbundle2

185.215.113.67:15206

Extracted

Family

stealc

Botnet

doma

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

TG CLOUD @RLREBORN Admin @FATHEROFCARDERS

89.105.223.196:29862

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Extracted

Family

cryptbot

analforeverlovyu.top

tventyvf20vt.top

Attributes

url_path
/v1/upload.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Detects CryptBot payload 1 IoCs

CryptBot is a C++ stealer distributed widely in bundle with other software.

spyware stealer

resource	yara_rule
behavioral2/memory/5800-1231-0x0000000069CC0000-0x000000006A377000-memory.dmp	family_cryptbot_v3

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b4a-126.dat	family_redline
behavioral2/memory/2276-139-0x0000000000490000-0x00000000004E2000-memory.dmp	family_redline
behavioral2/memory/4372-312-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	52fa478621.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b02f0c69e5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a1410d332f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8e2c4fa9a5.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b02f0c69e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8e2c4fa9a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1410d332f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52fa478621.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1410d332f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52fa478621.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b02f0c69e5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8e2c4fa9a5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	b02f0c69e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Nework.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	processclass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Hkbsse.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	sadsay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	axplong.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	context.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Manager.url	splwow64.exe

Executes dropped EXE 31 IoCs

pid	Process
2260	axplong.exe
1552	gold.exe
4276	legas.exe
1512	KCr7L9zd6g.exe
4516	niGCLm7t7T.exe
5056	stealc_default2.exe
2276	newbundle2.exe
3152	8e2c4fa9a5.exe
3272	b02f0c69e5.exe
1572	skotes.exe
2760	MK.exe
4740	Nework.exe
4440	Hkbsse.exe
1548	processclass.exe
2840	Hkbsse.exe
4504	skotes.exe
4152	axplong.exe
5040	225443976d.exe
2696	splwow64.exe
3992	num.exe
5464	a1410d332f.exe
5952	52fa478621.exe
5900	context.exe
5692	Set-up.exe
5800	sadsay.exe
5312	out.exe
1780	skotes.exe
5152	axplong.exe
5092	Hkbsse.exe
5128	service123.exe
4320	app.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	52fa478621.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	8e2c4fa9a5.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	a1410d332f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	b02f0c69e5.exe

Loads dropped DLL 3 IoCs

pid	Process
5056	stealc_default2.exe
5056	stealc_default2.exe
5128	service123.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000336001\\num.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1410d332f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000349001\\a1410d332f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\52fa478621.exe = "C:\\Users\\Admin\\1000350002\\52fa478621.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e2c4fa9a5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000354001\\8e2c4fa9a5.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b02f0c69e5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000355001\\b02f0c69e5.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\225443976d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000332001\\225443976d.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023b7a-395.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
2260	axplong.exe
3152	8e2c4fa9a5.exe
3272	b02f0c69e5.exe
1572	skotes.exe
4504	skotes.exe
4152	axplong.exe
5464	a1410d332f.exe
5952	52fa478621.exe
1780	skotes.exe
5152	axplong.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 4336	1552	gold.exe	87
PID 4276 set thread context of 2848	4276	legas.exe	93
PID 2760 set thread context of 4372	2760	MK.exe	107
PID 2696 set thread context of 5268	2696	splwow64.exe	166
PID 5900 set thread context of 6088	5900	context.exe	174

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
File created	C:\Windows\Tasks\skotes.job	b02f0c69e5.exe
File created	C:\Windows\Tasks\Hkbsse.job	Nework.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2628	1552	WerFault.exe	86
1560	4276	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	225443976d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	newbundle2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	splwow64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e2c4fa9a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52fa478621.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gold.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	app.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	legas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b02f0c69e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1410d332f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	context.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sadsay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nework.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	num.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service123.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sadsay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_default2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_default2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	sadsay.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4436	timeout.exe
4828	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	301	Go-http-client/1.1

Kills process with taskkill 12 IoCs

evasion

pid	Process
5712	taskkill.exe
5224	taskkill.exe
5248	taskkill.exe
3480	taskkill.exe
4932	taskkill.exe
2100	taskkill.exe
3588	taskkill.exe
5324	taskkill.exe
5180	taskkill.exe
3096	taskkill.exe
2120	taskkill.exe
5104	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	newbundle2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	newbundle2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
2260	axplong.exe
2260	axplong.exe
5056	stealc_default2.exe
5056	stealc_default2.exe
3152	8e2c4fa9a5.exe
3152	8e2c4fa9a5.exe
1512	KCr7L9zd6g.exe
4516	niGCLm7t7T.exe
3272	b02f0c69e5.exe
3272	b02f0c69e5.exe
1572	skotes.exe
1572	skotes.exe
5056	stealc_default2.exe
5056	stealc_default2.exe
4504	skotes.exe
4504	skotes.exe
4152	axplong.exe
4152	axplong.exe
5040	225443976d.exe
5040	225443976d.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
4372	RegAsm.exe
5040	225443976d.exe
5040	225443976d.exe
4372	RegAsm.exe
4372	RegAsm.exe
5464	a1410d332f.exe
5464	a1410d332f.exe
5952	52fa478621.exe
5952	52fa478621.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
4372	RegAsm.exe
4372	RegAsm.exe
5900	context.exe
5900	context.exe
1780	skotes.exe
1780	skotes.exe
5152	axplong.exe
5152	axplong.exe
5312	out.exe
5312	out.exe
5312	out.exe
5312	out.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4516	niGCLm7t7T.exe
Token: SeSecurityPrivilege	4516	niGCLm7t7T.exe
Token: SeSecurityPrivilege	4516	niGCLm7t7T.exe
Token: SeSecurityPrivilege	4516	niGCLm7t7T.exe
Token: SeSecurityPrivilege	4516	niGCLm7t7T.exe
Token: SeBackupPrivilege	1512	KCr7L9zd6g.exe
Token: SeSecurityPrivilege	1512	KCr7L9zd6g.exe
Token: SeSecurityPrivilege	1512	KCr7L9zd6g.exe
Token: SeSecurityPrivilege	1512	KCr7L9zd6g.exe
Token: SeSecurityPrivilege	1512	KCr7L9zd6g.exe
Token: SeDebugPrivilege	4516	niGCLm7t7T.exe
Token: SeDebugPrivilege	1512	KCr7L9zd6g.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	3404	firefox.exe
Token: SeDebugPrivilege	3404	firefox.exe
Token: SeDebugPrivilege	4372	RegAsm.exe
Token: SeDebugPrivilege	5712	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	5224	taskkill.exe
Token: SeDebugPrivilege	5248	taskkill.exe
Token: SeDebugPrivilege	1400	firefox.exe
Token: SeDebugPrivilege	1400	firefox.exe
Token: SeDebugPrivilege	1548	processclass.exe
Token: SeDebugPrivilege	2696	splwow64.exe
Token: SeDebugPrivilege	5324	taskkill.exe
Token: SeDebugPrivilege	5900	context.exe
Token: SeDebugPrivilege	5180	taskkill.exe
Token: SeDebugPrivilege	5312	out.exe
Token: SeIncreaseQuotaPrivilege	4540	wmic.exe
Token: SeSecurityPrivilege	4540	wmic.exe
Token: SeTakeOwnershipPrivilege	4540	wmic.exe
Token: SeLoadDriverPrivilege	4540	wmic.exe
Token: SeSystemProfilePrivilege	4540	wmic.exe
Token: SeSystemtimePrivilege	4540	wmic.exe
Token: SeProfSingleProcessPrivilege	4540	wmic.exe
Token: SeIncBasePriorityPrivilege	4540	wmic.exe
Token: SeCreatePagefilePrivilege	4540	wmic.exe
Token: SeBackupPrivilege	4540	wmic.exe
Token: SeRestorePrivilege	4540	wmic.exe
Token: SeShutdownPrivilege	4540	wmic.exe
Token: SeDebugPrivilege	4540	wmic.exe
Token: SeSystemEnvironmentPrivilege	4540	wmic.exe
Token: SeRemoteShutdownPrivilege	4540	wmic.exe
Token: SeUndockPrivilege	4540	wmic.exe
Token: SeManageVolumePrivilege	4540	wmic.exe
Token: 33	4540	wmic.exe
Token: 34	4540	wmic.exe
Token: 35	4540	wmic.exe
Token: 36	4540	wmic.exe
Token: SeIncreaseQuotaPrivilege	4540	wmic.exe
Token: SeSecurityPrivilege	4540	wmic.exe
Token: SeTakeOwnershipPrivilege	4540	wmic.exe
Token: SeLoadDriverPrivilege	4540	wmic.exe
Token: SeSystemProfilePrivilege	4540	wmic.exe
Token: SeSystemtimePrivilege	4540	wmic.exe
Token: SeProfSingleProcessPrivilege	4540	wmic.exe
Token: SeIncBasePriorityPrivilege	4540	wmic.exe
Token: SeCreatePagefilePrivilege	4540	wmic.exe
Token: SeBackupPrivilege	4540	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
3272	b02f0c69e5.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
3404	firefox.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
1400	firefox.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe
5040	225443976d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3404	firefox.exe
1400	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4684 wrote to memory of 2260	4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	85
PID 4684 wrote to memory of 2260	4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	85
PID 4684 wrote to memory of 2260	4684	2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe	85
PID 2260 wrote to memory of 1552	2260	axplong.exe	86
PID 2260 wrote to memory of 1552	2260	axplong.exe	86
PID 2260 wrote to memory of 1552	2260	axplong.exe	86
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 1552 wrote to memory of 4336	1552	gold.exe	87
PID 2260 wrote to memory of 4276	2260	axplong.exe	91
PID 2260 wrote to memory of 4276	2260	axplong.exe	91
PID 2260 wrote to memory of 4276	2260	axplong.exe	91
PID 4276 wrote to memory of 4892	4276	legas.exe	92
PID 4276 wrote to memory of 4892	4276	legas.exe	92
PID 4276 wrote to memory of 4892	4276	legas.exe	92
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 4276 wrote to memory of 2848	4276	legas.exe	93
PID 2848 wrote to memory of 1512	2848	MSBuild.exe	96
PID 2848 wrote to memory of 1512	2848	MSBuild.exe	96
PID 2848 wrote to memory of 4516	2848	MSBuild.exe	97
PID 2848 wrote to memory of 4516	2848	MSBuild.exe	97
PID 2260 wrote to memory of 5056	2260	axplong.exe	98
PID 2260 wrote to memory of 5056	2260	axplong.exe	98
PID 2260 wrote to memory of 5056	2260	axplong.exe	98
PID 2260 wrote to memory of 2276	2260	axplong.exe	99
PID 2260 wrote to memory of 2276	2260	axplong.exe	99
PID 2260 wrote to memory of 2276	2260	axplong.exe	99
PID 2260 wrote to memory of 3152	2260	axplong.exe	102
PID 2260 wrote to memory of 3152	2260	axplong.exe	102
PID 2260 wrote to memory of 3152	2260	axplong.exe	102
PID 2260 wrote to memory of 3272	2260	axplong.exe	103
PID 2260 wrote to memory of 3272	2260	axplong.exe	103
PID 2260 wrote to memory of 3272	2260	axplong.exe	103
PID 3272 wrote to memory of 1572	3272	b02f0c69e5.exe	104
PID 3272 wrote to memory of 1572	3272	b02f0c69e5.exe	104
PID 3272 wrote to memory of 1572	3272	b02f0c69e5.exe	104
PID 2260 wrote to memory of 2760	2260	axplong.exe	105
PID 2260 wrote to memory of 2760	2260	axplong.exe	105
PID 2260 wrote to memory of 2760	2260	axplong.exe	105
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2760 wrote to memory of 4372	2760	MK.exe	107
PID 2260 wrote to memory of 4740	2260	axplong.exe	110
PID 2260 wrote to memory of 4740	2260	axplong.exe	110
PID 2260 wrote to memory of 4740	2260	axplong.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe
"C:\Users\Admin\AppData\Local\Temp\2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 276
      4⤵
      Program crash
      PID:2628
- - C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:4892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Users\Admin\AppData\Roaming\KCr7L9zd6g.exe
        
        "C:\Users\Admin\AppData\Roaming\KCr7L9zd6g.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Users\Admin\AppData\Roaming\niGCLm7t7T.exe
        
        "C:\Users\Admin\AppData\Roaming\niGCLm7t7T.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 264
      4⤵
      Program crash
      PID:1560
- - C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe
    "C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\1000354001\8e2c4fa9a5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000354001\8e2c4fa9a5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3152
- - C:\Users\Admin\AppData\Local\Temp\1000355001\b02f0c69e5.exe
    "C:\Users\Admin\AppData\Local\Temp\1000355001\b02f0c69e5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\1000332001\225443976d.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000332001\225443976d.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5040
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:2408
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ff6f6ce-6d6e-4524-9c69-f549702c5fc1} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" gpu
        8⤵
        
        PID:4816
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbe05744-dd2f-48cf-bda6-270c398fea80} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" socket
        8⤵
        
        PID:1540
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3232 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {772b5852-7f4e-4c2e-8d3e-89dba5270c6b} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab
        8⤵
        
        PID:4952
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 2 -isForBrowser -prefsHandle 3676 -prefMapHandle 3672 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40016683-66a6-4cc7-a38a-bb0e2d1ed63d} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab
        8⤵
        
        PID:5032
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4688 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bd63bdf-83fb-423d-ba74-07a8352f058b} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" utility
        8⤵
        Checks processor information in registry
        
        PID:5504
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 3 -isForBrowser -prefsHandle 3504 -prefMapHandle 5472 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b95b49ca-90c2-4b9a-a1a2-fae7978372bf} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab
        8⤵
        
        PID:6000
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b94fa101-e0bf-4e5d-a57e-98b415e98479} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab
        8⤵
        
        PID:6020
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5776 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1064 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82a5f8e5-1fd9-4461-9629-49dc371ecd3b} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab
        8⤵
        
        PID:6036
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5712
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5224
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5248
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        
        PID:5324
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23737 -prefMapSize 244710 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1051352-72b3-4043-adfe-9d1fafea46e4} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" gpu
        8⤵
        
        PID:5112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 24657 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5248675c-0ad8-4ba4-9de1-10ab5374ce02} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" socket
        8⤵
        
        PID:3096
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2808 -prefsLen 22652 -prefMapSize 244710 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85872a63-f3d3-4e33-a92f-c3572957fb94} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab
        8⤵
        
        PID:6124
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3960 -prefMapHandle 3160 -prefsLen 29144 -prefMapSize 244710 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8abc886c-cf74-4a86-91ef-87d2e229e0e5} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab
        8⤵
        
        PID:5816
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4728 -prefsLen 29144 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ffcae5-73e9-495d-93ab-07dbada80bb0} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" utility
        8⤵
        Checks processor information in registry
        
        PID:5072
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5076 -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26998 -prefMapSize 244710 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e53363ce-c199-4b6d-9a34-e53f28898756} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab
        8⤵
        
        PID:5492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 26998 -prefMapSize 244710 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e8b31ce-fd38-41f5-9b0d-13ecb8207e8a} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab
        8⤵
        
        PID:5512
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 5 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 26998 -prefMapSize 244710 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a94f197-7514-437b-a05d-065bd84089eb} 1400 "\\.\pipe\gecko-crash-server-pipe.1400" tab
        8⤵
        
        PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\1000349001\a1410d332f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000349001\a1410d332f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5464
    - - C:\Users\Admin\1000350002\52fa478621.exe
        
        "C:\Users\Admin\1000350002\52fa478621.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5952
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        
        PID:1232
- - C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe
    "C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4372
- - C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe
    "C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:5800
      - C:\Users\Admin\AppData\Local\Temp\service123.exe
        
        "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5128
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
- - C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe
    "C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start context.exe
      4⤵
      PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\context.exe
        
        context.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:6060
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4828
- - C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe
    "C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im "InstallUtil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5324
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4436
- - C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe
    "C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5692
- - C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe
    "C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5312
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic nic where NetEnabled='true' get MACAddress,Name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4540
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:3608
- - C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe
    "C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA0ADIANAAwADAAMQBcAGEAcABwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAANAAyADQAMAAwADEAXABhAHAAcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABzAHEAZABxAHMAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHMAcQBkAHEAcwBkAC4AZQB4AGUA
      4⤵
      PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1552 -ip 1552
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4276 -ip 4276
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5152

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
c93f2a8eb064b4653e9e5c70eec63b12

SHA1
63eb0d49dbf0cf3111007dccde9994279b5aaac1

SHA256
3bc4697a90db5f59ee5a3fb5a31a7430e6daaa2b3da244c5ff22d82361a8a4fa

SHA512
5684b813cc3261af74e3ffff796c823c4dc2464ce3603118f9c4967affa36fe698480daabe31415de0503d7955a036d0d285d06ca5178fe2e0de603aa1011b32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
f249e70ac2f1a19b38c1301c64fa8e5b

SHA1
cd5a8faa8be8290b9bd3b7ffcbdc489cb1a9d3a0

SHA256
d8d235373ba30b227a4c6b8a7a6d1736404d72e235ed40dcb97a6ddd14f45acf

SHA512
baabc1d0f69d16e2f79a3397e6230001e4c6ebc2786d5394a193584b11a36346737899d39e1a336b41671ba29ec6d1604736aae8f5f07db31150cae9a8f26520

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
ae96bafcc135491c538f7d0fc5f26acf

SHA1
58d4edb37e77c38dfc19f38c0549cb0cabddd272

SHA256
7feb55be844cf8982cc2fbddcd836de8acb35c007c0d9e923538a0b2125f8795

SHA512
d3a063cbc2d236a07d79cd4b926529b86da99b1fa3aab5c02f5807d353fb602be309ca954fafe17dfdf87263eb4d33fe5bd3f73a073f80e223e4fd4d82f75213

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
0103f9bca76bd5ea6d110a7319c3d409

SHA1
a1e8924da9212b4f89cc00f504df794b4f45ee1a

SHA256
b510ee24108b0fac8dea23e01396e82e6e1bde4efe9ccbe5de03606514c61c75

SHA512
a9929d1b02a97f70d25a764fb93edde11663e950f98d852083a3088abb645f84c05f305b23c088c4bb05d4c0baf35b4d5b2243b3bff385abdcb99eefac73bd08

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
0c009c388bdf6d4e31f0de29a237216e

SHA1
0f9fedba288e061baf6b59f90125d9396db5c07e

SHA256
82e825c229c8d21ab318c7bac3260b16b6e9db1b6460f2441d29ed664093496b

SHA512
a2c6c58b43acef3642f4d0d4755c25be278d54f7d1d53d04d3c3e69a5a16080c958261c684edfa7c018bca6f10a3576069e25efe8ecb6615f5ded6300c84848b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe

Filesize
566KB

MD5
049b6fe48a8cfb927648ad626aba5551

SHA1
9555d23104167e4fad5a178b4352831ce620b374

SHA256
b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531

SHA512
ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe

Filesize
1.3MB

MD5
24402fc0617a2740c16ea9c81518d669

SHA1
a0476ef848cd11bb20f8efd06e295a0f44c956ca

SHA256
c02fcc32573f4546201515667154d9e51e2636af52a1790d1063183c0d012566

SHA512
dd90c0036a8a109c5645b481f1bd7b193fa86518183790b75dbc400416793fb8f9e7d4d4621d7c0227cbbf483758a03a94581397686b09c6f65218b651b5bc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe

Filesize
187KB

MD5
7a02aa17200aeac25a375f290a4b4c95

SHA1
7cc94ca64268a9a9451fb6b682be42374afc22fd

SHA256
836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e

SHA512
f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000080001\fikbbm0902845.exe

Filesize
18B

MD5
174ef859dfe296a48628dc40ef8e05ed

SHA1
59a0e43e3ae9c8f638932b9cf83bf62ad91fb2b7

SHA256
84520353f099eee2117b00aa16cde461e573a835e8ddd64334efd871d4ce292c

SHA512
c6d0e9d1842a4ce05929f8941b8e30729567626cf1594f3b11958cde9347e1d8e8cde5f9f9584953122fd035fedec0b09c0bd184abc0f33eac4862d85e164ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000081001\sadsay.exe

Filesize
7.4MB

MD5
735bb5f55a17215700840c04a8b40a03

SHA1
55e0828c6d08653939eee2b1af8fd737e92266c4

SHA256
5ea6a5e3bc6c02cc41637028050c3738c38a07917e373637928b314c5d22f84d

SHA512
7e742677e35099d8cd4a5163eea6633e3ec7deeb4840aba1f8adad8f0022e72f7416ac6367802eceab8f9f2e9dd04e1546b141e911495d025b98575a92f3865c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000254001\red.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000322001\newbundle2.exe

Filesize
304KB

MD5
58e8b2eb19704c5a59350d4ff92e5ab6

SHA1
171fc96dda05e7d275ec42840746258217d9caf0

SHA256
07d4b7768e13d79ac5f05f81167b29bb6fbf97828a289d8d11eec38939846834

SHA512
e7655762c5f2d10ec246d11f82d437a2717ad05be847b5e0fd055e3241caaca85430f424055b343e3a44c90d76a0ba07a6913c2208f374f59b61f8aa4477889f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000332001\225443976d.exe

Filesize
898KB

MD5
8eb80d6a4bf81ccc902a45a404c7ed9d

SHA1
94bd95a6c577963d3608de4b659c892aa4013f84

SHA256
98cdc2aed91cb1294429e43cebfe79adfe311761db9b00ae74ce4b424e38e808

SHA512
95ccca01f61452d25c34f05525d1a2d5e63b61ce62402e06ed9d6be26aa4621041d6480ef310356fbff4dac0b311e57b03cdf3b527238a14b598def1e53696e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe

Filesize
307KB

MD5
791fcee57312d4a20cc86ae1cea8dfc4

SHA1
04a88c60ae1539a63411fe4765e9b931e8d2d992

SHA256
27e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d

SHA512
2771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000349001\a1410d332f.exe

Filesize
1.8MB

MD5
8bf0d4785c3b0a19bb39b04ec92dd194

SHA1
918d36638f5fd4047d9be21b47eb1b759c7791cd

SHA256
64ebff6e8bc8771871fc410bbda0c6ceef6ffde7c01714913e69f074d3d94210

SHA512
368af90055d7d2c435f03cc0e48490c0cf672d3746d05a06ef8a7577b8d34924a0072a19937640d87a858346f83ba4cd5ed53ff5ac9d2e7ce2091aa38b60e3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000354001\8e2c4fa9a5.exe

Filesize
1.8MB

MD5
caf461eb8ed93f9c6693644c9a00bf91

SHA1
bde1937a55f1aba923ef6710d56585192aa29f66

SHA256
bd7cb47cbacea170edf4777a5d5d592493f8bdeb475b25cde03208bd49eae092

SHA512
ddb8711e95899cb09798f0add44805ed5aa90c1ca80e94fa73fa42568c07c9aa93dca21ff0db314fead43d84ec87583d9b8c6e7d1799daa8e3a58befdf678642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000355001\b02f0c69e5.exe

Filesize
1.8MB

MD5
f69f1b099abe6b8ec4d6319db86fd01d

SHA1
374021521d524c3c4e8e54937eb21b1982511277

SHA256
f7352c0de9fbd32c95498fa67702ae6c63c11f9a1145161a850df4bd8272bdab

SHA512
edc4b8d8171de84234379bb1a4658aef0c1197b584f5b035779fae7689695edf05675b3578342c893383e3b18a5bdd35cd598da3e2847873c29946414695ca0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe

Filesize
314KB

MD5
ff5afed0a8b802d74af1c1422c720446

SHA1
7135acfa641a873cb0c4c37afc49266bfeec91d8

SHA256
17ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10

SHA512
11724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe

Filesize
6KB

MD5
c042782226565f89ce3954489075e516

SHA1
256dd5ba42837a33c7aa6cb71cef33d5617117ee

SHA256
a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6

SHA512
9f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe

Filesize
1.1MB

MD5
ed9393d5765529c845c623e35c1b1a34

SHA1
d3eca07f5ce0df847070d2d7fe5253067f624285

SHA256
53cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a

SHA512
565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000421001\Set-up.exe

Filesize
6.3MB

MD5
65eeea19b373583f916bf3070acbfd58

SHA1
78ce3479d5d0148ba855d89ecb48a3f0c12d9957

SHA256
c671e33f6757cef930713d2e4efeb8642177675e95fc05de92e124213022a00b

SHA512
f726327e977a85dcc3b0c217a8dacc9cd375bbe3f238558c9b9adf35233c0b4959e6014ff46bf742a7a822e4fe757d4f3bcc1e63709c6ec4c84c29c1f47483c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000423001\out.exe

Filesize
5.5MB

MD5
f2930c61288bc55dfdf9c8b42e321006

SHA1
5ce19a53d5b4deb406943e05ec93bc3979824866

SHA256
d3a53533949862449edb69c1916bf56681e3f2ec3a1c803043b1f3b876698603

SHA512
67a1ea68fafae8c7c9da322b7c5821e5cc78fcce3c9454a552a13ebc812bec334f60533991147b0b95151ade77ff2fbf244945f8318b48082173b64c71e6308f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe

Filesize
20.4MB

MD5
7172ee8de6490094d4a5112eceaaaa90

SHA1
46a82d7628f31d91fb883056dfbd4d15d26bbd77

SHA256
11cabbb368deb30bc1f45feb6509b222c2b360707ff31c8b1e056c617477f28e

SHA512
91e2da0921f8d2596ac2e99e91b108e4d7dba6a97800c775bc9d9b4411fae3b7f0d811f48b107054664aff69c7cdd2c052220960cec9c525470f7266de5780d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\227495264221

Filesize
96KB

MD5
a8991c4387f8cbafe6979b1155ddf833

SHA1
698f50cff86972759b5b1b9b7f3c4f4f39c2c9c8

SHA256
cabfe360ff2f121f166bfd31510fe01a19bddb74e8e3b0596588171032c40956

SHA512
4f35aa77c9c89d91311dbc369cc372d22b253a3f2e23373b675f959d9435c0930a23c1f9f865505ec86ea5b5b964614371faad181ec287e4c20067e5739b99f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
1a1ac94cc27bf21fa3f542a09658a2c7

SHA1
d0242b0a3a14d9d12c84ed6552b8e1e0280a41c0

SHA256
2bef7f94ae35ae24ec6580311d98315cf34e82402ae1f71396e17d03250ccc61

SHA512
5209536829cd3052f20169719fa80486398115149fddd3943653f53f17357dbecc0a44a240e72793a390e040619db8b1e5daba02d4cfdd98e712f831c2902228

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp8922.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\KCr7L9zd6g.exe

Filesize
602KB

MD5
e4fc58d334930a9d6572c344e5129f6b

SHA1
d38fbd0c4c86eee14722f40cc607e2128c01b00f

SHA256
973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a

SHA512
a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\76b53b3ec448f7ccdda2063b15d2bfc3_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3

Filesize
2KB

MD5
f5cbe064adea2419442b5f68c5435738

SHA1
5c657b9ed74a6f886dd22d11538e1cfc838e5fa5

SHA256
06f0fd3a21a6284780167167ea5da945e715a0613933b1b50c8e6e51fae9cd8e

SHA512
2c4d2ed32cafda2ff8733536d274053da425f4cce89ad833e9e2e066faf47e5e2cf5bce80f69a66d2ba5b25d7a1d1f276b2a85f6cc4a8271b0aa704d6e966c53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
7KB

MD5
72f6836cc4befef05c152a19c7e6f2bd

SHA1
129355611290d8fe3345696796e4c01ee81718f1

SHA256
9dc4bbc8ec8087cb0c00971ed396318637f3592cc705b64b8ce53461c8e3e44a

SHA512
54be0f419ce201f8e93d863439e487039673bb4f2a7f419ce5549ebcb1f73c96aaf88d1e205d3995adbb8c4f53e9287b6d7aac61832239a24458110b643b0bf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
12KB

MD5
054a153dd82aac655338406a943b2ac5

SHA1
50de25b85d4029b29f43fd4d06aee173cd833809

SHA256
4124451f623c737d6fcaf8e1feabbb37ce6e9edda4e7769187f10430188a2d0e

SHA512
34c52492cf68853ee403e364f2218cea5f086224b5827034de83cbf35fc5410d5421c22c080cd41ee4ab66dd21c5317dd2ad06238098ee15b242dfc0afa76166

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
13KB

MD5
8e197e0ec85c19ec0a8c88365a117c22

SHA1
aaf5dd3e44882e487bfd03bea3a9f2e02fbdf86d

SHA256
a3ed26d825254bf9379ce339f4100e622b9a093e47dcdb4854bf7c03809a0379

SHA512
51b92d55a62cac713b62f67f3a38c741c28a1fb31140916ad71407aa1c72d80cea352cf09deeb210bb6106b9934aba12b82c7f8058393c95b1ec668955823ee1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
5b94ab00ff1f66ec557653f606388c7b

SHA1
e053759847005afcdd7feaea367facca004ffe9e

SHA256
e030b84103dfe14fda629d86feec45d7d48a90fbf8d6c852e2506c191fba3ea8

SHA512
c2ad04c5ae69dbc758e1883445d2f0c8d363692613864e694187f47a5ad1c875f5a1e4d2ee6ac663149bf8386bce4a5225a2fc3d0adf1f8f2dd4e1d507e3a12e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\cert9.db

Filesize
224KB

MD5
463879a55941fb5cd34ace6731bd884a

SHA1
4b78fb5dd5cdac13a55b65a99afb07f8134b6cf8

SHA256
432df783f9716f486803e9b3633664bc79eff4ebf0f74c69119f29627366f6da

SHA512
cfa5782a96cd173478ff21b627d13fc7e75cd8f412a53649eb4cc86f6fda56a19a67226a2e9488913e6ba0f10ab83a34418ef5b7a6a0830095f252a7eb7a8739

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\cookies.sqlite-wal

Filesize
64KB

MD5
1a464a0df790397a369f8c0788fa0541

SHA1
424d712ba9ddf73b5385eaf50b30bd98ed241e90

SHA256
31017469f9e3aaccffe3c2ea1cc62e506c6659ab76f6f7f3001fa0ce0404a4af

SHA512
0f168f159341a16a3556c9e482e0d89c8cbfa6b85d95d26f189343a27eab376e708443a8d796755aa823c51bf4105cbe5043a36ce74f3c1fb5c18c8a853a0db2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
4ccf1527ff0f3f468ba3aa241d3a63b6

SHA1
60124bb5196b5800f7f450e7a6ba08640355bbf6

SHA256
3a454175a0adefc6368c07361cc05f2d5805531c21dfebce3b8a0d140100a589

SHA512
5cf46be6f398a7c96daa29a7e22a04b9df6a4938b8a7e0be69360793e969fa793822f8d17ecd32235781e9f52aaf3243213759d674335dd6298a90efd5f47377

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
4b0a57b2da77f9ff07763fed8372807c

SHA1
d0e30f7ca7d36204a0d995de7ab5ab7fcba99a64

SHA256
343768648d029e444477b919fab320fe22b02d3503c647f5b2797007aecb7c92

SHA512
742d20ac0ccb742f567133c7de7efef6ea58549b9f23eec5e58477cbcbd2c3a2e2cde5ca447fd9276b63a4c8c2a0d52395a9ba5529a1d8e938dfd2d752029e37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
0e4a78174e99cbd3a5fc2bb1cd82d1f2

SHA1
06d773613bff8613c12b63a45f406b1777654737

SHA256
ea38332495e26cf0e183dcee7ded5f7ec76a645f12e2409910827acae9e670cf

SHA512
051ce8e951cbd4fd58a844946a32cea2b254e8c8e2804f7311dacc48d10856f6b0228cac764e360faed9d2d2585583fe0c56e270718b088815aa310b3fc486ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
d7322a4104de196a240fda011ea1966c

SHA1
7e44abfda0a6c8414c609661ca541e03e2709c24

SHA256
bf5c0f116ddde86214212a8449ae551228992defc8bfc8e2500ad26331fbc513

SHA512
3931c11fa02849a728f1f6449a249f6e10b956e984e635ace5fcca9ded4c9cfa0f00f13b547eef7f621c70db7ef3c9d2066f9bdaa31a5d2e5f2ecdeffd0a72b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
c7a66aca45bc9c5a0744055db21ad897

SHA1
507a183adb88cac0e131d0c82ce668dcbb9f17b3

SHA256
f420b09bb29f7dd7092db50dd35664b22184461258eda4ec91af0eedeb78eb6c

SHA512
5a4bd4c7deaa541af95adada8e68eee00b120829cd4809677f1b451c08c1e9c8b27112bc445c4456b0a646cdb7210b1912e2423f65835e82e10a82e9740fc333

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
a70dbda0d1bc0750dadffa80caa5ea39

SHA1
1b5b5a8230e8796f5f451e1ce41002be1bc1343a

SHA256
b19fef5b3eb03d38ddb2244a152da2a98849ca81f34c2720e97388b81c9e08d2

SHA512
2a6758582a2873630adaf685faee96b933da05ce0079435066c6d9b578a3815b6263d93578ba752b7a80277b776542f6b4c2493273275b99f86cc73bcc07df69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
9a1fd0350ebe08ff1d246b1cff7b0ca7

SHA1
36b14238dc2c126d6a2202bb134bee5961620b2a

SHA256
3c80360d106164d3868e54972ee02742c69bed09105bddcc9224b9160218cfde

SHA512
d18df5c3c8ef0a3ea2c541aac928769c6fd6b94552855a5da300f9e0dc74328858b89aa9744c96dbbaaba0bdb8867600b28b7b8f15e9033159d7bc7daadd1d06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\events\events

Filesize
104B

MD5
defbf00981795a992d85fe5a8925f8af

SHA1
796910412264ffafc35a3402f2fc1d24236a7752

SHA256
db353ec3ecd2bb41dfbe5ed16f68c12da844ff82762b386c8899601d1f61031d

SHA512
d01df9cab58abf22ff765736053f79f42e35153e6984c62a375eb4d184c52f233423bb759a52c8eed249a6625d5b984a575ca4d7bf3a0ed72fc447b547e4f20a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\0408b5cc-1634-4e69-9751-6d1970f0698e

Filesize
982B

MD5
e656576b5dd2ca0043000b94e4bb2a63

SHA1
3efc087d0126ec8f6c18ea5bf6a071a742adb23a

SHA256
c02a3903898bbd992c95d05f64c74c12ff0796b71dff0a0cffa1314b6d6ea193

SHA512
3509ff496e6a6f494ca2b10d07beda1330d9df1e82de5c5c2bfa23f4315e785f2976fc207453686016359e60b8725653a9cee55cec2cd3b7661920c61573136e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\3773bd48-0706-460c-9b12-59d62c9a6d2d

Filesize
661B

MD5
427177dc3ee935d7b7865c2e518a716a

SHA1
c0fe20493130833519f237f61695d24ee3c011cc

SHA256
7ddbfad4b86650dda73e14b13dc753f0cc36ab3400d6d459ddc0ff9076cd1c34

SHA512
48d765055ab75eda6b479f1b040a3a8968b3fab15bc53146f6490a8dfe1b9bbc54605dfb504164a6541999f3b357ba01892d31779607a6434e3b0e744d711e1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\7cc6e110-2379-4bec-b690-e34d9d6642f7

Filesize
905B

MD5
65f4b5bb807909b3c078f956e152e378

SHA1
06612e1a675fa2a68a42416123f752164ca5ea76

SHA256
fba5c764ae1b70305d89312525ba2878622266a949390f2d2e42ef8f4281ab87

SHA512
780724c843412cbef0d27e2e12264da5da824b15e89d431306ea98223f99bb61f5416296924b3dd3c4aaf44bdc00d62235ee2d38e276a7106b8a651f038181c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\85c3eb31-4424-4149-9ba5-92bd1bef3e15

Filesize
792B

MD5
982f8a24b97852797135c2188b27d7f7

SHA1
dc2ae0defc49d56902a0d390896a1f539ba238c0

SHA256
71fc89b889359910734bf41730a41f7d58f1a4a95db26f885a282eaa1cb5dd29

SHA512
153ececfde6494767cd69fe3a7316c467b37b137f93fa0bd7c1a31612149fcb970b5207c9b2adfde87b4094458c00c336512ce7ac5dd8518422a93bb7470e885

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\add98fa1-ae5c-4415-9855-e7e36d908ad9

Filesize
653B

MD5
fe0312a12810a188ee13e412148e14fd

SHA1
efc859556bf6a61b662b7af7530db5bf6af33184

SHA256
a976a154b378b90041c9a37aea79daed3e694e9b4deb1bec71e2787a572efde5

SHA512
f3bb94a208268d6c536c59227bd929cfc30f48ea981f3eb614862e92e5ff54b09064088f893264acb564473e03f334fe5da27596f2f4a6d7e60077052c45c5cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\db857189-7f89-4e9b-8e4e-45d8caecf477

Filesize
659B

MD5
8a4b40e3669af0cc55d887df6abd30b4

SHA1
06346bdef8262570bd76a6939a0d5c2a915e3d2c

SHA256
1b0a10f47d16a0eb3f3f47f4997e46fc9948b43d238f15a1c01e91efffc5ee0f

SHA512
4484a3f0d3a53e30c0bf8a577bd980bcccfdd6f5b15b3890721a6aab1a51e683bf335cb6fc6f965fc354266fc17d981ceb36cef9b0feff7e95cb8cd62b33fa90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\permissions.sqlite

Filesize
96KB

MD5
c80d0218116bd3d349f782e0d6af0954

SHA1
b59711fd27d8c850687d883a78cfe744ce423a45

SHA256
91c0455743ac36cdae05b7d690b0a4ac660a177a56b1431cf96a043354fe8a86

SHA512
9440ca32d5b14b110f24e39fd960a5780f8a7415b23837b8250e0363d4b5bad4ac9dddbc6a6eeee821a6689d66b1680d76d676be82b0433e044d682d7ba3920e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\places.sqlite-wal

Filesize
2.0MB

MD5
148d4a63b66cc4250949674e69bf4b74

SHA1
1a45fa0cb0a7a03f36d50fa259d44975c6564edc

SHA256
d8b9a60538974fa1ec04554868bfd2f57f6e092d3e6375f7545998f397d0a4d0

SHA512
dc2145228e757b88d1034dd4bdb5a39d7c2d8b5a528e9d08f884c654f76f61ede2808344eef4be435531de53ea545cf9a0f2391786e4104f5053134639013746

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
12KB

MD5
1b10fd97cf1fdba83274dfdd1b98819e

SHA1
959ad16b1f2aab1fb7f117b7b5175421c4ddafee

SHA256
9529ddf4de23217c799f19150323026d02401e0e686e45bac0592258e0e506fe

SHA512
92d1b4701eb4169f53e2d0c98660ae8041eb54f5ba6754576f20b269070ed7abc5c0b08a1652c2c4ad095ac7dea0cdecf5b4296dce5877e350420dbe36639980

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
11KB

MD5
eef23bee423500ea6972e5ece6939538

SHA1
39f8b159a08d10ab061d85775f812cf860d0fc15

SHA256
50c1c35568b1a603638541e4e4cedd68ba61c878e6fc0666273cd32eed1d43d9

SHA512
3b46d56d9129cd6d69012129a973cc4ec6c7ccc02193a401f02e0fc5dea354e1705c45ae13ca2c79d135595c03aba3214786e5628db4e9b50ae1358599ff7b8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
e00c8857017e89084d62e78a6eb0580c

SHA1
1438ce92a7efa63e7361661a3bd01acd34d758f8

SHA256
f7f0334def855672c1af70af23735ddd7b85a0ab6b8a355c93cf81c477403924

SHA512
78f758717cbd107246f31f4b7fcfc16e7e88e653be8fda13ba09b30f26583429486ff69eaefd28f3378ac74b982667fea0171b1eab2d198dfedb2df3be510230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
11KB

MD5
12404860e1c4a8dfd59bdf8b5de5cc07

SHA1
3b8259a7db5c2bc142273db936d34aec8e8cfd11

SHA256
8bde7528f5e7017163b7c695cee873118d29f70d67614bcd1c412b9fca4b3fe5

SHA512
398a15c0a604032785d809a333a6400abe536ac8b026beac9a2ab11f18c70872424cf4f6675b9120845b82cf83ebc8aafaac179f0723ef71a8954f0815cd1c53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
11KB

MD5
8e643cd3da39472e18f236c790a79758

SHA1
21e1c06bc882c09b6937e382e6e6526cb0012d8d

SHA256
2197a6fdc78a58fc8fa1227c317a1c830a698f1cd950bb873423df76a10887f0

SHA512
971821d39ca485d36090d554e7adf1a72146a40e9b6ae077aa0f7b83dff3f74a7368918842119567b5587c938443e9775d916e3485f9dc73b33e96ce347f7b77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
1b0094978eb251086dc17232dada592a

SHA1
7bbdb00b3bdb1c06b69a79aebd4dc8ac6ebe1141

SHA256
b073c51c404c26027aa2628f9fe1e139e46dbf80e1c1b4c80cc2e81f42fdd5ca

SHA512
980e44e4944130402ff6008e4ab1f31422cb7024c8dca49944bcb963f3a4d7ea7fb8d9123a9d1dc44d9574f6be4c41dc0bf70d7d04de8f577c3f65255812a81c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage.sqlite

Filesize
4KB

MD5
059b2ff6f7d80594a2c3ddf610eeb76c

SHA1
8a7709265c0067ac4371ebeb62b93fd2407f8a1e

SHA256
1f15aa35b799dc7de17cb71291a4bc96a942048fa4f8ae43934ecfe5ff6c4a1b

SHA512
e717c5dedb0d456fea52b70c4f7def798612bc64e3541fd444d53ccc2b1078a8bb100f3563bef7201353c01c600f66e891883931edbfdc7a748aad347ea7c911

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
ba46e8cc0604ce9807f9798bb4b9b070

SHA1
84260bbe32122c7f654f0d800380aa133065c472

SHA256
28e52b0caaeb5aa88643826cc0fbd11cbdc1af828c0a8e9850354d96b66cb06b

SHA512
e78b51e90701fa39c065cfab85fce23e410e97d4533ca4e9f7f884c2bef12901ccdcfbb15d9f7e0e37e19247daa722f8cdbd7aa1458ec52e7fdb722980d6f087

Download Submit
C:\Users\Admin\AppData\Roaming\niGCLm7t7T.exe

Filesize
393KB

MD5
7d7366ab79d6d3d8d83d13a8b30de999

SHA1
75c6c49a6701d254c3ce184054a4a01329c1a6f3

SHA256
3d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465

SHA512
64f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
48c9fe1757ec5826b0b3b2675a59b0f8

SHA1
6a4670a34ed716d0264d93051de150365b97ed9e

SHA256
2577efea8c9909f139ef4d2c785b6463592bf5214c2b45ac7bf8c1a686947fa6

SHA512
314351a0f270291c9ae0ac41fa461e5190b8b8db1affa04c971cdc437cea5925dbfd4fc0124ee39225205fbc20dd3ec635e9761727fa765a85756f9ed95e7014

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
84db1929db1092130aef5b7034236856

SHA1
a2f4760cb706242d6f73de4024bfdaf440281960

SHA256
3f347f3b09871bf460102a9e5c612a47d3f2bac6d5a9512a0498781d833576ca

SHA512
84d410b3bb3002eca58704210e673a5c3087dd71f204fc8abd4fc7b22b686be9dccebcffabd84a258a0782b7aa8026aa5efdb25ae0dede7073551c19205a3e16

Download Submit
memory/1512-95-0x00000000002C0000-0x000000000035C000-memory.dmp

Filesize
624KB

Download
memory/1512-206-0x000000001D560000-0x000000001D57E000-memory.dmp

Filesize
120KB

Download
memory/1512-225-0x0000000020F40000-0x0000000021468000-memory.dmp

Filesize
5.2MB

Download
memory/1548-381-0x0000000000060000-0x0000000000068000-memory.dmp

Filesize
32KB

Download
memory/1552-43-0x0000000000537000-0x0000000000538000-memory.dmp

Filesize
4KB

Download
memory/1572-1163-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1572-1199-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1572-1904-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1572-285-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1572-1251-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1572-785-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1572-449-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1780-3084-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/1780-3068-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/2260-20-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-160-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-120-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-19-0x0000000000591000-0x00000000005BF000-memory.dmp

Filesize
184KB

Download
memory/2260-229-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-16-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-172-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-1472-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-237-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-21-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-1181-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-22-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-390-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-111-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-1217-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2260-823-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/2276-168-0x00000000066F0000-0x00000000067FA000-memory.dmp

Filesize
1.0MB

Download
memory/2276-142-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/2276-139-0x0000000000490000-0x00000000004E2000-memory.dmp

Filesize
328KB

Download
memory/2276-140-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/2276-141-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/2276-159-0x0000000005B80000-0x0000000005BF6000-memory.dmp

Filesize
472KB

Download
memory/2276-164-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/2276-167-0x0000000006BA0000-0x00000000071B8000-memory.dmp

Filesize
6.1MB

Download
memory/2276-169-0x0000000006630000-0x0000000006642000-memory.dmp

Filesize
72KB

Download
memory/2276-170-0x0000000006690000-0x00000000066CC000-memory.dmp

Filesize
240KB

Download
memory/2276-171-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download
memory/2696-431-0x000000000B710000-0x000000000B794000-memory.dmp

Filesize
528KB

Download
memory/2696-428-0x0000000000BB0000-0x0000000000CC8000-memory.dmp

Filesize
1.1MB

Download
memory/2760-305-0x00000000000A0000-0x00000000000F4000-memory.dmp

Filesize
336KB

Download
memory/2848-90-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2848-69-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2848-68-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2848-70-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3152-236-0x00000000001A0000-0x000000000083C000-memory.dmp

Filesize
6.6MB

Download
memory/3152-380-0x00000000001A0000-0x000000000083C000-memory.dmp

Filesize
6.6MB

Download
memory/3152-451-0x00000000001A0000-0x000000000083C000-memory.dmp

Filesize
6.6MB

Download
memory/3152-204-0x00000000001A0000-0x000000000083C000-memory.dmp

Filesize
6.6MB

Download
memory/3272-286-0x0000000000210000-0x00000000006D2000-memory.dmp

Filesize
4.8MB

Download
memory/3272-255-0x0000000000210000-0x00000000006D2000-memory.dmp

Filesize
4.8MB

Download
memory/3992-450-0x0000000000D50000-0x0000000000FB1000-memory.dmp

Filesize
2.4MB

Download
memory/3992-821-0x0000000000D50000-0x0000000000FB1000-memory.dmp

Filesize
2.4MB

Download
memory/4152-389-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/4152-386-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/4320-3677-0x0000000007E10000-0x0000000007F3C000-memory.dmp

Filesize
1.2MB

Download
memory/4320-4755-0x0000000007FD0000-0x0000000008076000-memory.dmp

Filesize
664KB

Download
memory/4320-4756-0x00000000081E0000-0x000000000822C000-memory.dmp

Filesize
304KB

Download
memory/4320-3676-0x0000000000DF0000-0x0000000002256000-memory.dmp

Filesize
20.4MB

Download
memory/4336-46-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4336-44-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4336-47-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4372-430-0x0000000006630000-0x0000000006696000-memory.dmp

Filesize
408KB

Download
memory/4372-787-0x0000000009450000-0x00000000094A0000-memory.dmp

Filesize
320KB

Download
memory/4372-312-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4372-786-0x0000000009BA0000-0x000000000A0CC000-memory.dmp

Filesize
5.2MB

Download
memory/4372-784-0x00000000094A0000-0x0000000009662000-memory.dmp

Filesize
1.8MB

Download
memory/4504-387-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/4504-384-0x0000000000D40000-0x0000000001202000-memory.dmp

Filesize
4.8MB

Download
memory/4516-161-0x000000001DF30000-0x000000001E03A000-memory.dmp

Filesize
1.0MB

Download
memory/4516-162-0x000000001DE40000-0x000000001DE52000-memory.dmp

Filesize
72KB

Download
memory/4516-163-0x000000001DEA0000-0x000000001DEDC000-memory.dmp

Filesize
240KB

Download
memory/4516-224-0x0000000021010000-0x00000000211D2000-memory.dmp

Filesize
1.8MB

Download
memory/4516-94-0x0000000000F20000-0x0000000000F88000-memory.dmp

Filesize
416KB

Download
memory/4516-205-0x0000000020590000-0x0000000020606000-memory.dmp

Filesize
472KB

Download
memory/4684-4-0x0000000000FC0000-0x000000000147B000-memory.dmp

Filesize
4.7MB

Download
memory/4684-2-0x0000000000FC1000-0x0000000000FEF000-memory.dmp

Filesize
184KB

Download
memory/4684-3-0x0000000000FC0000-0x000000000147B000-memory.dmp

Filesize
4.7MB

Download
memory/4684-1-0x0000000077DD4000-0x0000000077DD6000-memory.dmp

Filesize
8KB

Download
memory/4684-0-0x0000000000FC0000-0x000000000147B000-memory.dmp

Filesize
4.7MB

Download
memory/4684-18-0x0000000000FC0000-0x000000000147B000-memory.dmp

Filesize
4.7MB

Download
memory/5056-112-0x0000000000480000-0x00000000006C3000-memory.dmp

Filesize
2.3MB

Download
memory/5056-350-0x0000000000480000-0x00000000006C3000-memory.dmp

Filesize
2.3MB

Download
memory/5056-181-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/5080-4760-0x0000000002BD0000-0x0000000002C06000-memory.dmp

Filesize
216KB

Download
memory/5152-3069-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/5152-3082-0x0000000000590000-0x0000000000A4B000-memory.dmp

Filesize
4.7MB

Download
memory/5268-1185-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5268-1184-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5268-1183-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5268-1192-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5464-803-0x0000000000D00000-0x00000000011CF000-memory.dmp

Filesize
4.8MB

Download
memory/5464-804-0x0000000000D00000-0x00000000011CF000-memory.dmp

Filesize
4.8MB

Download
memory/5692-1430-0x0000000000400000-0x0000000001067000-memory.dmp

Filesize
12.4MB

Download
memory/5800-1231-0x0000000069CC0000-0x000000006A377000-memory.dmp

Filesize
6.7MB

Download
memory/5800-1683-0x0000000000F10000-0x0000000001687000-memory.dmp

Filesize
7.5MB

Download
memory/5952-822-0x0000000000A50000-0x00000000010EC000-memory.dmp

Filesize
6.6MB

Download
memory/5952-820-0x0000000000A50000-0x00000000010EC000-memory.dmp

Filesize
6.6MB

Download
memory/6088-1260-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/6088-1258-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/6088-1307-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download