Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/11/2024, 06:57
Static task
static1
General
-
Target
44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe
-
Size
1.8MB
-
MD5
9a612228c9f2ed059ed4d47809793b1d
-
SHA1
50bfcb257336d3251865f07f69f65591a2bd41bb
-
SHA256
44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896
-
SHA512
ed1381301bfa27e39a2c92f54462f75d96dfe3753254c1532d788f149ff9bd448fb0c75269d092b65df6003b400801aa86f8a3c3f534c54fe9b9a8ac810f9d53
-
SSDEEP
49152:hTJbkWiqmN/uVQe62Bx096bkOn108UIX:hTRVmNaQerBx096bplLX
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://push-hook.cyou
https://property-imper.sbs
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://push-hook.cyou/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 7da9e2c7cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 7da9e2c7cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 7da9e2c7cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 7da9e2c7cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 7da9e2c7cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 7da9e2c7cb.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 3528 created 1200 3528 AddInProcess32.exe 21 -
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF bc4113c669.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bc4113c669.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 05f1bed00a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d9d72b2ebd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7da9e2c7cb.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2388 chrome.exe 2700 chrome.exe 852 chrome.exe 1736 chrome.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d9d72b2ebd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d9d72b2ebd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 05f1bed00a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bc4113c669.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bc4113c669.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 05f1bed00a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7da9e2c7cb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7da9e2c7cb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Executes dropped EXE 12 IoCs
pid Process 2916 skotes.exe 2040 x4lburt.exe 556 computerlead.exe 1492 vg9qcBa.exe 2948 vg9qcBa.exe 1672 VBVEd6f.exe 2084 Mesa.com 1316 bc4113c669.exe 1952 05f1bed00a.exe 884 d9d72b2ebd.exe 1552 a608ee9925.exe 3212 7da9e2c7cb.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine bc4113c669.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 05f1bed00a.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine d9d72b2ebd.exe Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine 7da9e2c7cb.exe -
Loads dropped DLL 13 IoCs
pid Process 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 2916 skotes.exe 2916 skotes.exe 2916 skotes.exe 1492 vg9qcBa.exe 2916 skotes.exe 2436 cmd.exe 2916 skotes.exe 2916 skotes.exe 2916 skotes.exe 2916 skotes.exe 2916 skotes.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 7da9e2c7cb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 7da9e2c7cb.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\05f1bed00a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009543001\\05f1bed00a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\d9d72b2ebd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009544001\\d9d72b2ebd.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a608ee9925.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009545001\\a608ee9925.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\7da9e2c7cb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009546001\\7da9e2c7cb.exe" skotes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" x4lburt.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000700000001227c-855.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 932 tasklist.exe 2196 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 2916 skotes.exe 1316 bc4113c669.exe 1952 05f1bed00a.exe 884 d9d72b2ebd.exe 3212 7da9e2c7cb.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1492 set thread context of 2948 1492 vg9qcBa.exe 37 PID 556 set thread context of 3528 556 computerlead.exe 89 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\CoCurious VBVEd6f.exe File opened for modification C:\Windows\RipeHaiti VBVEd6f.exe File created C:\Windows\Tasks\skotes.job 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe -
pid Process 2784 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7da9e2c7cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc4113c669.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a608ee9925.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vg9qcBa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mesa.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d9d72b2ebd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language computerlead.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBVEd6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05f1bed00a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vg9qcBa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Mesa.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Mesa.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3368 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 1400 taskkill.exe 2840 taskkill.exe 2396 taskkill.exe 3032 taskkill.exe 2400 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Mesa.com Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Mesa.com Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 vg9qcBa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a vg9qcBa.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a vg9qcBa.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 2916 skotes.exe 556 computerlead.exe 556 computerlead.exe 556 computerlead.exe 2084 Mesa.com 2084 Mesa.com 2084 Mesa.com 2784 powershell.exe 2084 Mesa.com 1316 bc4113c669.exe 1316 bc4113c669.exe 1316 bc4113c669.exe 1316 bc4113c669.exe 1316 bc4113c669.exe 1316 bc4113c669.exe 2084 Mesa.com 2388 chrome.exe 2388 chrome.exe 1952 05f1bed00a.exe 884 d9d72b2ebd.exe 2084 Mesa.com 1552 a608ee9925.exe 3212 7da9e2c7cb.exe 3212 7da9e2c7cb.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 3212 7da9e2c7cb.exe 3212 7da9e2c7cb.exe 3528 AddInProcess32.exe 3528 AddInProcess32.exe 3528 AddInProcess32.exe 3528 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeDebugPrivilege 556 computerlead.exe Token: SeDebugPrivilege 932 tasklist.exe Token: SeDebugPrivilege 2196 tasklist.exe Token: SeDebugPrivilege 2784 powershell.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeShutdownPrivilege 2388 chrome.exe Token: SeDebugPrivilege 1400 taskkill.exe Token: SeDebugPrivilege 2840 taskkill.exe Token: SeDebugPrivilege 2396 taskkill.exe Token: SeDebugPrivilege 3032 taskkill.exe Token: SeDebugPrivilege 2400 taskkill.exe Token: SeDebugPrivilege 2532 firefox.exe Token: SeDebugPrivilege 2532 firefox.exe Token: SeDebugPrivilege 3212 7da9e2c7cb.exe -
Suspicious use of FindShellTrayWindow 52 IoCs
pid Process 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 2084 Mesa.com 2084 Mesa.com 2084 Mesa.com 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 2388 chrome.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 2532 firefox.exe 2532 firefox.exe 2532 firefox.exe 2532 firefox.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 2084 Mesa.com 2084 Mesa.com 2084 Mesa.com 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 2532 firefox.exe 2532 firefox.exe 2532 firefox.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe 1552 a608ee9925.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1644 wrote to memory of 2916 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 30 PID 1644 wrote to memory of 2916 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 30 PID 1644 wrote to memory of 2916 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 30 PID 1644 wrote to memory of 2916 1644 44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe 30 PID 2916 wrote to memory of 2040 2916 skotes.exe 32 PID 2916 wrote to memory of 2040 2916 skotes.exe 32 PID 2916 wrote to memory of 2040 2916 skotes.exe 32 PID 2916 wrote to memory of 2040 2916 skotes.exe 32 PID 2040 wrote to memory of 556 2040 x4lburt.exe 33 PID 2040 wrote to memory of 556 2040 x4lburt.exe 33 PID 2040 wrote to memory of 556 2040 x4lburt.exe 33 PID 2040 wrote to memory of 556 2040 x4lburt.exe 33 PID 2916 wrote to memory of 1492 2916 skotes.exe 35 PID 2916 wrote to memory of 1492 2916 skotes.exe 35 PID 2916 wrote to memory of 1492 2916 skotes.exe 35 PID 2916 wrote to memory of 1492 2916 skotes.exe 35 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 1492 wrote to memory of 2948 1492 vg9qcBa.exe 37 PID 2916 wrote to memory of 1672 2916 skotes.exe 38 PID 2916 wrote to memory of 1672 2916 skotes.exe 38 PID 2916 wrote to memory of 1672 2916 skotes.exe 38 PID 2916 wrote to memory of 1672 2916 skotes.exe 38 PID 1672 wrote to memory of 2436 1672 VBVEd6f.exe 39 PID 1672 wrote to memory of 2436 1672 VBVEd6f.exe 39 PID 1672 wrote to memory of 2436 1672 VBVEd6f.exe 39 PID 1672 wrote to memory of 2436 1672 VBVEd6f.exe 39 PID 2436 wrote to memory of 932 2436 cmd.exe 41 PID 2436 wrote to memory of 932 2436 cmd.exe 41 PID 2436 wrote to memory of 932 2436 cmd.exe 41 PID 2436 wrote to memory of 932 2436 cmd.exe 41 PID 2436 wrote to memory of 2220 2436 cmd.exe 42 PID 2436 wrote to memory of 2220 2436 cmd.exe 42 PID 2436 wrote to memory of 2220 2436 cmd.exe 42 PID 2436 wrote to memory of 2220 2436 cmd.exe 42 PID 2436 wrote to memory of 2196 2436 cmd.exe 44 PID 2436 wrote to memory of 2196 2436 cmd.exe 44 PID 2436 wrote to memory of 2196 2436 cmd.exe 44 PID 2436 wrote to memory of 2196 2436 cmd.exe 44 PID 2436 wrote to memory of 992 2436 cmd.exe 45 PID 2436 wrote to memory of 992 2436 cmd.exe 45 PID 2436 wrote to memory of 992 2436 cmd.exe 45 PID 2436 wrote to memory of 992 2436 cmd.exe 45 PID 2436 wrote to memory of 1720 2436 cmd.exe 46 PID 2436 wrote to memory of 1720 2436 cmd.exe 46 PID 2436 wrote to memory of 1720 2436 cmd.exe 46 PID 2436 wrote to memory of 1720 2436 cmd.exe 46 PID 2436 wrote to memory of 3008 2436 cmd.exe 47 PID 2436 wrote to memory of 3008 2436 cmd.exe 47 PID 2436 wrote to memory of 3008 2436 cmd.exe 47 PID 2436 wrote to memory of 3008 2436 cmd.exe 47 PID 2436 wrote to memory of 2084 2436 cmd.exe 48 PID 2436 wrote to memory of 2084 2436 cmd.exe 48 PID 2436 wrote to memory of 2084 2436 cmd.exe 48 PID 2436 wrote to memory of 2084 2436 cmd.exe 48 PID 2436 wrote to memory of 2820 2436 cmd.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe"C:\Users\Admin\AppData\Local\Temp\44e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3528
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"C:\Users\Admin\AppData\Local\Temp\1009238001\vg9qcBa.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2948
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"6⤵
- System Location Discovery: System Language Discovery
PID:2220
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"6⤵
- System Location Discovery: System Language Discovery
PID:992
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3975066⤵
- System Location Discovery: System Language Discovery
PID:1720
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k6⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\397506\Mesa.comMesa.com k6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2388 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a69758,0x7fef6a69768,0x7fef6a697788⤵PID:2400
-
-
C:\Windows\system32\ctfmon.exectfmon.exe8⤵PID:2720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:28⤵PID:1604
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:88⤵PID:1716
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:88⤵PID:2868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:2700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1288 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:28⤵PID:2704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:18⤵
- Uses browser remote debugging
PID:1736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 --field-trial-handle=1208,i,15436709602313204637,12700480220325278217,131072 /prefetch:88⤵PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\397506\Mesa.com" & rd /s /q "C:\ProgramData\GCGIDGCGIEGD" & exit7⤵
- System Location Discovery: System Language Discovery
PID:3224 -
C:\Windows\SysWOW64\timeout.exetimeout /t 108⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3368
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
PID:2820
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009351041\PeRVAzl.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Users\Admin\AppData\Local\Temp\1009542001\bc4113c669.exe"C:\Users\Admin\AppData\Local\Temp\1009542001\bc4113c669.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1316
-
-
C:\Users\Admin\AppData\Local\Temp\1009543001\05f1bed00a.exe"C:\Users\Admin\AppData\Local\Temp\1009543001\05f1bed00a.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\1009544001\d9d72b2ebd.exe"C:\Users\Admin\AppData\Local\Temp\1009544001\d9d72b2ebd.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\1009545001\a608ee9925.exe"C:\Users\Admin\AppData\Local\Temp\1009545001\a608ee9925.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1552 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:1616
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2532 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.0.74623523\1291408134" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1232 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58ddd030-9d9f-4b74-b274-a387f424363c} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 1336 109d6958 gpu7⤵PID:2592
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.1.1496027160\505824847" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b3f32cd-8bd3-4c0e-ac4c-693d46477a66} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 1508 d73958 socket7⤵PID:2008
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.2.1658583688\512587096" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2100 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7993f98d-a2fc-416c-9fd9-52f987f61073} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 2124 190a9358 tab7⤵PID:2688
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.3.2021682622\1714480894" -childID 2 -isForBrowser -prefsHandle 2712 -prefMapHandle 2708 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {493a02bb-1b75-43fd-aa53-9da185aeed9d} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 2724 1af11d58 tab7⤵PID:3044
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.4.936932437\147887087" -childID 3 -isForBrowser -prefsHandle 3820 -prefMapHandle 3816 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df9f06cb-c9bb-4093-ae21-c9657079f1e4} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 3832 2056e658 tab7⤵PID:2052
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.5.394912209\1256421469" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c3c4922-f3f4-4bdd-80d7-7b1d87a92436} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 3836 205c0258 tab7⤵PID:1516
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2532.6.1545624905\342563848" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb9fcaba-91bc-4b5d-bc1e-4c3a45ac83f0} 2532 "\\.\pipe\gecko-crash-server-pipe.2532" 4100 205c2658 tab7⤵PID:1112
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009546001\7da9e2c7cb.exe"C:\Users\Admin\AppData\Local\Temp\1009546001\7da9e2c7cb.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
PID:4000
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2064
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5f99ed23ff09cdec76cdbc0a5c048c5c1
SHA1a73d5943bdbdb02523c8adbe84f79fa8af6af819
SHA256abb21e884a9ffea437ba69994636baf16ce0d0b7f6d99c3a42591ba2ad043a9d
SHA5127e5922845a28cfc8468117a79faaf13e1aff5855e32289513bc809d97743aaa57484f4ec40ca55bcee19f57af1fe33ce4f2853a2bfa4cd37cefb84dd69a11d7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57b0b1337126c4b130b9979874ce86270
SHA19b2212e04cd0fcb5cd57d3f10228108b9ebbf317
SHA256e5462e23e03020a35c975bbdd419b15f5a69fa062477057bbb70a49c59ed73b4
SHA512e7538eba0ae05063d6054e80477ae0e433c610e695f3065a91a726669284f03c3770f8ec087fe9f15fd5f5fe593c26676bf042e4c23ffc17b4d23d6c92f4c18b
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp
Filesize32KB
MD518db82633b69a6ec72a63b91c2c0164f
SHA1a92d10f41e487aa8897339b2a8ecd40707a5adf8
SHA256068053325f37ab79e7fa99af4c8039d7ffa9e2e0f5c754d078e94c849b550ee6
SHA5127c77202b6cdb2f6174d1384232bb042bab24e0ff20904c95fe3c86f4b428f2e92afa346d491c7659a4ef1656b890805cbb7f1b56b5aceb19f6c5ca9f784af564
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
932KB
MD596a7b754ca8e8f35ae9e2b88b9f25658
SHA1ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA25621d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745
-
Filesize
460KB
MD520160349422aeb131ed9da71a82eb7ab
SHA1bb01e4225a1e1797c9b5858d0edf063d5f8bc44f
SHA256d8f6ce51eba058276c4722747655b68711682afc5654414e8c195ada38fdc0ea
SHA512907f3f61ac9ebeda534b3a330fd8673e8d09b243847b6a7a8d8d30f74ba8c699eafb8338a8d4f36824871609c1f226cb4db1e4a931fdf312f0e4331e7110c6b8
-
Filesize
30B
MD5aba880e8d68c1ddc29af3b2fdb32a896
SHA18611c3e60d702e34f17a00e15f0ba4253ef00179
SHA256a2ec5866c667c1261f906973133c39b1889db748852275ce9aa4a410e360fbd3
SHA51236727e71873a241207283576279f7bc14ec67c92c09a3661a4e248a32dfd7a3f3ac44d031906b0547ec67ab171470bd129a9b7623a0f708d9214bf12b399282c
-
Filesize
1.1MB
MD57f8c660bbf823d65807e4164a91dd058
SHA197ac83cbe12b04fbe1b4d98e812480e1f66d577d
SHA2565a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509
SHA51289872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919
-
Filesize
3.0MB
MD52b918bf4566595e88a664111ce48b161
SHA1e32fbdf64bb71dc870bfad9bbd571f11c6a723f4
SHA25648492827286d403668996ae3814b2216b3b616f2fb4af2022bf3d2fc3f979a26
SHA512e3d58adbe13befe91fb950cc52b16d6d2fcb8f6d65bab4020222713207b07ce78b76e2e2532cf3de23149e934ba1e1cb9046a95a18424a668bfa4a355af6f44a
-
Filesize
4.3MB
MD50473a8e8e6d92ece5fe21d23552391d2
SHA15f8b811f0df1a5c7c5de0d7d20965809b120e034
SHA25642c6787fac49fff1f3b622983357d0346048598dd8c7f790fcabd5ed5503a127
SHA5127672688ee9e1c7a204b03d611c110c2930b7a46559111379b34d5abac2d0ce6b38dcc52060fc855e6620cc5fff54ae5783358b0b7d2df24d4e5439427efaa0b7
-
Filesize
1.8MB
MD52beba791d39cfddddf945d36f85141dc
SHA124aef72a20886655340a60f36d076e56c240d983
SHA2563e02bdb0b14763d8bf75b22c8d2e17252761304cae329e4d69b9082dddaaf958
SHA5128e99ca3f90ebe567200f482f66fdec9eb9a695a32e6dbaf16768437e428059f2490a2a3138f26c83cfd84bf9216e5f399e675bd4faffddbf224329b405823cfe
-
Filesize
1.7MB
MD57201b45617fddde515846336e78d95b2
SHA1a00afe2646990b1ba446d282143f0b717a61663c
SHA256715feed9e8e28808cd140b740f3e456c17258fac1ad8c098cf68fe73b355d3bb
SHA5121978ecfb11a3564a7b3f215a833d7ca5d9459577be4cf894828c758feac931ffa3dfa1bc2c8eb4f7477445ca88bf598606e4f42ccb7c76cd5d597bcb8d92ea10
-
Filesize
900KB
MD5acdda6bed858e47c7154c1bf9440f92b
SHA1a043e28b26ef1446470e331abcf4917601c20348
SHA256f8b791be04ffc8d7b3ed60c9283bb7ac1afc1f1fc53ec30530cd779711201e23
SHA51246c8adf0434f049dc3d4efb51dc00081dc38650f9bc2526c8916aca7be979478036b739fd60380e2c312e4116418fd58f059dd1d052851a0952dfdc512874a4d
-
Filesize
2.6MB
MD5e61785a3a3d383435c9e19bf3b694811
SHA188d531034fcb42649a2e28be1e391450f090dbfc
SHA25629d54aefca55bfbdf08555b15e4361226b87e81dee3ee26b965e263bc8ddb48e
SHA512fc1bf899d3d4f079f45da99383d7175dfbbcbe5a3da21c504d80199420a9f2c2aea644188fbddfb148f5b78dcbb3d06878ca7bb0d4657ac1e8e88d91f83cdd6e
-
Filesize
540KB
MD5c3f398f77bbc21294aa17caf6b0e6994
SHA19753fe7ddb15ab965155838192ca6aed909ff56b
SHA256776d72e984f777c04609464a94576539908202dece7b8631feee29ab5b6ece50
SHA5126b43a9bc32725c3e25abae17f6a7accb83b13f446479f1253630b72ab3c4ccb3dd4e36be26cf65b910f36f3bf3b48138c3c2684782dd361477a7e4e2bb4ac463
-
Filesize
97KB
MD5287cadd3b072c264654b2e6e2566fb2b
SHA15e382082ef2dcfcb9b0312b9d8d76ac07625449e
SHA256c3bcb56ffda3326608d754fdae6fa5785161206d8c9f06abbfa6f0cf3a05e459
SHA5123c3988f6810772f112f2d05b8b4baf31c23ac1e0b441be93c9552fb2f64eec8d8779b3da2d08515cdbbf41140e8500a2982712fefbd6c8b03ad3168b1b21c734
-
Filesize
15KB
MD5cf4a755aa7bfb2afae9d7b0bae7a56cb
SHA1f6fe9d88779c3277c86c52918fc050c585007d93
SHA2562853c2f9d3db94ea67286c50a896f30c0eb4914763d8d74b450ac3faeea2c5d2
SHA512bc185b1886fe438418b282df25d234b92f80386697bdd743d568849de572776439d0336263b3b9ffc4d6994e79316747e4483067ead4c5b8ec5ed09f6f592967
-
Filesize
51KB
MD531772333ac1e8ac850ac86b9fda3ee23
SHA1153a8bf471248744befd0fff259d515c875b4b1f
SHA256a9101d5b78c38b72c53eed0ec896c4fbaa3bfdc9f72cd5c44688b48d66e31b6c
SHA5127ebfe1dab4d62a0174487b70ccb7befdab182d1bc6f2f0319a27a7bc7b398e87968bbc6b59e4bf3058a5ebfabb2efe96561535c6b01d44943ab82ea26e0a488b
-
Filesize
59KB
MD58d89a2fed5fe22eb7fd25f7f84feefc1
SHA17f9b5b806071b312b4d9e95391d6d96dbd66dde3
SHA2565c16191e8d38db8381d2e67a324d0dc481c97f2647010a1b343e26277ab2d689
SHA51288b04c9030d1ad1844f05134682c3a9b3adfabdfb22d1145d730a6508ff4ea0a81e21e46f493ff715acb9d3a4e6bb341c885d8b735cea601a86b8e54e9a52b12
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
74KB
MD5ba279e43bc3824f4dd387a5a6c15bd60
SHA1857ce7750d1bf83461965e5069f6734c483ceae4
SHA256fff37d64d11ab1cd68e00abf6774656e314388b6cca79fc19e01e33e7bd8c688
SHA512c91b53e8c4b674ab7219e0b41899f95828aecf32b86733174a20700f9d70e658063b1ee26368412c977dd1b3aa812b82073d8d2d3321c3504c4d68c3cb50b784
-
Filesize
872KB
MD56ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA51257d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
Filesize
51KB
MD51214c7903301b6105f1751d35f8677a6
SHA143097cbab70e5007ed435eca7839cf693310a632
SHA2569021d861a44500218566588391a3a17f1b1f0b00ab781b27fad7f57a1aa46c52
SHA51293e1b42da3aa5bf7809ac8e4c51fe9bbffc53b54997b0e877c2adeb3d2459f8cde91ab3cd7913146491d5ded88a6b6815fc3b44f4d59844d7e4baa78e6ed37bc
-
Filesize
1.1MB
MD52354e800eefc681a7d60f3b6b28acfd9
SHA110b6a3d9d2283b5f98c9924fa1fca6da79edb720
SHA256d3c21f6c3892f0c444ffb4b06f962caddf68d2c3938bbd399a3056db255007e3
SHA5120395737b77891d8cf7761266c2b3d594deb8e742bd5f12f15f58b2c161c242356b953ebf8cd1f41924a917b2c1332bd2e05ef275efd2419a6134a60729195354
-
Filesize
92KB
MD5ebcaa458524017b6b69e50610fdcdfdc
SHA1dde54c9c52267d42df70d932182413757a524050
SHA25695365d774498df62fb358077e847f1dbad95ba6d09b1d6cc76c22d35b0bc9118
SHA512dd146de78e15a86184350ef355cf48b63abbdeda20c10d6bc7507a8699f55e1bc80250986a9cb091f621e9cc5b34cdac552f7ad95f6aed7b09c3988d89471e22
-
Filesize
66KB
MD5d6e907bcb5843d6825949565bb20cab4
SHA1722862a965ce62a21ee20b0b1fb80aa3ca1fdead
SHA2565339cbc5d3fc6aacdcf8a4ff313696b3c23af83a6823f779d769a647df85750b
SHA512f1563a7b3a2f102fc6eff61b35736c2cc3d0bde304532485afb88c434152d283096415905d5c7accf0ea6394fd3e8c1c5b34957688241f14befdba88a0d7bcea
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
50KB
MD563b9ae899f5a5c8bfe0ab9d6d583bd01
SHA1013d6416534001cb5be061efd020af56e47eea1f
SHA256e0cfff56e7141f31a568781504048ad5e0308b22227629d4e2885a58a0499b18
SHA512bcadf064b072a29a34ef4593161d8ee7bbe3e1079b1bf08dc7422249fe4181e881084a98b5ac3edbbacbe9de0c3d6804c7f4b2694a51f74840e89f6bca117e3d
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD511a6bab382e145f5d13ea6ae5983d7eb
SHA18f65a966b1423e2a75650929c514a09f25e2f0d4
SHA25651b873071e7638bead3a197be5007d7c9c181f7d8cdd818d539a0a9a3c35c343
SHA5121d55c65f61f4a7e0ebce80ee26bd359bbca1bbcaf4917a71e518f97c5c55f406de6828e08e90c61574f2d5a14079f953e195f54e7edb6c6b690f7f34d9fec723
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\1d6eabb8-5811-4874-b420-489276ca3b1f
Filesize745B
MD5061be7023c7eaabe74a0711a547f8cd9
SHA1fcc3dfc2951509de1e3da9236f56c3e12e545b77
SHA256accbfb14c9f62c185b37fbc11ce24c2cbe153c7d63049d3bf271c0c2769cc523
SHA512a5c0de7ff0a6582454bfa658dcbde29c3cda1d3d18c00f81827bfd990b1031984dff7e84d7c17be0e456848e6a7a79b8a369281408a8b32918b32ed922b79958
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\4d3aabee-d7f2-4297-8eb7-af8e435e46a4
Filesize11KB
MD5b740b191c2e716ea4c0ce77be8cc3c26
SHA1c491fead8d73b7154e3c134e73e4f25ddae3e1c8
SHA256b501876006f6b34e41a5762c36b389208cd04f9f19333130d5207d243fb3fc90
SHA5120d2b931934f3b3490a255cce7772263f1c3d323f13d51c1f82bc0545a4adee628793ee34bb5c0bf83cfa9b44300afc17fdfde51e188ecef8fa1971ac8826777b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5e3da86a5cbfb7c12a23d78ecc6f96608
SHA189deecac31ce730ac6ecd6187652a3e30bad6e3c
SHA256cc6ea43152d810cc7666003793a9a588b00b6727d75c0ee2de76be5fbb661647
SHA51260b726bf47f4e6e68401573fdb4e3c934371f1e670f1c36e7aeefc5db1bd36ff1fbbfb93ab8de9614c172192b749c3d29cd3840e24e3b910723f8258092fd511
-
Filesize
7KB
MD583712fee726bf8a3017a06ded251fcd0
SHA154926c6a0d4aba54b724858b10d3826d04536190
SHA256c8387e8a7e21e5bfe760fb591f9a90ce1bd9005ddb4b972e14447f45470442a1
SHA512af7b6b9e8e8e8bcc42c40927ec2acc1dd489168111b8738af49b1743e8f247f99905a5241a2234fab9703872404b9e7b3763d78934bc59a7275aa61c52428fca
-
Filesize
6KB
MD57a6749d5ccdb79f600f206e287ed65e0
SHA16d65005e6f2907676963ddea6690e48bee617563
SHA256eeb24ab1ae89d08af03afe6395e1a55db93d16cb3f07de310941b123e7a02e4e
SHA5123b7358c435dc39a3f5305a9cd5e4d42e8eae7590f2ecd46b4adda9c0831171c5b91da3becde17b1a8c111aa1c53bc9eab209e9663ea64b094579c33ca06313cf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5b022b4b6f54d73ae54bb6ea590536657
SHA180139346d0ee2803f788ff8f8b2b55500c26e4ab
SHA2569a565e5040693051b26b652cf29c1d74d4c43a4a0f71910c9d81bb7fc95687b1
SHA512280474bde006901176a3113e49ca4c867b78790b8acf44c9f0423b3123d597c3de575ddd29fa3aff2349779f269f3e309955806b13b043cb15c1717f3bb81225
-
Filesize
1.8MB
MD59a612228c9f2ed059ed4d47809793b1d
SHA150bfcb257336d3251865f07f69f65591a2bd41bb
SHA25644e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896
SHA512ed1381301bfa27e39a2c92f54462f75d96dfe3753254c1532d788f149ff9bd448fb0c75269d092b65df6003b400801aa86f8a3c3f534c54fe9b9a8ac810f9d53