Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2024 08:33
Static task
static1
General
-
Target
06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe
-
Size
7.2MB
-
MD5
b4b92e8d99f3179f0848f170df459b5c
-
SHA1
388a2bf8ec543422f8aa5f14b9328a19fc0bdb01
-
SHA256
06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5
-
SHA512
ca68c799335472f4083a55156c7d26d92cad6c249ec54306986d8e3466cbc27406c46b29e47060148cbe55eafb57683be7dd4cf14d36613f3eecc9bd49dff97d
-
SSDEEP
196608:9R/cxWz6ZC/vCQcEirvGczcJvVnbYGgQa:kvZ2CQpSZcJNbYGgQa
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://powerful-avoids.sbs
https://motion-treesz.sbs
https://disobey-curly.sbs
https://leg-sate-boat.sbs
https://story-tense-faz.sbs
https://blade-govern.sbs
https://occupy-blushi.sbs
https://frogs-severz.sbs
https://property-imper.sbs
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
xworm
5.0
backto54.duckdns.org:8989
helldog24.duckdns.org:8989
7Fvn9wsSHJeXUB5q
-
install_file
USB.exe
Signatures
-
Amadey family
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1360-1778-0x0000000000600000-0x0000000000610000-memory.dmp family_xworm -
Lumma family
-
Processes:
4h342d.exe496a134eae.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 496a134eae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 496a134eae.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 496a134eae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 496a134eae.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 496a134eae.exe -
Stealc family
-
Xworm family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
Processes:
3bc4d70853.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 3bc4d70853.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
Processes:
d48622a43f.exe496a134eae.exeskotes.exe1t89w1.exe2H7465.exe3k65W.exe4h342d.exeskotes.exeskotes.exeskotes.exe3bc4d70853.exeafa742835c.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d48622a43f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 496a134eae.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1t89w1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2H7465.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3k65W.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4h342d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3bc4d70853.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ afa742835c.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid Process 6916 powershell.exe 4304 powershell.exe 2612 powershell.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 16 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
Processes:
chrome.exefirefox.exemsedge.exechrome.exechrome.exechrome.exemsedge.exechrome.exechrome.exechrome.exemsedge.exemsedge.exefirefox.exechrome.exechrome.exemsedge.exepid Process 6116 chrome.exe 1176 firefox.exe 7376 msedge.exe 6780 chrome.exe 372 chrome.exe 7628 chrome.exe 4376 msedge.exe 1128 chrome.exe 5944 chrome.exe 1352 chrome.exe 5052 msedge.exe 1408 msedge.exe 3224 firefox.exe 5424 chrome.exe 6092 chrome.exe 5520 msedge.exe -
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
3bc4d70853.exeskotes.exe2H7465.exe4h342d.exe3k65W.exeskotes.exe496a134eae.exeskotes.exeskotes.exeafa742835c.exed48622a43f.exe1t89w1.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3bc4d70853.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2H7465.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4h342d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3k65W.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3k65W.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4h342d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 496a134eae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 496a134eae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion afa742835c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2H7465.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3bc4d70853.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d48622a43f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d48622a43f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion afa742835c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1t89w1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1t89w1.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1t89w1.exeskotes.exeVBVEd6f.exeMesa.comdescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 1t89w1.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation VBVEd6f.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation Mesa.com -
Executes dropped EXE 19 IoCs
Processes:
Q3Y96.exek6e22.exe1t89w1.exeskotes.exe2H7465.exe3k65W.exe4h342d.exeVBVEd6f.exeMesa.comknotc.exeknotc.exeskotes.exe3bc4d70853.exed48622a43f.exeafa742835c.exed0240187c5.exe496a134eae.exeskotes.exeskotes.exepid Process 2252 Q3Y96.exe 4040 k6e22.exe 3472 1t89w1.exe 2192 skotes.exe 2340 2H7465.exe 2488 3k65W.exe 1984 4h342d.exe 2524 VBVEd6f.exe 3472 Mesa.com 5752 knotc.exe 5892 knotc.exe 7908 skotes.exe 1140 3bc4d70853.exe 5608 d48622a43f.exe 7700 afa742835c.exe 6784 d0240187c5.exe 1840 496a134eae.exe 6848 skotes.exe 7524 skotes.exe -
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
4h342d.exeskotes.exed48622a43f.exe496a134eae.exeskotes.exeskotes.exe3k65W.exe3bc4d70853.exeafa742835c.exeskotes.exe1t89w1.exe2H7465.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine 4h342d.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine d48622a43f.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine 496a134eae.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine 3k65W.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine 3bc4d70853.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine afa742835c.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine 1t89w1.exe Key opened \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine 2H7465.exe -
Loads dropped DLL 39 IoCs
Processes:
knotc.exepid Process 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe 5892 knotc.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Processes:
4h342d.exe496a134eae.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 4h342d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 496a134eae.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 4h342d.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
skotes.exepowershell.exe06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exeQ3Y96.exek6e22.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d48622a43f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009562001\\d48622a43f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afa742835c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009563001\\afa742835c.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0240187c5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009564001\\d0240187c5.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\496a134eae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1009565001\\496a134eae.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QEgztCdAfRPBWhv.ps1\"" powershell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Q3Y96.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" k6e22.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 245 api.ipify.org 246 api.ipify.org 253 api.ipify.org 263 api.ipify.org 288 api.ipify.org 300 api.ipify.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/files/0x000d000000023b59-3913.dat autoit_exe -
Enumerates processes with tasklist 1 TTPs 3 IoCs
Processes:
tasklist.exetasklist.exetasklist.exepid Process 1956 tasklist.exe 5052 tasklist.exe 5300 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
Processes:
1t89w1.exeskotes.exe2H7465.exe3k65W.exe4h342d.exeknotc.exeskotes.exe3bc4d70853.exed48622a43f.exeafa742835c.exe496a134eae.exeskotes.exeskotes.exepid Process 3472 1t89w1.exe 2192 skotes.exe 2340 2H7465.exe 2488 3k65W.exe 1984 4h342d.exe 5892 knotc.exe 7908 skotes.exe 1140 3bc4d70853.exe 5608 d48622a43f.exe 7700 afa742835c.exe 1840 496a134eae.exe 6848 skotes.exe 7524 skotes.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid Process procid_target PID 4304 set thread context of 1360 4304 powershell.exe 109 -
Drops file in Windows directory 3 IoCs
Processes:
VBVEd6f.exe1t89w1.exedescription ioc Process File opened for modification C:\Windows\CoCurious VBVEd6f.exe File opened for modification C:\Windows\RipeHaiti VBVEd6f.exe File created C:\Windows\Tasks\skotes.job 1t89w1.exe -
Detects Pyinstaller 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cc1-1793.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Mesa.comd0240187c5.exetaskkill.exe496a134eae.exe4h342d.exeVBVEd6f.exetasklist.execmd.exechoice.exetaskkill.exe3k65W.exefindstr.exeafa742835c.exetasklist.exefindstr.exed48622a43f.exetaskkill.exe1t89w1.exeRegAsm.exe2H7465.execmd.exeQ3Y96.exeskotes.execmd.exe3bc4d70853.exetaskkill.exetaskkill.exek6e22.execmd.exetimeout.exe06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exepowershell.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mesa.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d0240187c5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 496a134eae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4h342d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VBVEd6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3k65W.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language afa742835c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d48622a43f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1t89w1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2H7465.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Q3Y96.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bc4d70853.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k6e22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exefirefox.exemsedge.exeMesa.comfirefox.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Mesa.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Mesa.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid Process 6696 timeout.exe -
Enumerates system info in registry 2 TTPs 11 IoCs
Processes:
chrome.exemsedge.exechrome.exemsedge.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Gathers network information 2 TTPs 11 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exepid Process 8180 ipconfig.exe 3108 ipconfig.exe 7868 ipconfig.exe 7832 ipconfig.exe 5308 ipconfig.exe 880 ipconfig.exe 7392 ipconfig.exe 632 ipconfig.exe 7724 ipconfig.exe 2680 ipconfig.exe 6196 ipconfig.exe -
Gathers system information 1 TTPs 10 IoCs
Runs systeminfo.exe.
Processes:
systeminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exesysteminfo.exepid Process 4856 systeminfo.exe 5328 systeminfo.exe 5012 systeminfo.exe 5192 systeminfo.exe 6152 systeminfo.exe 7944 systeminfo.exe 4280 systeminfo.exe 7368 systeminfo.exe 6552 systeminfo.exe 5392 systeminfo.exe -
Kills process with taskkill 36 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid Process 3044 taskkill.exe 7052 taskkill.exe 6736 taskkill.exe 5312 taskkill.exe 7668 taskkill.exe 5260 taskkill.exe 4324 taskkill.exe 5948 taskkill.exe 5404 taskkill.exe 3288 taskkill.exe 5820 taskkill.exe 5740 taskkill.exe 3360 taskkill.exe 6740 taskkill.exe 8116 taskkill.exe 7816 taskkill.exe 7320 taskkill.exe 8056 taskkill.exe 6876 taskkill.exe 5524 taskkill.exe 2420 taskkill.exe 7188 taskkill.exe 3872 taskkill.exe 5928 taskkill.exe 7644 taskkill.exe 6988 taskkill.exe 4784 taskkill.exe 5164 taskkill.exe 6708 taskkill.exe 6164 taskkill.exe 6192 taskkill.exe 4164 taskkill.exe 6096 taskkill.exe 3432 taskkill.exe 7052 taskkill.exe 1868 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771700570898604" chrome.exe -
Modifies registry class 2 IoCs
Processes:
firefox.exefirefox.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1t89w1.exeskotes.exe2H7465.exe3k65W.exe4h342d.exeMesa.compowershell.exeRegAsm.exeskotes.exe3bc4d70853.exemsedge.exechrome.exed48622a43f.exechrome.exeafa742835c.exed0240187c5.exemsedge.exemsedge.exemsedge.exepowershell.exepid Process 3472 1t89w1.exe 3472 1t89w1.exe 2192 skotes.exe 2192 skotes.exe 2340 2H7465.exe 2340 2H7465.exe 2488 3k65W.exe 2488 3k65W.exe 1984 4h342d.exe 1984 4h342d.exe 1984 4h342d.exe 1984 4h342d.exe 3472 Mesa.com 3472 Mesa.com 3472 Mesa.com 3472 Mesa.com 3472 Mesa.com 3472 Mesa.com 4304 powershell.exe 4304 powershell.exe 1360 RegAsm.exe 7908 skotes.exe 7908 skotes.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 3472 Mesa.com 3472 Mesa.com 4152 msedge.exe 4152 msedge.exe 1128 chrome.exe 1128 chrome.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 1140 3bc4d70853.exe 3472 Mesa.com 3472 Mesa.com 5608 d48622a43f.exe 5608 d48622a43f.exe 1352 chrome.exe 1352 chrome.exe 7700 afa742835c.exe 7700 afa742835c.exe 3472 Mesa.com 3472 Mesa.com 6784 d0240187c5.exe 6784 d0240187c5.exe 3472 Mesa.com 3472 Mesa.com 6500 msedge.exe 6500 msedge.exe 5052 msedge.exe 5052 msedge.exe 6952 msedge.exe 6952 msedge.exe 6952 msedge.exe 6952 msedge.exe 2612 powershell.exe 2612 powershell.exe 2612 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
chrome.exechrome.exemsedge.exepid Process 1128 chrome.exe 1128 chrome.exe 1128 chrome.exe 1352 chrome.exe 1352 chrome.exe 1352 chrome.exe 5052 msedge.exe 5052 msedge.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
4h342d.exetasklist.exetasklist.exepowershell.exeRegAsm.exetaskkill.exetaskkill.exetaskkill.exechrome.exefirefox.exetaskkill.exetaskkill.exetaskkill.exechrome.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exepowershell.exetasklist.exe496a134eae.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exedescription pid Process Token: SeDebugPrivilege 1984 4h342d.exe Token: SeDebugPrivilege 1956 tasklist.exe Token: SeDebugPrivilege 5052 tasklist.exe Token: SeDebugPrivilege 4304 powershell.exe Token: SeDebugPrivilege 1360 RegAsm.exe Token: SeDebugPrivilege 3044 taskkill.exe Token: SeDebugPrivilege 4164 taskkill.exe Token: SeDebugPrivilege 3288 taskkill.exe Token: SeShutdownPrivilege 1128 chrome.exe Token: SeCreatePagefilePrivilege 1128 chrome.exe Token: SeDebugPrivilege 3224 firefox.exe Token: SeDebugPrivilege 3224 firefox.exe Token: SeDebugPrivilege 6164 taskkill.exe Token: SeDebugPrivilege 5820 taskkill.exe Token: SeDebugPrivilege 5740 taskkill.exe Token: SeShutdownPrivilege 1352 chrome.exe Token: SeCreatePagefilePrivilege 1352 chrome.exe Token: SeShutdownPrivilege 1352 chrome.exe Token: SeCreatePagefilePrivilege 1352 chrome.exe Token: SeShutdownPrivilege 1352 chrome.exe Token: SeCreatePagefilePrivilege 1352 chrome.exe Token: SeShutdownPrivilege 1352 chrome.exe Token: SeCreatePagefilePrivilege 1352 chrome.exe Token: SeShutdownPrivilege 1352 chrome.exe Token: SeCreatePagefilePrivilege 1352 chrome.exe Token: SeDebugPrivilege 3360 taskkill.exe Token: SeShutdownPrivilege 1352 chrome.exe Token: SeCreatePagefilePrivilege 1352 chrome.exe Token: SeDebugPrivilege 7052 taskkill.exe Token: SeDebugPrivilege 6740 taskkill.exe Token: SeDebugPrivilege 6736 taskkill.exe Token: SeDebugPrivilege 3872 taskkill.exe Token: SeDebugPrivilege 7320 taskkill.exe Token: SeDebugPrivilege 5376 firefox.exe Token: SeDebugPrivilege 5376 firefox.exe Token: SeDebugPrivilege 2612 powershell.exe Token: SeDebugPrivilege 5300 tasklist.exe Token: SeDebugPrivilege 1840 496a134eae.exe Token: SeDebugPrivilege 6096 taskkill.exe Token: SeDebugPrivilege 4324 taskkill.exe Token: SeDebugPrivilege 5928 taskkill.exe Token: SeDebugPrivilege 5312 taskkill.exe Token: SeDebugPrivilege 7644 taskkill.exe Token: SeDebugPrivilege 7668 taskkill.exe Token: SeDebugPrivilege 8056 taskkill.exe Token: SeDebugPrivilege 3432 taskkill.exe Token: SeDebugPrivilege 6988 taskkill.exe Token: SeDebugPrivilege 4784 taskkill.exe Token: SeDebugPrivilege 5260 taskkill.exe Token: SeDebugPrivilege 8116 taskkill.exe Token: SeDebugPrivilege 6192 taskkill.exe Token: SeDebugPrivilege 5164 taskkill.exe Token: SeDebugPrivilege 6708 taskkill.exe Token: SeDebugPrivilege 6876 taskkill.exe Token: SeDebugPrivilege 7188 taskkill.exe Token: SeDebugPrivilege 5948 taskkill.exe Token: SeDebugPrivilege 7052 taskkill.exe Token: SeDebugPrivilege 5524 taskkill.exe Token: SeDebugPrivilege 1868 taskkill.exe Token: SeDebugPrivilege 7816 taskkill.exe Token: SeDebugPrivilege 2420 taskkill.exe Token: SeDebugPrivilege 5404 taskkill.exe Token: SeDebugPrivilege 6916 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
1t89w1.exeMesa.comchrome.exefirefox.exechrome.exed0240187c5.exemsedge.exefirefox.exepid Process 3472 1t89w1.exe 3472 Mesa.com 3472 Mesa.com 3472 Mesa.com 1128 chrome.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 1352 chrome.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 6784 d0240187c5.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5052 msedge.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 6784 d0240187c5.exe 5376 firefox.exe -
Suspicious use of SendNotifyMessage 53 IoCs
Processes:
Mesa.comfirefox.exed0240187c5.exefirefox.exepid Process 3472 Mesa.com 3472 Mesa.com 3472 Mesa.com 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 3224 firefox.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 6784 d0240187c5.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 5376 firefox.exe 6784 d0240187c5.exe 6784 d0240187c5.exe 6784 d0240187c5.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
RegAsm.exefirefox.exefirefox.exepid Process 1360 RegAsm.exe 3224 firefox.exe 5376 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exeQ3Y96.exek6e22.exe1t89w1.exeskotes.exeVBVEd6f.execmd.exepowershell.exedescription pid Process procid_target PID 1432 wrote to memory of 2252 1432 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe 82 PID 1432 wrote to memory of 2252 1432 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe 82 PID 1432 wrote to memory of 2252 1432 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe 82 PID 2252 wrote to memory of 4040 2252 Q3Y96.exe 83 PID 2252 wrote to memory of 4040 2252 Q3Y96.exe 83 PID 2252 wrote to memory of 4040 2252 Q3Y96.exe 83 PID 4040 wrote to memory of 3472 4040 k6e22.exe 84 PID 4040 wrote to memory of 3472 4040 k6e22.exe 84 PID 4040 wrote to memory of 3472 4040 k6e22.exe 84 PID 3472 wrote to memory of 2192 3472 1t89w1.exe 85 PID 3472 wrote to memory of 2192 3472 1t89w1.exe 85 PID 3472 wrote to memory of 2192 3472 1t89w1.exe 85 PID 4040 wrote to memory of 2340 4040 k6e22.exe 86 PID 4040 wrote to memory of 2340 4040 k6e22.exe 86 PID 4040 wrote to memory of 2340 4040 k6e22.exe 86 PID 2252 wrote to memory of 2488 2252 Q3Y96.exe 91 PID 2252 wrote to memory of 2488 2252 Q3Y96.exe 91 PID 2252 wrote to memory of 2488 2252 Q3Y96.exe 91 PID 1432 wrote to memory of 1984 1432 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe 92 PID 1432 wrote to memory of 1984 1432 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe 92 PID 1432 wrote to memory of 1984 1432 06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe 92 PID 2192 wrote to memory of 2524 2192 skotes.exe 94 PID 2192 wrote to memory of 2524 2192 skotes.exe 94 PID 2192 wrote to memory of 2524 2192 skotes.exe 94 PID 2524 wrote to memory of 2188 2524 VBVEd6f.exe 95 PID 2524 wrote to memory of 2188 2524 VBVEd6f.exe 95 PID 2524 wrote to memory of 2188 2524 VBVEd6f.exe 95 PID 2188 wrote to memory of 1956 2188 cmd.exe 97 PID 2188 wrote to memory of 1956 2188 cmd.exe 97 PID 2188 wrote to memory of 1956 2188 cmd.exe 97 PID 2188 wrote to memory of 544 2188 cmd.exe 98 PID 2188 wrote to memory of 544 2188 cmd.exe 98 PID 2188 wrote to memory of 544 2188 cmd.exe 98 PID 2188 wrote to memory of 5052 2188 cmd.exe 101 PID 2188 wrote to memory of 5052 2188 cmd.exe 101 PID 2188 wrote to memory of 5052 2188 cmd.exe 101 PID 2188 wrote to memory of 4572 2188 cmd.exe 102 PID 2188 wrote to memory of 4572 2188 cmd.exe 102 PID 2188 wrote to memory of 4572 2188 cmd.exe 102 PID 2188 wrote to memory of 4504 2188 cmd.exe 103 PID 2188 wrote to memory of 4504 2188 cmd.exe 103 PID 2188 wrote to memory of 4504 2188 cmd.exe 103 PID 2188 wrote to memory of 1176 2188 cmd.exe 104 PID 2188 wrote to memory of 1176 2188 cmd.exe 104 PID 2188 wrote to memory of 1176 2188 cmd.exe 104 PID 2188 wrote to memory of 3472 2188 cmd.exe 105 PID 2188 wrote to memory of 3472 2188 cmd.exe 105 PID 2188 wrote to memory of 3472 2188 cmd.exe 105 PID 2188 wrote to memory of 3056 2188 cmd.exe 106 PID 2188 wrote to memory of 3056 2188 cmd.exe 106 PID 2188 wrote to memory of 3056 2188 cmd.exe 106 PID 2192 wrote to memory of 4304 2192 skotes.exe 107 PID 2192 wrote to memory of 4304 2192 skotes.exe 107 PID 2192 wrote to memory of 4304 2192 skotes.exe 107 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 4304 wrote to memory of 1360 4304 powershell.exe 109 PID 2192 wrote to memory of 5752 2192 skotes.exe 110 PID 2192 wrote to memory of 5752 2192 skotes.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe"C:\Users\Admin\AppData\Local\Temp\06eb8edaf868647a8b5c0b2e620bc7b75e4faef6eee421f576f134eb3c65faf5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q3Y96.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Q3Y96.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6e22.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6e22.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1t89w1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1t89w1.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"C:\Users\Admin\AppData\Local\Temp\1009342001\VBVEd6f.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Appreciate Appreciate.cmd && Appreciate.cmd7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"8⤵
- System Location Discovery: System Language Discovery
PID:544
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5052
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"8⤵
- System Location Discovery: System Language Discovery
PID:4572
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3975068⤵
- System Location Discovery: System Language Discovery
PID:4504
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Concept + ..\Mix + ..\Trunk + ..\Answers + ..\Bufing + ..\Benefits + ..\Ram + ..\Guides k8⤵
- System Location Discovery: System Language Discovery
PID:1176
-
-
C:\Users\Admin\AppData\Local\Temp\397506\Mesa.comMesa.com k8⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3472 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"9⤵
- Uses browser remote debugging
PID:372 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa7ba3cc40,0x7ffa7ba3cc4c,0x7ffa7ba3cc5810⤵PID:5960
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"9⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5052 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa8b1e46f8,0x7ffa8b1e4708,0x7ffa8b1e471810⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:6952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:210⤵PID:6512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:310⤵
- Suspicious behavior: EnumeratesProcesses
PID:6500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:810⤵PID:6360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:110⤵
- Uses browser remote debugging
PID:5520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:110⤵
- Uses browser remote debugging
PID:4376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3640 /prefetch:210⤵PID:6912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3644 /prefetch:210⤵PID:4404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2532 /prefetch:210⤵PID:7300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3324 /prefetch:210⤵PID:6928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2676 /prefetch:210⤵PID:6632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3728 /prefetch:210⤵PID:6616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2212 /prefetch:210⤵PID:5576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,5065827102713173063,8739957909388552465,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4240 /prefetch:210⤵PID:5856
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\397506\Mesa.com" & rd /s /q "C:\ProgramData\IJKFHIIEHIEG" & exit9⤵
- System Location Discovery: System Language Discovery
PID:6460 -
C:\Windows\SysWOW64\timeout.exetimeout /t 1010⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:6696
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
PID:3056
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1009351041\PeRVAzl.ps1"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1360
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"6⤵
- Executes dropped EXE
PID:5752 -
C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"C:\Users\Admin\AppData\Local\Temp\1009551001\knotc.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5892 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"8⤵PID:6140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls8⤵PID:8044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"8⤵PID:8112
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"8⤵PID:8128
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"8⤵PID:8136
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --restore-last-session --remote-debugging-port=8762 --remote-allow-origins=* --headless=new --user-data-dir=C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles8⤵
- Uses browser remote debugging
PID:1176 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --restore-last-session --remote-debugging-port=8762 --remote-allow-origins=* --headless=new --user-data-dir=C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles9⤵
- Uses browser remote debugging
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3224 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a871b3d-741f-4b3d-8fb4-50026a055185} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" gpu10⤵PID:4072
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2528 -parentBuildID 20240401114208 -prefsHandle 2496 -prefMapHandle 2492 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dec308d7-5bfc-488e-9707-6cbc62eded9c} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" socket10⤵PID:7216
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3276 -prefMapHandle 3268 -prefsLen 28292 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72d7c212-6755-43cd-b928-153ad67b1f57} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" tab10⤵PID:6968
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3208 -childID 2 -isForBrowser -prefsHandle 3216 -prefMapHandle 3212 -prefsLen 34809 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75eab4da-6c28-4ee6-8674-3e3eafda74ed} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" tab10⤵PID:6692
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4392 -prefMapHandle 4368 -prefsLen 34809 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7649ef1c-1a18-4538-9d3f-0565040abeca} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" utility10⤵
- Checks processor information in registry
PID:6592
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5404 -prefsLen 32517 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d80256-1b31-40e9-97a5-357ebb6f753c} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" tab10⤵PID:6484
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5648 -prefMapHandle 5644 -prefsLen 32517 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcd7f370-e7ce-4836-8008-49aeae111f95} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" tab10⤵PID:6464
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5776 -childID 5 -isForBrowser -prefsHandle 5784 -prefMapHandle 5792 -prefsLen 32517 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c64e9c2e-2567-4691-b1be-39414b56124f} 3224 "\\.\pipe\gecko-crash-server-pipe.3224" tab10⤵PID:6452
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --restore-last-session --remote-debugging-port=8314 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data"8⤵
- Uses browser remote debugging
PID:1408 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa8b1e46f8,0x7ffa8b1e4708,0x7ffa8b1e47189⤵PID:1660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,11864602703688139418,15286318087230653221,131072 --disable-features=PaintHolding --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1472 /prefetch:29⤵PID:5720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,11864602703688139418,15286318087230653221,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --mojo-platform-channel-handle=1884 /prefetch:39⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8314 --allow-pre-commit-input --field-trial-handle=1456,11864602703688139418,15286318087230653221,131072 --disable-features=PaintHolding --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2000 /prefetch:19⤵
- Uses browser remote debugging
PID:7376
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8373 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1128 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa7ba3cc40,0x7ffa7ba3cc4c,0x7ffa7ba3cc589⤵PID:3480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,4698103312708414115,2507795123523179798,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:29⤵PID:5252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2196,i,4698103312708414115,2507795123523179798,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:39⤵PID:5320
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2264,i,4698103312708414115,2507795123523179798,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2636 /prefetch:89⤵PID:1748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8373 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3572,i,4698103312708414115,2507795123523179798,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3552 /prefetch:19⤵
- Uses browser remote debugging
PID:5944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8373 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3584,i,4698103312708414115,2507795123523179798,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3916 /prefetch:19⤵
- Uses browser remote debugging
PID:5424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8373 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,4698103312708414115,2507795123523179798,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:19⤵
- Uses browser remote debugging
PID:6780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM firefox.exe"8⤵PID:6216
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"8⤵PID:5680
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM msedge.exe"8⤵PID:5872
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5740
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --restore-last-session --remote-debugging-port=8957 --remote-allow-origins=* --headless=new "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1352 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x8c,0x164,0x168,0x158,0x16c,0x7ffa8b1dcc40,0x7ffa8b1dcc4c,0x7ffa8b1dcc589⤵PID:4704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2084,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:29⤵PID:5368
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=1972,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2652 /prefetch:39⤵PID:5476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=2200,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2660 /prefetch:89⤵PID:5504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8957 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3836,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3844 /prefetch:19⤵
- Uses browser remote debugging
PID:6116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8957 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3868,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3876 /prefetch:19⤵
- Uses browser remote debugging
PID:6092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --remote-debugging-port=8957 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4348,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:19⤵
- Uses browser remote debugging
PID:7628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4776,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:89⤵PID:8012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --field-trial-handle=4960,i,6812264356097683111,12446900451838993622,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:89⤵PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"8⤵PID:5280
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7052
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command " Add-MpPreference -ExclusionExtension '.ps1', '.tmp', '.py' Add-MpPreference -ExclusionPath \"$env:TEMP\", \"$env:APPDATA\" "8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:6080
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:4856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig"8⤵PID:1724
-
C:\Windows\system32\ipconfig.exeipconfig9⤵
- Gathers network information
PID:7724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig /all"8⤵PID:7684
-
C:\Windows\system32\ipconfig.exeipconfig /all9⤵
- Gathers network information
PID:7868
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:7880
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:7944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"8⤵PID:5348
-
C:\Windows\system32\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig /all"8⤵PID:2720
-
C:\Windows\system32\ipconfig.exeipconfig /all9⤵
- Gathers network information
PID:7832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:3332
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:4280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig"8⤵PID:1404
-
C:\Windows\system32\ipconfig.exeipconfig9⤵
- Gathers network information
PID:2680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig /all"8⤵PID:5264
-
C:\Windows\system32\ipconfig.exeipconfig /all9⤵
- Gathers network information
PID:5308
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:3660
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:5328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:6680
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:5012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig"8⤵PID:7004
-
C:\Windows\system32\ipconfig.exeipconfig9⤵
- Gathers network information
PID:6196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig /all"8⤵PID:6932
-
C:\Windows\system32\ipconfig.exeipconfig /all9⤵
- Gathers network information
PID:8180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:4332
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:5192
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:6384
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:6152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig"8⤵PID:6712
-
C:\Windows\system32\ipconfig.exeipconfig9⤵
- Gathers network information
PID:880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig /all"8⤵PID:552
-
C:\Windows\system32\ipconfig.exeipconfig /all9⤵
- Gathers network information
PID:7392
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:7248
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:7368
-
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im brave.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6096
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4324
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im msedge.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5928
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im opera.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5312
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im vivaldi.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7644
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im yandex.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7668
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im chromium.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8056
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im epic.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3432
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im waterfox.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6988
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im palemoon.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im basilisk.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5260
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im iexplore.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:8116
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im javaw.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6192
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im Minecraft.Windows.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5164
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im LeagueClient.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6708
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im VALORANT-Win64-Shipping.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6876
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7188
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im Steam.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5948
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im Growtopia.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7052
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im Battle.net.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5524
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im UbisoftConnect.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im SocialClubHelper.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7816
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im GalaxyClient.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /f /im EADesktop.exe8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:7008
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:6552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig"8⤵PID:1008
-
C:\Windows\system32\ipconfig.exeipconfig9⤵
- Gathers network information
PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ipconfig /all"8⤵PID:4792
-
C:\Windows\system32\ipconfig.exeipconfig /all9⤵
- Gathers network information
PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"8⤵PID:6468
-
C:\Windows\system32\systeminfo.exesysteminfo9⤵
- Gathers system information
PID:5392
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:ProgramData\edge\Updater\Get-Clipboard.ps18⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:6916 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rqudupki\rqudupki.cmdline"9⤵PID:7576
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDC8.tmp" "c:\Users\Admin\AppData\Local\Temp\rqudupki\CSCF8B8664E250442048D3F1FB0A67B8C19.TMP"10⤵PID:6856
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009561001\3bc4d70853.exe"C:\Users\Admin\AppData\Local\Temp\1009561001\3bc4d70853.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1140
-
-
C:\Users\Admin\AppData\Local\Temp\1009562001\d48622a43f.exe"C:\Users\Admin\AppData\Local\Temp\1009562001\d48622a43f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5608
-
-
C:\Users\Admin\AppData\Local\Temp\1009563001\afa742835c.exe"C:\Users\Admin\AppData\Local\Temp\1009563001\afa742835c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7700
-
-
C:\Users\Admin\AppData\Local\Temp\1009564001\d0240187c5.exe"C:\Users\Admin\AppData\Local\Temp\1009564001\d0240187c5.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6784 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6740
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6736
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7320
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵PID:5192
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5376 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1916 -prefsLen 24088 -prefMapSize 246093 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac5fda54-4e30-4088-92a1-c0ceafd3e72a} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" gpu9⤵PID:5208
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 25008 -prefMapSize 246093 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a532313c-3d82-46b8-b7c6-00f63bc97503} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" socket9⤵PID:6660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 1 -isForBrowser -prefsHandle 3544 -prefMapHandle 3500 -prefsLen 22858 -prefMapSize 246093 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e95222d6-01b3-4ed7-8294-e9abd5930079} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" tab9⤵PID:7256
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4012 -childID 2 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 29442 -prefMapSize 246093 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1521cbde-1cda-480d-be73-5b1412a5d3b8} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" tab9⤵PID:7488
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4532 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4572 -prefsLen 29442 -prefMapSize 246093 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3314fe90-af2a-455b-b52f-8b13581b9390} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" utility9⤵
- Checks processor information in registry
PID:4772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -childID 3 -isForBrowser -prefsHandle 5004 -prefMapHandle 5112 -prefsLen 27151 -prefMapSize 246093 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {227aca7d-679f-46c2-bc4e-cac41278e481} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" tab9⤵PID:6188
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5112 -childID 4 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27151 -prefMapSize 246093 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3513db95-15a1-40a7-afc7-332439e4429e} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" tab9⤵PID:1308
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5404 -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5416 -prefsLen 27151 -prefMapSize 246093 -jsInitHandle 924 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b08070e0-4a41-4e97-a906-4ae7dbb7d89c} 5376 "\\.\pipe\gecko-crash-server-pipe.5376" tab9⤵PID:2212
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009565001\496a134eae.exe"C:\Users\Admin\AppData\Local\Temp\1009565001\496a134eae.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2H7465.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2H7465.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2340
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k65W.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k65W.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2488
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4h342d.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4h342d.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:7908
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7316
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:5256
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6848
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7524
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
40B
MD5b65d667045a646269e3eb65f457698f1
SHA1a263ce582c0157238655530107dbec05a3475c54
SHA25623848757826358c47263fa65d53bb5ec49286b717f7f2c9c8e83192a39e35bb6
SHA51287f10412feee145f16f790fbbcf0353db1b0097bda352c2cd147028db69a1e98779be880e133fed17af6ed73eb615a51e5616966c8a7b7de364ec75f37c67567
-
Filesize
649B
MD5ab1e17dbe1119581c3b58a9d54bd3ad3
SHA148443ebff4259d68a446e7c60f5842317dcc9aea
SHA256a206b4cf0e7226c6203dd07bbfc813922c9645c77aea97af0cfc3fbe455f45c1
SHA512487a76f87a2dd87e54b8b8390b1289fa7eb14f38489955636d2c73680f71cf49edafbedd73e08727191a98ee2bdd531edff49d9ffd98aee1bb353a8e73946b5f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\78c69290-f875-4f52-913a-d08b4caeee6d.dmp
Filesize10.4MB
MD51c7b8312822a7aeaa3a7a44795aeb87c
SHA10b6ef24a10450c607d60e80dd253a150b5b43fad
SHA25665f82f7595894e8976776a5de352e353fd7fa9ee64b5a5767e3a372cb9256194
SHA51280c9400afa387371946cd9480822be45c6fe754d57f9b4a3967af32bb680379dbe4be14f39f8e1755e6a4d05266305266fdf619082c3e91bb131e55e60dcf534
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\68754a8e-300d-426e-bd10-ed20d615bc0c.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
5KB
MD515741fcc29834f7a503200bf500fd57b
SHA1680d878dec7e3831c06860784fd470b7058b2064
SHA2564a903471102c21d6fce87472c52d308c451d2f997cdbd82fa25177e586102f59
SHA51224b301ba5ab46f7f6c45a0438f385be76f8e32ddf8264c4eb7e12bbbbf3a4abd54cfad74470fb9d6f38acdfd6e48e077dfd94cd96e089bc9abe9aa5885b97d4d
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json
Filesize27KB
MD5fd885b8de76f7494c7525108b4d8f2ee
SHA1794bade1b01f2baa5343fb28f0ed45421e6c844d
SHA256e59f1e04bf8f906d9a6f48dd608a66ce47cf735392fb902b88a5632802f4b4bb
SHA5121a9fca7ccbb146cb5212c147ba3c0c92494a4af5554a46c599a0b28b9ea26413066dc5df9245b37285ae936d23ebab017559e3ad8aaa09642c9662d5e2e63c67
-
Filesize
1.1MB
MD57f8c660bbf823d65807e4164a91dd058
SHA197ac83cbe12b04fbe1b4d98e812480e1f66d577d
SHA2565a45b35e922d52f1bc47530634465ed1f989d9916684bf9591006a6172542509
SHA51289872cc15ca3a91d43b0b4261b04c38b8ac545c9b4afdb47d2b0288167b512fbe709de04fd2d1809ca1afee67a5a799aa7943f5aff65a5aa3197f9e10545c919
-
Filesize
3.0MB
MD52b918bf4566595e88a664111ce48b161
SHA1e32fbdf64bb71dc870bfad9bbd571f11c6a723f4
SHA25648492827286d403668996ae3814b2216b3b616f2fb4af2022bf3d2fc3f979a26
SHA512e3d58adbe13befe91fb950cc52b16d6d2fcb8f6d65bab4020222713207b07ce78b76e2e2532cf3de23149e934ba1e1cb9046a95a18424a668bfa4a355af6f44a
-
Filesize
22.3MB
MD5719dcf184f232c140a40a69f05ae2ae7
SHA1ac1e40daf79114c78ca756f2cfe5619cd2804cc2
SHA2565b5856719e14b1dcf6297e51e69b147263a72203e2f7bc5d938ae41f01312270
SHA51236ec8a14ee9f579f221662f29f08882f6f9dc59637100a99bc782cddbdf3aa1c27925ca5ff94e7b3e52e092a789104713e781226050466841d01cc04960bf2a5
-
Filesize
4.3MB
MD50473a8e8e6d92ece5fe21d23552391d2
SHA15f8b811f0df1a5c7c5de0d7d20965809b120e034
SHA25642c6787fac49fff1f3b622983357d0346048598dd8c7f790fcabd5ed5503a127
SHA5127672688ee9e1c7a204b03d611c110c2930b7a46559111379b34d5abac2d0ce6b38dcc52060fc855e6620cc5fff54ae5783358b0b7d2df24d4e5439427efaa0b7
-
Filesize
1.8MB
MD52c82b5398fb301bc2a2b3a9716e214ef
SHA1540d9ac0bdba4130643627dbb578004a71b68302
SHA256ae0615aebbe333c96a367f391103f4079076aba81341abf0081247addbb5c208
SHA51204f8e6fa29b442642bbea31e8759472f6faabf61a038ec0579401599bc123cc3bbf3f8376df44045ad0a8b721a916723ee4d35e5d4701cdb49828e1ede57ef65
-
Filesize
1.8MB
MD540fbf66fe2c47dcd8d2de9191b48b355
SHA1eb7260a1cf345b9a225fa6250727db32e391ffd6
SHA256c5723c29a13feb389fd9e72e6e81d914c0693d9846c2810d1d0bad4e3307eb78
SHA5122d4328dea1251bd7694c4f1b42f7bf5efad6b8712364bd42db6f8ba612dffd430b6e4bc158756c5e68d9aa24b0904cdff7ac7fde06cdf2826f062077415d0690
-
Filesize
900KB
MD59c130f43a75b749916375fada08cf486
SHA1b0787ab9ce67d0954c9027d58c2fb7782a42a11e
SHA25695cdc1cb2dc25c23029e61e302deb9f5f1607d382a204f487e9b2eb4d52b3044
SHA5120f29a5634383206fbff2779a505e327e7468bf3c3d07825e615cb442513531cea2862a264d8b2cf47bb849e4978865902445b483172b635b1f4358587320bf3e
-
Filesize
2.7MB
MD59ec7150c51a4d30753fbab8a457121ee
SHA15a18ca834905608395d17b6ac0e3c90fd982a67c
SHA25627574e7abdb7c3ee82ac007aa592e907b1c101b58e16263a629750be72c978d2
SHA5120ee554a5a05536fc59ad14f339e374d324ee0b5ea2b17cc3621d9e83422aa0b745471eeac47409d8295fa46c30b866c3f5987f2e63d170e91998ae739e9a5197
-
Filesize
540KB
MD5c3f398f77bbc21294aa17caf6b0e6994
SHA19753fe7ddb15ab965155838192ca6aed909ff56b
SHA256776d72e984f777c04609464a94576539908202dece7b8631feee29ab5b6ece50
SHA5126b43a9bc32725c3e25abae17f6a7accb83b13f446479f1253630b72ab3c4ccb3dd4e36be26cf65b910f36f3bf3b48138c3c2684782dd361477a7e4e2bb4ac463
-
Filesize
97KB
MD5287cadd3b072c264654b2e6e2566fb2b
SHA15e382082ef2dcfcb9b0312b9d8d76ac07625449e
SHA256c3bcb56ffda3326608d754fdae6fa5785161206d8c9f06abbfa6f0cf3a05e459
SHA5123c3988f6810772f112f2d05b8b4baf31c23ac1e0b441be93c9552fb2f64eec8d8779b3da2d08515cdbbf41140e8500a2982712fefbd6c8b03ad3168b1b21c734
-
Filesize
15KB
MD5cf4a755aa7bfb2afae9d7b0bae7a56cb
SHA1f6fe9d88779c3277c86c52918fc050c585007d93
SHA2562853c2f9d3db94ea67286c50a896f30c0eb4914763d8d74b450ac3faeea2c5d2
SHA512bc185b1886fe438418b282df25d234b92f80386697bdd743d568849de572776439d0336263b3b9ffc4d6994e79316747e4483067ead4c5b8ec5ed09f6f592967
-
Filesize
51KB
MD531772333ac1e8ac850ac86b9fda3ee23
SHA1153a8bf471248744befd0fff259d515c875b4b1f
SHA256a9101d5b78c38b72c53eed0ec896c4fbaa3bfdc9f72cd5c44688b48d66e31b6c
SHA5127ebfe1dab4d62a0174487b70ccb7befdab182d1bc6f2f0319a27a7bc7b398e87968bbc6b59e4bf3058a5ebfabb2efe96561535c6b01d44943ab82ea26e0a488b
-
Filesize
59KB
MD58d89a2fed5fe22eb7fd25f7f84feefc1
SHA17f9b5b806071b312b4d9e95391d6d96dbd66dde3
SHA2565c16191e8d38db8381d2e67a324d0dc481c97f2647010a1b343e26277ab2d689
SHA51288b04c9030d1ad1844f05134682c3a9b3adfabdfb22d1145d730a6508ff4ea0a81e21e46f493ff715acb9d3a4e6bb341c885d8b735cea601a86b8e54e9a52b12
-
Filesize
74KB
MD5ba279e43bc3824f4dd387a5a6c15bd60
SHA1857ce7750d1bf83461965e5069f6734c483ceae4
SHA256fff37d64d11ab1cd68e00abf6774656e314388b6cca79fc19e01e33e7bd8c688
SHA512c91b53e8c4b674ab7219e0b41899f95828aecf32b86733174a20700f9d70e658063b1ee26368412c977dd1b3aa812b82073d8d2d3321c3504c4d68c3cb50b784
-
Filesize
872KB
MD56ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA51257d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
-
Filesize
51KB
MD51214c7903301b6105f1751d35f8677a6
SHA143097cbab70e5007ed435eca7839cf693310a632
SHA2569021d861a44500218566588391a3a17f1b1f0b00ab781b27fad7f57a1aa46c52
SHA51293e1b42da3aa5bf7809ac8e4c51fe9bbffc53b54997b0e877c2adeb3d2459f8cde91ab3cd7913146491d5ded88a6b6815fc3b44f4d59844d7e4baa78e6ed37bc
-
Filesize
2.8MB
MD5ed6b0054b73fb3e29f843649546a2ea8
SHA1dd30a10631186a13e13f0ba51cd1e9c9bfec9881
SHA25687c56d8ffbb04f43d63e74af95e6c87c2a588e7bc9bcdb76d4140940e7e3951d
SHA5129f11200edccac2296b4f591059a916a5c4cd725a9720528cd2df27c8248f53df63124d27ab071fc557079dc41983e6926d596033559c4fdfabed7d6160154867
-
Filesize
5.5MB
MD5111eb750a29de28ff6a0a19756d47c87
SHA1fa120633d47ac96c59b77aeaf1c5af62c94f3407
SHA256c85add171691ee684fbeaf84d42977a97aa450541e02a1e80c61f253938a5710
SHA5125958157376bda3b987ced7a41c3db319f2191b63cd1e103aeaa1e9c77ca8fa63be08770ecc423aca56161140f4857db2db1296a7b0f93c8465bdbe1dba6bbecd
-
Filesize
1.7MB
MD57201b45617fddde515846336e78d95b2
SHA1a00afe2646990b1ba446d282143f0b717a61663c
SHA256715feed9e8e28808cd140b740f3e456c17258fac1ad8c098cf68fe73b355d3bb
SHA5121978ecfb11a3564a7b3f215a833d7ca5d9459577be4cf894828c758feac931ffa3dfa1bc2c8eb4f7477445ca88bf598606e4f42ccb7c76cd5d597bcb8d92ea10
-
Filesize
3.7MB
MD59a3e37ef73620d6e46a934061fd6c970
SHA1ac5991927e707d1b620a957a7b5a5d74002fa323
SHA256117bbbb23e6d35820035186949f6ad2f2ae8044fbfef9747b779a5c6e89965d6
SHA512f3117bfffe91e0d87f97c3f058b5be1ce389ec1ceb8b7393752994dcd264115d51fde920d91d712f2fd774d829b0bfec00ee5368c0f95ea69a0605c29eb3ca31
-
Filesize
1.8MB
MD59a612228c9f2ed059ed4d47809793b1d
SHA150bfcb257336d3251865f07f69f65591a2bd41bb
SHA25644e6b37ca76b0297d26d40de3f1c96fb04705cc236e24a93a564012a6f6be896
SHA512ed1381301bfa27e39a2c92f54462f75d96dfe3753254c1532d788f149ff9bd448fb0c75269d092b65df6003b400801aa86f8a3c3f534c54fe9b9a8ac810f9d53
-
Filesize
1.8MB
MD52beba791d39cfddddf945d36f85141dc
SHA124aef72a20886655340a60f36d076e56c240d983
SHA2563e02bdb0b14763d8bf75b22c8d2e17252761304cae329e4d69b9082dddaaf958
SHA5128e99ca3f90ebe567200f482f66fdec9eb9a695a32e6dbaf16768437e428059f2490a2a3138f26c83cfd84bf9216e5f399e675bd4faffddbf224329b405823cfe
-
Filesize
92KB
MD5ebcaa458524017b6b69e50610fdcdfdc
SHA1dde54c9c52267d42df70d932182413757a524050
SHA25695365d774498df62fb358077e847f1dbad95ba6d09b1d6cc76c22d35b0bc9118
SHA512dd146de78e15a86184350ef355cf48b63abbdeda20c10d6bc7507a8699f55e1bc80250986a9cb091f621e9cc5b34cdac552f7ad95f6aed7b09c3988d89471e22
-
Filesize
66KB
MD5d6e907bcb5843d6825949565bb20cab4
SHA1722862a965ce62a21ee20b0b1fb80aa3ca1fdead
SHA2565339cbc5d3fc6aacdcf8a4ff313696b3c23af83a6823f779d769a647df85750b
SHA512f1563a7b3a2f102fc6eff61b35736c2cc3d0bde304532485afb88c434152d283096415905d5c7accf0ea6394fd3e8c1c5b34957688241f14befdba88a0d7bcea
-
Filesize
50KB
MD563b9ae899f5a5c8bfe0ab9d6d583bd01
SHA1013d6416534001cb5be061efd020af56e47eea1f
SHA256e0cfff56e7141f31a568781504048ad5e0308b22227629d4e2885a58a0499b18
SHA512bcadf064b072a29a34ef4593161d8ee7bbe3e1079b1bf08dc7422249fe4181e881084a98b5ac3edbbacbe9de0c3d6804c7f4b2694a51f74840e89f6bca117e3d
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
81KB
MD5a4b636201605067b676cc43784ae5570
SHA1e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA51202096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488
-
Filesize
119KB
MD587596db63925dbfe4d5f0f36394d7ab0
SHA1ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA25692d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b
-
Filesize
60KB
MD549ce7a28e1c0eb65a9a583a6ba44fa3b
SHA1dcfbee380e7d6c88128a807f381a831b6a752f10
SHA2561be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430
SHA512cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9
-
Filesize
154KB
MD5b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA14efe3f21be36095673d949cceac928e11522b29c
SHA25680a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c
-
Filesize
1.1MB
MD5e4761848102a6902b8e38f3116a91a41
SHA1c262973e26bd9d8549d4a9abf4b7ae0ca4db75f0
SHA2569d03619721c887413315bd674dae694fbd70ef575eb0138f461a34e2dd98a5fd
SHA512a148640aa6f4b4ef3ae37922d8a11f4def9ecfd595438b9a36b1be0810bfb36abf0e01bee0aa79712af0d70cddce928c0df5057c0418c4ed0d733c6193761e82
-
Filesize
29KB
MD523f4becf6a1df36aee468bb0949ac2bc
SHA1a0e027d79a281981f97343f2d0e7322b9fe9b441
SHA25609c5faf270fd63bde6c45cc53b05160262c7ca47d4c37825ed3e15d479daee66
SHA5123ee5b3b7583be1408c0e1e1c885512445a7e47a69ff874508e8f0a00a66a40a0e828ce33e6f30ddc3ac518d69e4bb96c8b36011fb4ededf9a9630ef98a14893b
-
Filesize
75KB
MD5e137df498c120d6ac64ea1281bcab600
SHA1b515e09868e9023d43991a05c113b2b662183cfe
SHA2568046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a
SHA512cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90
-
Filesize
155KB
MD535f66ad429cd636bcad858238c596828
SHA1ad4534a266f77a9cdce7b97818531ce20364cb65
SHA25658b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc
SHA5121cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad
-
Filesize
812KB
MD56cff73092664831ca9277c6797993c47
SHA162d17f2bf5785149df53b5adbaecc3579a24cfbe
SHA256a8be7ce0f18a2e14dadb3fe6cc41ec2962dce172f4cb4df4535ff0ec47aee79d
SHA512457211a957656b845ae6e5a34e567c7e33dbb67f6aed9a9c15937f3b39922a2a4bdc70378269c1908fc141eb34adaa70a0b133ba42bf6498f9e41ce372f3f3ca
-
Filesize
1KB
MD54ce7501f6608f6ce4011d627979e1ae4
SHA178363672264d9cd3f72d5c1d3665e1657b1a5071
SHA25637fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24
-
Filesize
3.3MB
MD5ab01c808bed8164133e5279595437d3d
SHA10f512756a8db22576ec2e20cf0cafec7786fb12b
SHA2569c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA5124043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2
-
Filesize
32KB
MD5eef7981412be8ea459064d3090f4b3aa
SHA1c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
Filesize
682KB
MD5de72697933d7673279fb85fd48d1a4dd
SHA1085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA5120fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c
-
Filesize
193KB
MD56bc89ebc4014a8db39e468f54aaafa5e
SHA168d04e760365f18b20f50a78c60ccfde52f7fcd8
SHA256dbe6e7be3a7418811bd5987b0766d8d660190d867cd42f8ed79e70d868e8aa43
SHA512b7a6a383eb131deb83eee7cc134307f8545fb7d043130777a8a9a37311b64342e5a774898edd73d80230ab871c4d0aa0b776187fa4edec0ccde5b9486dbaa626
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
28KB
MD5adc412384b7e1254d11e62e451def8e9
SHA104e6dff4a65234406b9bc9d9f2dcfe8e30481829
SHA25668b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1
SHA512f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
114KB
MD5d0150bee5e917cfd7a7152d6c1988919
SHA1fbcb54efb2fc75f72eaea9605b1a2cae557a121b
SHA256ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1
SHA512a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin
Filesize8KB
MD5da336f8bc532d74f575ff1fdddf981b6
SHA105dedd78845aa54467feee86c790818d13e953e1
SHA256b9ae24d2cb1fe3dd63ee4dec8cf7fe3c039dc13b36b5c66492e3c2734821a0ac
SHA5126996257f0af149d927732c9a500b76e9c5b7752b97120df51b849efe86f2a0ab3c58d355454756b1345c1071b80203a261faa45f6c267924eb1a70e75b85e0d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD5b531a783234d1989d8b3a1dad4f6f5c1
SHA10804bb527f03abd8251a7750bc7079d68015da35
SHA256fc56e666a92d19cdce7499b49ac6dfa38e9ee5513684c32358040b1e2e9219a0
SHA512f9e6bf3937753ea5b75b088025985789f4186e31f3d600957d80cb585b4bab82bf1f230f0dc3002aa2f80e062275f361b9b860c9c2c27ba976dff4fd451438ab
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD5f755ac951a5d794405400ef9b2769fee
SHA17c951bc2815e17d8befbf5703bbef35ced66187e
SHA256db389523d90e477ca7211a8f805320576fd6b075d1e42c4cca2d5adf328084cb
SHA512cfa26a78eefc850bf1fd2020d283f147972c698100a1f9bcc024a78df2d216402477df70f889fc695567b7279d98fbd27712fa3ceccd605068ed4a03315c668a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD5bd6c54d806f10ee0413b70d7415b634b
SHA151870270e2338d7faf126fbf603208abf9e7420e
SHA25662c137f1ae7a6cc6612548c7bd1a2dbcca813d463ea3227831c4b3671795c76a
SHA512a9611da2d2c5a7c6a4e5e1b19d74ee95ab2e2a5fb514991cf82193990901c35f3eaef6803b19c55e23f8192079dc3fb55a5cff4cd993f9c396a3014bf229117d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD5d6a0d3e2afb40c4c0ace074e9f8c8447
SHA1a469f04ef97681b8ec2f52dca7661b466f915eda
SHA2565a59840a89628c166a8eedafcd16c70042a527a5b4845dc115cea7da2f299ac0
SHA51271d134964337eda1a3f5800c23fba4f66e3ac569767c7c29ec2140c815711d16273ddfec8015195f483c576a26aac08c012d8641faadb079f4a8f1ee253bc5b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD55b233920dbaccecbd83763022af9a8b9
SHA1206c4bbb3ee146450d935dc67135eb5633821dd6
SHA256be54da4774d315eab4f61eb169cf8ef38cae1e7a30bb8626b9cd900ef01f1888
SHA5125c8d895329b6b97dd2fa84b417a163257e8719b8e007dd90635105ab46adce1de3929275d3a06a3628d6a821c38e61e743399b0060af59f3c7e523a34d649546
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5386b4d941241a00dfe38fb4c01b5936f
SHA17ffd02622aae04f1591f5f96e9c7ffe99f7a2b04
SHA2561d50d12d4c4b4f598e23bf79958d644c137ea840680ebcef6c8bf7c03accd37c
SHA512d9bca8484f4f24bf2a1031fa031af858078ad94faa4b102578b318b53aced211235ca0af7618582f7727294dafd4426edf0ae8094192eaa4c5f48d38c2658750
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD572ddf8821163fe20abd6b9a6f12d4a94
SHA1abf63a8620912fa8cf06e57642daeafd08d00297
SHA256a765b59b64a4c2dc737a8d9afd1bcade0375a07bf2df8f2dc91a305da66d9a3f
SHA5120ca4ceebef08f067392bb336fa7f9ad397c68295d0e3c02f0c639297c45746d619486eb3ee28c745852713f62af0784f2d5ac9a42a08cf0268ded988b35cf231
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD562101c17ba8d4c715ec6bd6b0227a456
SHA17cee62b61f0a282d8fe74fbfc57dadbc0ed482b2
SHA256bd82023ad210a53890ab62be4eae50b1429d5ef022fcd5d34409dae041e29085
SHA5126b7145d9d2b1a20d64bbff6df3ae086cabcf083688b68d659ad7a3afaec6f85d2cd43adc6d14c6544732367721a7c0ddd9d98316861342bc7d6e0679c47d944e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5db270adefcf341fe37327201374660ca
SHA19d02be0fb141b1c51d6f7d370133bcaea9fc7372
SHA2569b50cee5db012a66c569a53ed21dc9d6575ff0950717c59331647041c1f55a58
SHA512497c319be1a153faadfc2e922b97a7e5b3a67a99184861b60df2cbf0c2241c7780a6c2841535ee50029ee684d10de5740e818277cd47c5ec0b5dc9206b4a502b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD54e09eac3f39897782c75894837032b45
SHA1a0941af30d5dc871cc1d9cc6b74a36071919dbeb
SHA2564dd98fa3132d000db2dee2ab5074de9479320bfdd698eed61e290922fe861edc
SHA512c41a15ee2ab448e0dcc2bc8b1da3729e333d5db110f79a13d0dd8fc2461240231f202af567745fb781251409d6007571b62fdfb8632e7aa0ac526875a59094e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\426d59ac-f621-44e3-8f19-6f24629c1fc5
Filesize905B
MD5f9069fd7a9d6a40a9850571a6cd18878
SHA1ba582647b8f546748fbe51a2f22c86df49a1c57c
SHA2569024f985cf422efd5dea9510f4a3e18190c5a2cb908ddec323857f1b38831446
SHA5122ffb323cb7017788ed88294e36d651874106e82408c5add272df2c77fb97036f8e8c97b933b6f17b20a66e684d87cb51794eba4829b33f01deee202e86961fc7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\43e10002-4123-43f9-afd8-6676d1625dff
Filesize653B
MD57c2bd5095e6a6e12229b6946770ffac0
SHA14c58bc4bbcb231bc7eb2735c4d881f248c7cf0bb
SHA256cac7a6bed41319ffae1f8955ad0da9c4344e5b182f91e42e58d5ad9594ad39c5
SHA512b12c980f20fd2ec1827c0b5e4c830362defc986eec282ede47b918bc426bc063d1c77456a4b2dfb70db33e75e7fec36f714517bdc0419330821e5b51b9daaa52
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\61c5a75b-014e-4dfa-90c9-c23d2c6b56e2
Filesize982B
MD57d71dcf4c606f8b9cc21794064a2d558
SHA14f1a63539c9951794c2c6611cfa64572ebf2df81
SHA2569a8aff43c9f223bac2d4c64a557d7e35907928d250749deae88057ae5a08222f
SHA51231fb098f4ca254be549515541e443dd4d45ba8067d9dfe5203d692d39149fe377738a04d16acebe78047c43b63a805c10cd32731ce2c722a13e78d861f138f6a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\92d96dcd-88e4-4fb3-a7cf-7a2e6682a856
Filesize26KB
MD5338634b4cface1b55edf32398c0f0b43
SHA1c59339da7da4c75d89d69188a5ddbb20c2e7c29b
SHA2565ce4a3515bc4785c7839742fc6176e15c6775655c1c51ec24c9e223d2b941fac
SHA5124e8799746d5e58f011292cbd6f5d22f96aed9a2bee3787a528469730939ab1b61972477eda7b54529aef97ecbca75d6124e5594292c2fe379900df8ff5c47782
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\93d69fbd-82da-46f4-ae31-17c468479ba5
Filesize648B
MD5184da8aba302226ac2d80aae5f0ff8c8
SHA12d64174e799c10e6cd7233206ed0d7d094d2bf5f
SHA256dcf4e735997f6585e5d98dfe35acf058624deaa583819d36fcfe8fca32e68b00
SHA512494036fb8703f7fc37c3bbff132d237f43ca17294fa691e1e366a02111395c61bc31cabc6317f7a7ef5818fc4fa05c5a8666ec98df100f31b606ce4d5cb382a6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\b6bc50d4-4e2f-4dd2-8540-ae2c10585971
Filesize671B
MD5ce6c54ae0fbd486163981b462017f526
SHA1d1886fab2fe1a530bbbe9fcadeacc156b037a1e9
SHA2569a06d629c6f020f7459b2f7351e66459e2123de44b974f7b410f8ea5f7399538
SHA5125c8c33bfd55721c04ddfa5be6300aa2d9b0017cf234397bfa40f2c067f9c48b7c4d8c621baeff7d13a2777d06f1f71d74a71a488875b9b53f89b4e4860567193
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD575c8374e7c685ac17379793142285111
SHA1e60ef8af2f00ad5324355ffc6eedf3b875ec299a
SHA2564089c5b68dad14e3498f62acd118cfe126c8abc7c5b0f2673b581c6ed5a0163b
SHA5129407fb7e20084f2d8e59807e396939cc8bc8f390e626a85d03b2e7dfeaf18e395f67e58b9149be8b6af66bf825ccfd0bbeb67fec3dbe8322c4d7429ca7f367e6
-
Filesize
15KB
MD555e2f9ad26e065ad37c063519f553e0f
SHA193f03e4835d7904ea973c4ac4b8be309fdd0a6ad
SHA256295aa0c3fcee54a9b722d6ff5ad3bf46437becec9b62067877a76109b4d4acbc
SHA512ebc4f7c623126d412284be95834b180860d21041998b4477921ff6aaad6998f211e7accf1b691b31cb8e1d2cb9f1923e4bc2cb59a578356e5cecc41b6aee7d5d
-
Filesize
16KB
MD5a93d0786b07d0112dfacff1155e9e9df
SHA1faa74824cdd1fb08981274a60ee96c373058975f
SHA25627f51f7049d82d41a894e575ed85c7627abd319db37da018d6a304e4ba6824c0
SHA5125d002f00f38294e08afd98395356ff329ced18938ad1ccf4f77a132e337af3b8dea05b76c5f3ef991b39c879a0933d3ea685e0581586f4053574329137fa0036
-
Filesize
16KB
MD5cae88b64758552a4fafc83b9fab79184
SHA1d5f767d7ce2d5096d34adf9a3eedd1e322ecac9f
SHA256d0b29cedb89f3adef468f5d496283507d515b72735a32abc4107ebe77f0ac682
SHA512aa1e8cb0f2bc6451422d7c3efeb1c5fbf8c01839a79c84c65b378b5e29f62a53753d074b3129dc1655b39ca6dfa7a70b91b51f897838d5d8e30170bf126f223b
-
Filesize
15KB
MD59bbe820a0b1a2f3be91d1f94242d2dfc
SHA109316300e3e2b2c48d26487b41199ac4f0d6c7d9
SHA256c71046e90ae4a90ff362c18f29cbd3bce722d18feafa04f329d688a17ad7c348
SHA512963b1e798b15f6c5a58b27d89bc0ac19fa40edd5786a00e7c3defd3ee3df20f88f50f53e719b5947792170996ea5105309776752ca826df2bf8a2136bf436b07
-
Filesize
10KB
MD588e7427002583d35328758b01c19976e
SHA1a8d7a29f7ec318508a70437bb42ac402645c519f
SHA2560dbb46d7348532f48b71c0bc4c02eea7354797c37d526256650f96b1b73e3ce0
SHA5124bb6938d04557d3a24a1ed22bb3675b09ea73cfdac954394a683bd2919ac046d2e086292d183fd34b46b514e7654c114ead9b9f2c948cad641ebf4157d17cd64
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2