amadey | 19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
Size

1.8MB
MD5

4bda10f72c2430d42325f6370b200503
SHA1

90dea37e11ef453277c70c0893cba71e4300c2f7
SHA256

19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae
SHA512

c8cfd93dc322c7d1e2fc6ecd1da797ed43b9c8bbc544d920d1f62e80b19b6ac45642e4d474001fab9c8144a5cf99cdce6752c1117828bbd3d1a0dab1b6a71807
SSDEEP

49152:nE/WgpUXWX6t2GXpNSlTPWUpdZZByL4ML7F0:YUXWWrXS1PFdZ+

Score

10^/10

amadey lumma stealc xmrig 9c9aa5 drum discovery evasion miner persistence stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

stealc

Botnet

drum

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Enumerates VirtualBox registry keys 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	b769c491da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	ac5f2c96f6.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b769c491da.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1c6b40716f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac5f2c96f6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d658512fe1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5adbff6d18.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac279c23eb.exe

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1100-161-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-162-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-165-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-174-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-175-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-177-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-178-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-176-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig
behavioral1/memory/1100-179-0x0000000140000000-0x00000001408F6000-memory.dmp	xmrig

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1c6b40716f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d658512fe1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac279c23eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5adbff6d18.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5adbff6d18.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac279c23eb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac5f2c96f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b769c491da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b769c491da.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1c6b40716f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac5f2c96f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d658512fe1.exe

Executes dropped EXE 12 IoCs

pid	Process
2852	skotes.exe
2520	XW5qFPl.exe
1440	gU8ND0g.exe
1548	b769c491da.exe
684	1c6b40716f.exe
1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
2796	ac5f2c96f6.exe
2172	d658512fe1.exe
1592	5adbff6d18.exe
1212	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
2724	044159d179.exe
1752	ac279c23eb.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	ac5f2c96f6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	d658512fe1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	5adbff6d18.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	ac279c23eb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	b769c491da.exe
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	1c6b40716f.exe

Loads dropped DLL 25 IoCs

pid	Process
2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
2852	skotes.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
2852	skotes.exe
2852	skotes.exe
2852	skotes.exe
2852	skotes.exe
2852	skotes.exe
1624	taskeng.exe
1624	taskeng.exe
684	1c6b40716f.exe
2852	skotes.exe
2852	skotes.exe
2852	skotes.exe
2852	skotes.exe
1624	taskeng.exe
2852	skotes.exe
2852	skotes.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\d658512fe1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010469001\\d658512fe1.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\5adbff6d18.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010470001\\5adbff6d18.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\044159d179.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010471001\\044159d179.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ac279c23eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010472001\\ac279c23eb.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001a4af-307.dat	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
2852	skotes.exe
1548	b769c491da.exe
684	1c6b40716f.exe
2796	ac5f2c96f6.exe
2172	d658512fe1.exe
1592	5adbff6d18.exe
1752	ac279c23eb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 1100	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	50
PID 1212 set thread context of 1692	1212	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	59

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1100-157-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-158-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-159-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-156-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-161-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-160-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-162-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-165-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-174-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-175-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-177-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-178-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-176-0x0000000140000000-0x00000001408F6000-memory.dmp	upx
behavioral1/memory/1100-179-0x0000000140000000-0x00000001408F6000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	2520	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d658512fe1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	044159d179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac5f2c96f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac279c23eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b769c491da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XW5qFPl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c6b40716f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5adbff6d18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1844	PING.EXE
1880	powershell.exe
1228	PING.EXE
2244	powershell.exe
2708	PING.EXE
2156	powershell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2996	taskkill.exe
1936	taskkill.exe
1904	taskkill.exe
2140	taskkill.exe
564	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1844	PING.EXE
1228	PING.EXE
2708	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
2852	skotes.exe
2156	powershell.exe
1548	b769c491da.exe
1548	b769c491da.exe
1548	b769c491da.exe
1548	b769c491da.exe
1548	b769c491da.exe
1548	b769c491da.exe
684	1c6b40716f.exe
1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
1100	explorer.exe
1880	powershell.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
2796	ac5f2c96f6.exe
2796	ac5f2c96f6.exe
2796	ac5f2c96f6.exe
2796	ac5f2c96f6.exe
2796	ac5f2c96f6.exe
2796	ac5f2c96f6.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
2172	d658512fe1.exe
1100	explorer.exe
1100	explorer.exe
1100	explorer.exe
1592	5adbff6d18.exe
1100	explorer.exe
1100	explorer.exe
1212	MicrosoftEdgeUpdateTaskMachineCoreSC.exe
2244	powershell.exe
1100	explorer.exe
2724	044159d179.exe
1100	explorer.exe
2724	044159d179.exe
1100	explorer.exe
1100	explorer.exe
1752	ac279c23eb.exe
1752	ac279c23eb.exe
1752	ac279c23eb.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeLockMemoryPrivilege	1100	explorer.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeLockMemoryPrivilege	1100	explorer.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	2176	firefox.exe
Token: SeDebugPrivilege	2176	firefox.exe
Token: SeDebugPrivilege	1752	ac279c23eb.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
1100	explorer.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2176	firefox.exe
2176	firefox.exe
2176	firefox.exe
2176	firefox.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2176	firefox.exe
2176	firefox.exe
2176	firefox.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe
2724	044159d179.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2852	2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe	30
PID 2384 wrote to memory of 2852	2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe	30
PID 2384 wrote to memory of 2852	2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe	30
PID 2384 wrote to memory of 2852	2384	19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe	30
PID 2852 wrote to memory of 2520	2852	skotes.exe	33
PID 2852 wrote to memory of 2520	2852	skotes.exe	33
PID 2852 wrote to memory of 2520	2852	skotes.exe	33
PID 2852 wrote to memory of 2520	2852	skotes.exe	33
PID 2520 wrote to memory of 1496	2520	XW5qFPl.exe	34
PID 2520 wrote to memory of 1496	2520	XW5qFPl.exe	34
PID 2520 wrote to memory of 1496	2520	XW5qFPl.exe	34
PID 2520 wrote to memory of 1496	2520	XW5qFPl.exe	34
PID 2852 wrote to memory of 1440	2852	skotes.exe	35
PID 2852 wrote to memory of 1440	2852	skotes.exe	35
PID 2852 wrote to memory of 1440	2852	skotes.exe	35
PID 2852 wrote to memory of 1440	2852	skotes.exe	35
PID 1440 wrote to memory of 1692	1440	gU8ND0g.exe	36
PID 1440 wrote to memory of 1692	1440	gU8ND0g.exe	36
PID 1440 wrote to memory of 1692	1440	gU8ND0g.exe	36
PID 1440 wrote to memory of 2980	1440	gU8ND0g.exe	37
PID 1440 wrote to memory of 2980	1440	gU8ND0g.exe	37
PID 1440 wrote to memory of 2980	1440	gU8ND0g.exe	37
PID 1440 wrote to memory of 2336	1440	gU8ND0g.exe	40
PID 1440 wrote to memory of 2336	1440	gU8ND0g.exe	40
PID 1440 wrote to memory of 2336	1440	gU8ND0g.exe	40
PID 1440 wrote to memory of 2156	1440	gU8ND0g.exe	41
PID 1440 wrote to memory of 2156	1440	gU8ND0g.exe	41
PID 1440 wrote to memory of 2156	1440	gU8ND0g.exe	41
PID 2156 wrote to memory of 1844	2156	powershell.exe	44
PID 2156 wrote to memory of 1844	2156	powershell.exe	44
PID 2156 wrote to memory of 1844	2156	powershell.exe	44
PID 2852 wrote to memory of 1548	2852	skotes.exe	45
PID 2852 wrote to memory of 1548	2852	skotes.exe	45
PID 2852 wrote to memory of 1548	2852	skotes.exe	45
PID 2852 wrote to memory of 1548	2852	skotes.exe	45
PID 2852 wrote to memory of 684	2852	skotes.exe	46
PID 2852 wrote to memory of 684	2852	skotes.exe	46
PID 2852 wrote to memory of 684	2852	skotes.exe	46
PID 2852 wrote to memory of 684	2852	skotes.exe	46
PID 1624 wrote to memory of 1404	1624	taskeng.exe	49
PID 1624 wrote to memory of 1404	1624	taskeng.exe	49
PID 1624 wrote to memory of 1404	1624	taskeng.exe	49
PID 1404 wrote to memory of 1100	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	50
PID 1404 wrote to memory of 1100	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	50
PID 1404 wrote to memory of 1100	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	50
PID 1404 wrote to memory of 1100	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	50
PID 1404 wrote to memory of 1100	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	50
PID 1404 wrote to memory of 1880	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	51
PID 1404 wrote to memory of 1880	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	51
PID 1404 wrote to memory of 1880	1404	MicrosoftEdgeUpdateTaskMachineCoreSC.exe	51
PID 1880 wrote to memory of 1228	1880	powershell.exe	53
PID 1880 wrote to memory of 1228	1880	powershell.exe	53
PID 1880 wrote to memory of 1228	1880	powershell.exe	53
PID 2852 wrote to memory of 2796	2852	skotes.exe	55
PID 2852 wrote to memory of 2796	2852	skotes.exe	55
PID 2852 wrote to memory of 2796	2852	skotes.exe	55
PID 2852 wrote to memory of 2796	2852	skotes.exe	55
PID 2852 wrote to memory of 2172	2852	skotes.exe	56
PID 2852 wrote to memory of 2172	2852	skotes.exe	56
PID 2852 wrote to memory of 2172	2852	skotes.exe	56
PID 2852 wrote to memory of 2172	2852	skotes.exe	56
PID 2852 wrote to memory of 1592	2852	skotes.exe	57
PID 2852 wrote to memory of 1592	2852	skotes.exe	57
PID 2852 wrote to memory of 1592	2852	skotes.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2980	attrib.exe
1692	attrib.exe

C:\Users\Admin\AppData\Local\Temp\19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe
"C:\Users\Admin\AppData\Local\Temp\19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe
    "C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 92
      4⤵
      Loads dropped DLL
      Program crash
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe
    "C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\attrib.exe
      attrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
      4⤵
      Views/modifies file attributes
      PID:1692
  - - C:\Windows\system32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
      4⤵
      Views/modifies file attributes
      PID:2980
  - - C:\Windows\system32\schtasks.exe
      schtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell ping 127.0.0.1; del gU8ND0g.exe
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1844
- - C:\Users\Admin\AppData\Local\Temp\1010466001\b769c491da.exe
    "C:\Users\Admin\AppData\Local\Temp\1010466001\b769c491da.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\1010467001\1c6b40716f.exe
    "C:\Users\Admin\AppData\Local\Temp\1010467001\1c6b40716f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:684
- - C:\Users\Admin\AppData\Local\Temp\1010468001\ac5f2c96f6.exe
    "C:\Users\Admin\AppData\Local\Temp\1010468001\ac5f2c96f6.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\1010469001\d658512fe1.exe
    "C:\Users\Admin\AppData\Local\Temp\1010469001\d658512fe1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\1010470001\5adbff6d18.exe
    "C:\Users\Admin\AppData\Local\Temp\1010470001\5adbff6d18.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\1010471001\044159d179.exe
    "C:\Users\Admin\AppData\Local\Temp\1010471001\044159d179.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:2016
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2176
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.0.1113628877\1007927531" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1204 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6583a6a1-0682-4d55-b5a4-838296ba23c0} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1352 10befa58 gpu
        6⤵
        
        PID:2408
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.1.911833626\191774611" -parentBuildID 20221007134813 -prefsHandle 1516 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cff7e13b-cbcf-4bac-a86d-1701e0997014} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 1528 10b06b58 socket
        6⤵
        
        PID:388
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.2.2075979935\1855301215" -childID 1 -isForBrowser -prefsHandle 2024 -prefMapHandle 2020 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45e7f0e0-b3c7-4df1-ad88-daadcf3d45db} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2036 10b60758 tab
        6⤵
        
        PID:1708
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.3.1450001322\13357273" -childID 2 -isForBrowser -prefsHandle 2888 -prefMapHandle 2884 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be09f7dd-f69d-43ea-95d6-244df0f90045} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 2892 1b88f058 tab
        6⤵
        
        PID:1712
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.4.1688805597\2115070449" -childID 3 -isForBrowser -prefsHandle 3756 -prefMapHandle 3752 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb65953c-03cd-4012-a577-174077c36d26} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3768 1ec36258 tab
        6⤵
        
        PID:884
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.5.1427503783\1765775392" -childID 4 -isForBrowser -prefsHandle 3884 -prefMapHandle 3888 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {331ac3fc-8926-462f-9418-0d9c7da1f26c} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3872 1ec36558 tab
        6⤵
        
        PID:3068
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2176.6.856872638\888023523" -childID 5 -isForBrowser -prefsHandle 3996 -prefMapHandle 4000 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 712 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {033acc79-dcc0-461b-bc4c-59f453bc37ae} 2176 "\\.\pipe\gecko-crash-server-pipe.2176" 3988 1ed58758 tab
        6⤵
        
        PID:1516
- - C:\Users\Admin\AppData\Local\Temp\1010472001\ac279c23eb.exe
    "C:\Users\Admin\AppData\Local\Temp\1010472001\ac279c23eb.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1752

C:\Windows\system32\taskeng.exe
taskeng.exe {4C38B835-A731-4591-A5B4-3D60624D789B} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
    3⤵
    - Drops file in System32 directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.1.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1228
- C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe
    3⤵
    - Drops file in System32 directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.1.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
a5a0abeaedcd12b358cea3e79581e519

SHA1
d4b958c2c1c11409ebc00ee37dc39c6ed7b5c33c

SHA256
42ba3b3d06d092d1cebae32d55a0f767bf7bb63ce74d0018ddefd0af88a91d1a

SHA512
f61d739c934f6d77fd99747d2e96b6967ddce4a392140e5fd8caffadf747fa7194bdea124517442c2bd25075c19a54ef1333e1f10c2b300afc70fd82aa05f03f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010410001\lnwtLq4.exe

Filesize
5.2MB

MD5
f9d439154b882444a73ebece7b6dff73

SHA1
7f824a2f7c485c1445d7c1d249217b0c01c3acda

SHA256
9c022e0b33b29cde3ad608628c8928939e543be3fcc62397c4a7951cbc552488

SHA512
4f1474de49831a62a33656a0107f430b80d5a08658d888ba6bc0990ba610068d4dab59216ea956ad059ca084f6c51325b79e28199ced66adc806d95843d59c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe

Filesize
224KB

MD5
dd15cf2bfc32f80e24ca203869cdf7a0

SHA1
d65e41d3e892c26d31d64bd129d0de29b4729df2

SHA256
3373ad6983c5f596d6c022403fabc1642b957de64b3d5ea7360a11d2c862c040

SHA512
28f2ced84d162d86aea6dd508869292c484cd0907f338b9185500a1301144191e32eeb596833d4333c3ef819102887044007952ed93ba04dddbd8b23fd3b650b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe

Filesize
2.2MB

MD5
4c64aec6c5d6a5c50d80decb119b3c78

SHA1
bc97a13e661537be68863667480829e12187a1d7

SHA256
75c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253

SHA512
9054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010466001\b769c491da.exe

Filesize
4.3MB

MD5
52fcb84b6a36a8e28a1b56f2603edf23

SHA1
7c57ca452f6cac2ac981a6d9a2f6dd6b3f1024cb

SHA256
a335b6dfadfcba436732f642a8051ecd6d92b5ed1f140a7204166318885d1977

SHA512
a716a7694be16901b89e8d2a5b811ae09b23f018c2745ec71c1a266311e2a83fcd4cc80b7669ab8f1bb76b960cfe1ab06beb69339173e8b7a50182c7e8ef1d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010467001\1c6b40716f.exe

Filesize
1.9MB

MD5
bfc42771a57c54c13eaf5c08d901d575

SHA1
3b56aaa66444eb79c8e6a9158a677652420162e8

SHA256
db977ee9f15c7de15daf23d0da221fc050dda8f26ee192f7052c1aaf97eff338

SHA512
bb18a33231f241c7503886da19a470e65b2c3cdc62b049fd3352f8b8e6180e4ed16939fd7f5d5b495389ac8d9de0917713e9bbda1a00a9c116e2d4ce0dda857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010468001\ac5f2c96f6.exe

Filesize
4.2MB

MD5
ec8ed73e21b10c6b4e769c69ede7c092

SHA1
c0dc8df08ad331206be57370a03350a0c93b4c34

SHA256
aac5962d87db217c6af7fa8fcd430da59251e2d8d98ee371bcdba6c4f5c91067

SHA512
18d5939b63db842370227d3824fe45ab1032703e0b05879c505abcf4b3aeb7b9f095b454e7257fb1a08cde63e5affe0b8d8ff6b378808eea143186fe7d8528c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010469001\d658512fe1.exe

Filesize
1.8MB

MD5
8f22641c66c6456fcf2ede553588c7ac

SHA1
565a7aac9d7b143800249cc3d764bde0da8cb543

SHA256
e838b1da3cb25600d92250ff58f560547d33a872dedc01846efef9e8e9d0feea

SHA512
413785420304092eafd782f48e1aa44935eb373354d25075d1c454cf7ede2c5f179789f78adccb4f940c8c6309b246fde7cb964e5f696cc132e6a98f629fce68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010470001\5adbff6d18.exe

Filesize
1.7MB

MD5
4b1829d06a2bfaa44a8641352f72e9c7

SHA1
2fb0dc341ce2cd9821f706d3f008d1fd4d66f99f

SHA256
aba4c12ea3dae07d48556e2e9cdce2917f17a22297b8340940ce21552c06495c

SHA512
3d567b96c693ee74633cf3a82187e0087241c73f603d0a9c7b583b453633497c8e47fcf682cdd69b92f9ae3b21ad46f627054e14271d2640316af048d28469fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010471001\044159d179.exe

Filesize
901KB

MD5
d458150353e036de3d0ad086097981f5

SHA1
d6847190302c2dd027a9e81657070de7fc7f1ff2

SHA256
f45a44994e90602e0da5c528b9fa4bfea3af5919913d596b1106b6da56387618

SHA512
98cd2fae3c6cfa52c31e3a0637ea32967c8e470c362780fbaac19df88d8f12cc8a90ae5046a480bab157b496761c9304b219fd055f256d1c5ffd88e267a848c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1010472001\ac279c23eb.exe

Filesize
2.7MB

MD5
42145e1ebafce34187ad375e1f69e103

SHA1
1e0e36bf698c2e5e63ea73d9e92f932ceceb7b87

SHA256
c1bfb6a5d5542512a2bfe1b4837c4a3a7a1aec01311905fa9d949cf030a0f3d3

SHA512
8eed4ad9d304c5f9b55aac922835826380df646ac2bcc881a322ab39f078c67af56a5263c1c109b0088c95a78b018073ee84fa02d043c9ea254d845e83f023af

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1CD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA1FF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b87a85d0c374390949957fba76c3416f

SHA1
d69eabc7c5365fac5de35afe2501384d9eae6027

SHA256
19c92c6602c83625e0df78026e64c0e9de6958fc07cc8232fa05b3e458bfe64c

SHA512
86fc4da32a350bcaeea4ad636799d29201072c61d6d16712b27280538fe74c1b8905f47eacda5360a3c096bba7de10bf6fc1f3e54e3d75ccdb47f038a71d8358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JL0VZU4YHRGFDKQ42CXA.temp

Filesize
7KB

MD5
f1a76a7d812d3bf518c6639a3c29f318

SHA1
6ca28c1c8ca3ff221c65888c0bfb06ebb6daefbb

SHA256
46a6d8dc33342e5dfcdf1bc420cd29ec91b90fe87de0115a1c14c4f4b01afaa7

SHA512
fdb40b225b2e12e9333f11834e0d841fc12417f3f0e1830b2235cae6d4ffba6d138ea5737c2c4ca2bc7f1ed67f208fe4a8db669e5329af2f855e151e1183b675

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
620be09f2501b91e0a2989a05b51372b

SHA1
779f12f005435ddec778887af2f77eb89376e07c

SHA256
319f6f08f3c65962f4c7e04653c8e9d25a2adee4ed8de7809cc7ece3f4d90eb7

SHA512
44dd368e888ff98330502f4efdb483fb694c59da979ff7be0e13c89bc114784ffd89621d3c31e94cec07f453340f1459f5c059f9620fa2cd927e6d32718c819a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\6a9b4cab-0525-491c-9ef3-cf29bd9aed47

Filesize
733B

MD5
b4fa0ac57259717ecd21478204484d37

SHA1
b8840685aafacfe20fb0495cb40cdfd4ceb1f464

SHA256
77d27fd4fca004b1650f0669e6eefd40f994c4425d6e44f9dde667b5d358a0eb

SHA512
665482efaf021452cc0dd4c5dc7348f548e055444318e1baf4d6ba65c1a855e437f74c6977fd86a92c455076fb7eadf7fff4aeab32edaf152c6554e17a83f6e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
abd5417865d5767e3b43d53509dcc82d

SHA1
34802e233bbe940226f7651a9092b6285fe57c27

SHA256
347cfd61fff2ec783090867a5ed54050b3876d9bfa58b2bdac79af664f295d2e

SHA512
569846d665be25e69a1c0dff825f302b24645548c314dc5296954c315650ac40bfb8c84b3ecdd2b1ba478981a3e187bebb26cb7f4b9fa45d2976cc2c00b12a5f

Download Submit
\Users\Admin\AppData\Local\Temp\3B2wW8dvReBz\Y-Cleaner.exe

Filesize
1.4MB

MD5
a8cf5621811f7fac55cfe8cb3fa6b9f6

SHA1
121356839e8138a03141f5f5856936a85bd2a474

SHA256
614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c

SHA512
4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
4bda10f72c2430d42325f6370b200503

SHA1
90dea37e11ef453277c70c0893cba71e4300c2f7

SHA256
19de0fd6ffb9e81c5d82212a4c90a84415849fed81b01c173cc90a4c422117ae

SHA512
c8cfd93dc322c7d1e2fc6ecd1da797ed43b9c8bbc544d920d1f62e80b19b6ac45642e4d474001fab9c8144a5cf99cdce6752c1117828bbd3d1a0dab1b6a71807

Download Submit
memory/684-194-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-152-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-145-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-140-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-138-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-127-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/684-184-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-186-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/684-123-0x0000000000400000-0x00000000008C8000-memory.dmp

Filesize
4.8MB

Download
memory/1100-176-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-165-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-162-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-160-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-174-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-161-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-163-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1100-156-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-159-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-175-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-158-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-177-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-178-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-157-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1100-179-0x0000000140000000-0x00000001408F6000-memory.dmp

Filesize
9.0MB

Download
memory/1548-102-0x0000000000AC0000-0x000000000176F000-memory.dmp

Filesize
12.7MB

Download
memory/1548-100-0x0000000000AC0000-0x000000000176F000-memory.dmp

Filesize
12.7MB

Download
memory/1548-135-0x0000000000AC0000-0x000000000176F000-memory.dmp

Filesize
12.7MB

Download
memory/1548-133-0x0000000000AC0000-0x000000000176F000-memory.dmp

Filesize
12.7MB

Download
memory/1548-104-0x0000000000AC0000-0x000000000176F000-memory.dmp

Filesize
12.7MB

Download
memory/1592-292-0x0000000000370000-0x00000000009FA000-memory.dmp

Filesize
6.5MB

Download
memory/1752-483-0x0000000000D70000-0x000000000102E000-memory.dmp

Filesize
2.7MB

Download
memory/1752-482-0x0000000000D70000-0x000000000102E000-memory.dmp

Filesize
2.7MB

Download
memory/1880-173-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1880-172-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2156-83-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2156-82-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2172-231-0x0000000001110000-0x00000000015A4000-memory.dmp

Filesize
4.6MB

Download
memory/2172-271-0x0000000001110000-0x00000000015A4000-memory.dmp

Filesize
4.6MB

Download
memory/2244-322-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2244-323-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2384-0-0x0000000001380000-0x0000000001830000-memory.dmp

Filesize
4.7MB

Download
memory/2384-19-0x0000000006D60000-0x0000000007210000-memory.dmp

Filesize
4.7MB

Download
memory/2384-6-0x0000000001380000-0x0000000001830000-memory.dmp

Filesize
4.7MB

Download
memory/2384-4-0x0000000001380000-0x0000000001830000-memory.dmp

Filesize
4.7MB

Download
memory/2384-3-0x0000000001380000-0x0000000001830000-memory.dmp

Filesize
4.7MB

Download
memory/2384-18-0x0000000001380000-0x0000000001830000-memory.dmp

Filesize
4.7MB

Download
memory/2384-2-0x0000000001381000-0x00000000013AF000-memory.dmp

Filesize
184KB

Download
memory/2384-1-0x0000000077620000-0x0000000077622000-memory.dmp

Filesize
8KB

Download
memory/2796-210-0x00000000001E0000-0x0000000000E46000-memory.dmp

Filesize
12.4MB

Download
memory/2796-235-0x00000000001E0000-0x0000000000E46000-memory.dmp

Filesize
12.4MB

Download
memory/2796-233-0x00000000001E0000-0x0000000000E46000-memory.dmp

Filesize
12.4MB

Download
memory/2796-215-0x00000000001E0000-0x0000000000E46000-memory.dmp

Filesize
12.4MB

Download
memory/2796-214-0x00000000001E0000-0x0000000000E46000-memory.dmp

Filesize
12.4MB

Download
memory/2852-212-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-59-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-149-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-213-0x0000000007210000-0x0000000007E76000-memory.dmp

Filesize
12.4MB

Download
memory/2852-27-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-195-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-216-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-26-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-228-0x0000000007210000-0x00000000076A4000-memory.dmp

Filesize
4.6MB

Download
memory/2852-24-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-28-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-29-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-23-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-22-0x00000000001E1000-0x000000000020F000-memory.dmp

Filesize
184KB

Download
memory/2852-185-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-272-0x0000000007210000-0x00000000076A4000-memory.dmp

Filesize
4.6MB

Download
memory/2852-273-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-208-0x0000000007210000-0x0000000007E76000-memory.dmp

Filesize
12.4MB

Download
memory/2852-290-0x0000000007210000-0x000000000789A000-memory.dmp

Filesize
6.5MB

Download
memory/2852-181-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-21-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-98-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-99-0x0000000007210000-0x0000000007EBF000-memory.dmp

Filesize
12.7MB

Download
memory/2852-324-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-339-0x0000000007210000-0x000000000789A000-memory.dmp

Filesize
6.5MB

Download
memory/2852-101-0x0000000007210000-0x0000000007EBF000-memory.dmp

Filesize
12.7MB

Download
memory/2852-103-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-122-0x0000000007210000-0x00000000076D8000-memory.dmp

Filesize
4.8MB

Download
memory/2852-121-0x0000000007210000-0x00000000076D8000-memory.dmp

Filesize
4.8MB

Download
memory/2852-132-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download
memory/2852-136-0x0000000007210000-0x00000000076D8000-memory.dmp

Filesize
4.8MB

Download
memory/2852-137-0x0000000007210000-0x00000000076D8000-memory.dmp

Filesize
4.8MB

Download
memory/2852-143-0x00000000001E0000-0x0000000000690000-memory.dmp

Filesize
4.7MB

Download