Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2024 05:04
Static task: static1
General
Target: file.exe
Size: 1.8MB
MD5: 96c1a1b70f47f88edff0fc615aae0c6b
SHA1: d9676fea886264dae4c2164cf392da1a9ac38e3a
SHA256: c326252a4700a59f6250b3a8f090996a80a4912bdc5de66021c20091879c2cfb
SHA512: fb26db4bf804d8fedb40203c737afdfcf9f581c1e370195fb03ac36ff38643b3ca437396c6a1574759c86075ee41dbe2106a4e0f484123d6a902d454eff3666b
SSDEEP: 49152:BU3M/NF3eOV8d94fGPrYFOa0GW8V34+M:4M/eY8kfGzYFOa0GW8V
Malware Config
Extracted: amadey
  version: 4.42
  botnet: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
  (install_dir and install_file match the second process in the tree below, C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe; url_paths is relative to the C2 host.)
Extracted:
  http://encrypthub.net:8080
  https://encrypthub.net/Main/antivm.ps1
Extracted: lumma
Extracted: stealc
  botnet: drum
  C2: http://185.215.113.206
  url_path: /c4becf79229cb002.php
Signatures
Amadey family
Lumma family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 5b31e6a791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 5b31e6a791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 5b31e6a791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 5b31e6a791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 5b31e6a791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 5b31e6a791.exe
(Writing under HKLM\SOFTWARE\Policies needs administrative rights, which the sandbox user Admin has; on a standard-user desktop these writes fail. On Windows 10/11 with Tamper Protection enabled the Real-Time Protection policy values are ignored as well.)
Stealc family
Xmrig family
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 75d24969e9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 2410e527be.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by: file.exe, fe36a05b11.exe, 011ef6e291.exe, 75d24969e9.exe, skotes.exe, XXM5y4g.exe, dfa42dbe56.exe, 5b31e6a791.exe, 2410e527be.exe
XMRig Miner payload 9 IoCs
resource | yara_rule
behavioral1/memory/3300-{837,838,849,851,852,853,854,855,857}-0x0000000140000000-0x00000001408F6000-memory.dmp | xmrig
(nine dumps of the same region 0x0000000140000000-0x00000001408F6000 in PID 3300, taken at the listed snapshot indices)
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with a hidden display window. The process tree below shows one such invocation: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Temp\ps5476.tmp.ps1".
pid | process
2936 | powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by: 5b31e6a791.exe, fe36a05b11.exe, 2410e527be.exe, 75d24969e9.exe, skotes.exe, dfa42dbe56.exe, 011ef6e291.exe, file.exe, XXM5y4g.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by: XXM5y4g.exe, fe36a05b11.exe, 5b31e6a791.exe, 2410e527be.exe, skotes.exe, 011ef6e291.exe, 75d24969e9.exe, file.exe, dfa42dbe56.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 17 IoCs
pid | process
2676 | skotes.exe
1756 | TaskbarMonitorInstaller.exe
2916 | uxN4wDZ.exe
1072 | SKOblik.exe
2444 | xZNk1YZ.exe
2620 | Continuous.com
2860 | XXM5y4g.exe
2104 | XW5qFPl.exe
2824 | gU8ND0g.exe
2628 | dfa42dbe56.exe
2208 | fe36a05b11.exe
980 | 3a8f4ca544.exe
1972 | 5b31e6a791.exe
3256 | 2410e527be.exe
3484 | 011ef6e291.exe
3860 | 75d24969e9.exe
2012 | MicrosoftEdgeUpdateTaskMachineCoreSC.exe
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine by: 75d24969e9.exe, skotes.exe, XXM5y4g.exe, dfa42dbe56.exe, fe36a05b11.exe, file.exe, 5b31e6a791.exe, 2410e527be.exe, 011ef6e291.exe
Loads dropped DLL 32 IoCs
pid | process | load events
3036 | file.exe | 2
2676 | skotes.exe | 19
1768 | regasm.exe | 4
1196 | Process not Found | 2
2444 | xZNk1YZ.exe | 1
1712 | cmd.exe | 1
3644 | taskeng.exe | 2
3484 | 011ef6e291.exe | 1
Sets Windows Defender TamperProtection to 0 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 5b31e6a791.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 5b31e6a791.exe
(The Wow6432Node path shows a 32-bit writer under WOW64 registry redirection. Tamper Protection does not exist on the Windows 7 image this run used, and on Windows 10/11 the value is itself protected, so this write documents intent rather than an effective bypass.)
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfa42dbe56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010513001\\dfa42dbe56.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\fe36a05b11.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010514001\\fe36a05b11.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\3a8f4ca544.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010515001\\3a8f4ca544.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\5b31e6a791.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010516001\\5b31e6a791.exe" | skotes.exe
(All four Run values are written by skotes.exe, the Amadey install_file, and point at the numbered download directories under AppData\Local\Temp where it stores the payloads it fetches.)
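The registry tables in this report are printed as one flattened run of "operation, key path, optional value, process" records. The script below is an added example, not part of the sandbox report or its tooling: it splits that flattened text back into records and applies the criteria the signatures above rely on (Real-Time Protection policy values set to 1, TamperProtection set to 0, Run entries pointing into AppData\Local\Temp, and the VBOX__/VBoxSF/Wine/BIOS lookups), so the same classification can be run over any report of this shape. SAMPLE is a constructed excerpt of records that appear on this page, with the stray "description ioc Process" column header left in; the verdict labels are the example's own.

```python
"""Re-parse a sandbox report's flattened "description ioc Process" registry
tables and classify each record.  Added example: the parsing rules and the
verdict labels are this script's own, not the sandbox's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed input: a handful of records copied from the report's flattened
# tables, with the stray "description ioc Process" column header left in.
SAMPLE = r'''description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 5b31e6a791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 5b31e6a791.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 5b31e6a791.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfa42dbe56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1010513001\\dfa42dbe56.exe" skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe'''

# The operations the report prints.  A record runs from one operation name to
# the next, so the lookahead at the end is what delimits records.
OPS = r"Key created|Key opened|Key value queried|Set value \((?:int|str|data)\)"
RECORD = re.compile(
    rf"(?P<op>{OPS})\s+"
    r"(?P<path>\\REGISTRY\\.+?)"        # key path; may contain spaces
    r'(?:\s=\s"(?P<value>.*?)")?'       # optional  = "value"
    r"\s+(?P<proc>\S+)"                 # process image that did it
    rf"(?=\s+(?:{OPS})|\s*$)"
)


@dataclass(frozen=True)
class RegRecord:
    op: str
    path: str
    value: Optional[str]
    proc: str


def parse_records(text: str) -> List[RegRecord]:
    return [RegRecord(m["op"], m["path"], m["value"], m["proc"])
            for m in RECORD.finditer(text)]


# Keys the report lists under its VirtualBox / Wine / BIOS anti-sandbox signatures.
ANTI_VM_SUFFIXES = (
    r"\hardware\acpi\dsdt\vbox__",
    r"\services\vboxsf",
    r"\software\wine",
    r"\system\systembiosversion",
    r"\system\videobiosversion",
)


def classify(rec: RegRecord) -> Optional[str]:
    """Map one record to a verdict label (labels are this example's own)."""
    p = rec.path.lower()
    if ("\\policies\\microsoft\\windows defender\\real-time protection\\" in p
            and rec.value == "1"):
        return "defender-realtime-disabled"
    if p.endswith("\\windows defender\\features\\tamperprotection") and rec.value == "0":
        return "defender-tamper-protection-off"
    if "\\currentversion\\run\\" in p and rec.value:
        # the report prints REG_SZ paths with doubled backslashes
        target = rec.value.replace("\\\\", "\\").lower()
        if "\\appdata\\local\\temp\\" in target:
            return "run-key-to-temp"
    if p.endswith(ANTI_VM_SUFFIXES):
        return "anti-vm-probe"
    return None


def findings_by_process(text: str) -> Dict[str, Set[str]]:
    """Verdict labels per process image, e.g. {'skotes.exe': {'run-key-to-temp'}}."""
    out: Dict[str, Set[str]] = {}
    for rec in parse_records(text):
        verdict = classify(rec)
        if verdict:
            out.setdefault(rec.proc, set()).add(verdict)
    return out


if __name__ == "__main__":
    for proc, labels in findings_by_process(SAMPLE).items():
        print(f"{proc}: {', '.join(sorted(labels))}")
```

The lookahead at the end of RECORD is what makes the lazy path match stop at the right place: a key path can contain spaces ("Windows Defender\Real-Time Protection"), so the only reliable delimiter is the start of the next operation name. The NLS\Language record in the sample is parsed but deliberately gets no verdict; see the note under System Language Discovery below.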
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000a0000000190e1-473.dat | autoit_exe
Drops file in System32 directory 2 IoCs
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
(Both paths still contain the unexpanded %ProgramData% token and the acting process is powershell.exe touching its own Start Menu shortcut; no dropped payload is written to System32 here, so treat these two rows as low-signal.)
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | process
2256 | tasklist.exe
2400 | tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid | process
3036 | file.exe
2676 | skotes.exe
2860 | XXM5y4g.exe
2628 | dfa42dbe56.exe
2208 | fe36a05b11.exe
1972 | 5b31e6a791.exe
3256 | 2410e527be.exe
3484 | 011ef6e291.exe
3860 | 75d24969e9.exe
Suspicious use of SetThreadContext 1 IoCs
PID 2012 (MicrosoftEdgeUpdateTaskMachineCoreSC.exe) set the thread context of PID 3300 (procid_target 96).
(PID 3300 is explorer.exe in the EnumeratesProcesses and AdjustPrivilegeToken tables below, and it is the same PID whose region 0x0000000140000000-0x00000001408F6000 matches the xmrig and upx rules. A foreign image at the default 64-bit image base plus SetThreadContext from another process is the process-hollowing pattern: the miner runs inside explorer.exe, which is also why explorer.exe asks for SeLockMemoryPrivilege further down.)
UPX-packed code in memory (yara rule upx) 14 IoCs
resource | yara_rule
behavioral1/memory/3300-{832,833,834,835,836,837,838,849,851,852,853,854,855,857}-0x0000000140000000-0x00000001408F6000-memory.dmp | upx
(fourteen dumps of the same region in PID 3300; nine of them are the snapshots that also match xmrig above)
Drops file in Program Files directory 4 IoCs
description | ioc | process
File created | C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll | TaskbarMonitorInstaller.exe
File created | C:\Program Files\TaskbarMonitor\Newtonsoft.Json.dll | TaskbarMonitorInstaller.exe
File created | C:\Program Files\TaskbarMonitor\TaskbarMonitorWindows11.exe | TaskbarMonitorInstaller.exe
File created | C:\Program Files\TaskbarMonitor\TaskbarMonitorInstaller.exe | TaskbarMonitorInstaller.exe
Drops file in Windows directory 3 IoCs
description | ioc | process
File opened for modification | C:\Windows\WantedOffset | xZNk1YZ.exe
File created | C:\Windows\Tasks\skotes.job | file.exe
File opened for modification | C:\Windows\BeliefQuick | xZNk1YZ.exe
(C:\Windows\Tasks\skotes.job is a Task Scheduler 1.0 job file: file.exe registered a scheduled task named skotes for the Amadey install_file, which is the persistence the Task Scheduler COM API entry below refers to.)
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
resource | yara_rule
behavioral1/files/0x00060000000164db-82.dat | embeds_openssl
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: taskkill.exe (5), cmd.exe (3), findstr.exe (2), tasklist.exe (2), 75d24969e9.exe, XXM5y4g.exe, XW5qFPl.exe, powershell.exe, xZNk1YZ.exe, fe36a05b11.exe, 5b31e6a791.exe, 2410e527be.exe, 011ef6e291.exe, Continuous.com, dfa42dbe56.exe, choice.exe, 3a8f4ca544.exe, skotes.exe, file.exe
(Microsoft's own command-line utilities appear in this list because every process reads NLS\Language during normal locale initialisation; the hit count is not signal on its own.)
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | process
3060 | powershell.exe
2668 | PING.EXE
3320 | powershell.exe
2348 | PING.EXE
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Kills process with taskkill 5 IoCs
pid | process
2808 | taskkill.exe
696 | taskkill.exe
2308 | taskkill.exe
1588 | taskkill.exe
2692 | taskkill.exe
Modifies registry class 25 IoCs
Twenty-four of these rows are the COM registration that regasm.exe /codebase writes for the dropped TaskbarMonitor.dll; the remaining row is firefox.exe creating its per-user Local Settings class key. Below, CLSID stands for \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{13790826-15FA-46D0-9814-C2A5C6C11F32}.
description | ioc | process
Key created | CLSID\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | regasm.exe
Key created | CLSID\Implemented Categories\{00021492-0000-0000-c000-000000000046} | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TaskbarMonitor.Deskband | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TaskbarMonitor.Deskband\CLSID\ = "{13790826-15FA-46D0-9814-C2A5C6C11F32}" | regasm.exe
Set value (str) | CLSID\InprocServer32\ThreadingModel = "Both" | regasm.exe
Key created | CLSID\InprocServer32\1.0.0.0 | regasm.exe
Set value (str) | CLSID\InprocServer32\1.0.0.0\Class = "TaskbarMonitor.Deskband" | regasm.exe
Key created | CLSID\Implemented Categories | regasm.exe
Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | firefox.exe
Set value (str) | CLSID\ProgId\ = "TaskbarMonitor.Deskband" | regasm.exe
Set value (str) | CLSID\ = "taskbar-monitor" | regasm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TaskbarMonitor.Deskband\ = "TaskbarMonitor.Deskband" | regasm.exe
Key created | CLSID | regasm.exe
Set value (str) | CLSID\InprocServer32\ = "mscoree.dll" | regasm.exe
Set value (str) | CLSID\InprocServer32\Class = "TaskbarMonitor.Deskband" | regasm.exe
Set value (str) | CLSID\InprocServer32\1.0.0.0\Assembly = "TaskbarMonitor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" | regasm.exe
Set value (str) | CLSID\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319" | regasm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TaskbarMonitor.Deskband\CLSID | regasm.exe
Set value (str) | CLSID\ = "TaskbarMonitor.Deskband" | regasm.exe
Set value (str) | CLSID\InprocServer32\CodeBase = "file:///C:/Program Files/TaskbarMonitor/TaskbarMonitor.DLL" | regasm.exe
Key created | CLSID\InprocServer32 | regasm.exe
Set value (str) | CLSID\InprocServer32\Assembly = "TaskbarMonitor, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" | regasm.exe
Set value (str) | CLSID\InprocServer32\RuntimeVersion = "v4.0.30319" | regasm.exe
Set value (str) | CLSID\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Program Files/TaskbarMonitor/TaskbarMonitor.DLL" | regasm.exe
Key created | CLSID\ProgId | regasm.exe
(The category {00021492-0000-0000-c000-000000000046} is CATID_DeskBand and InprocServer32 is mscoree.dll with the CodeBase pointing at the unsigned assembly (PublicKeyToken=null): once the band is enabled, explorer.exe loads the managed DLL from C:\Program Files\TaskbarMonitor through the CLR. This registration is what the COM Hijacking TTP above is keyed on.)
Modifies system certificate store 3 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | dfa42dbe56.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | dfa42dbe56.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (second write of the same blob; duplicate value omitted) | dfa42dbe56.exe
(The DER certificate inside the blob, serial 02ac5c266a0b409b8f0b79f2ae462577, subject and issuer "DigiCert High Assurance EV Root CA", valid 2006-11-10 to 2031-11-10, is the well-known DigiCert root whose SHA-1 thumbprint is the key name. Windows' automatic root update writes exactly this kind of AuthRoot entry the first time a process validates a chain that ends at a root not yet cached locally, so on its own the entry is not evidence of a rogue certificate being installed; it does show that dfa42dbe56.exe performed a chain validation, typically a TLS handshake, that chained to DigiCert.)
Runs ping.exe 1 TTPs 2 IoCs
pid | process
2668 | PING.EXE
2348 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
2812 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid | process | events
3036 | file.exe | 1
2676 | skotes.exe | 1
2620 | Continuous.com | 3
2860 | XXM5y4g.exe | 1
2936 | powershell.exe | 1
3060 | powershell.exe | 1
2628 | dfa42dbe56.exe | 1
2208 | fe36a05b11.exe | 1
980 | 3a8f4ca544.exe | 3
1972 | 5b31e6a791.exe | 4
3256 | 2410e527be.exe | 11
3484 | 011ef6e291.exe | 2
3860 | 75d24969e9.exe | 11
2012 | MicrosoftEdgeUpdateTaskMachineCoreSC.exe | 1
3320 | powershell.exe | 1
3300 | explorer.exe | 17
Suspicious use of AdjustPrivilegeToken 15 IoCs
Token: SeDebugPrivilege | 2256 tasklist.exe, 2400 tasklist.exe, 2936 powershell.exe, 3060 powershell.exe, 2808 taskkill.exe, 696 taskkill.exe, 2308 taskkill.exe, 1588 taskkill.exe, 2692 taskkill.exe, 2868 firefox.exe (2), 1972 5b31e6a791.exe, 3320 powershell.exe
Token: SeLockMemoryPrivilege | 3300 explorer.exe (2)
(SeLockMemoryPrivilege is what XMRig enables to back its scratchpad with large pages; explorer.exe has no reason to request it, and PID 3300 is the process whose memory matched the xmrig rule above.)
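Three separate tables on this page describe the same PID 3300: the SetThreadContext record from PID 2012, the SeLockMemoryPrivilege requests, and the xmrig/upx matches on 0x0000000140000000-0x00000001408F6000. The script below is an added example, not sandbox code: it folds records of those three kinds into one verdict per PID, which is the correlation an analyst otherwise does by eye across the tables. The EVENTS text is a constructed transcription of rows from this page in a line format invented for the example, and the "hollowed miner host" rule and its labels are the example's own.

```python
"""Fold the per-signature tables of a sandbox report into one verdict per PID.
Added example, not sandbox code: the EVENTS line format is a constructed
transcription of this report's SetThreadContext, AdjustPrivilegeToken and
in-memory yara tables, and the verdict logic is this script's own."""
import re
from collections import defaultdict
from typing import Dict

# Constructed event lines (one per table row on the page; repeats kept).
EVENTS = """\
SetThreadContext 2012 MicrosoftEdgeUpdateTaskMachineCoreSC.exe -> 3300
AdjustPrivilegeToken 2936 powershell.exe SeDebugPrivilege
AdjustPrivilegeToken 1972 5b31e6a791.exe SeDebugPrivilege
AdjustPrivilegeToken 3300 explorer.exe SeLockMemoryPrivilege
AdjustPrivilegeToken 3300 explorer.exe SeLockMemoryPrivilege
YaraMemory 3300 0x0000000140000000-0x00000001408F6000 upx
YaraMemory 3300 0x0000000140000000-0x00000001408F6000 xmrig
YaraMemory 3300 0x0000000140000000-0x00000001408F6000 xmrig
"""

PATTERNS = {
    "SetThreadContext": re.compile(r"SetThreadContext (\d+) (\S+) -> (\d+)$"),
    "AdjustPrivilegeToken": re.compile(r"AdjustPrivilegeToken (\d+) (\S+) (\S+)$"),
    "YaraMemory": re.compile(r"YaraMemory (\d+) (0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+) (\S+)$"),
}


def collect(text: str) -> Dict[int, Dict[str, set]]:
    """Group every signal by the PID it is about (for SetThreadContext that is
    the target, not the caller)."""
    by_pid: Dict[int, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        kind = line.split(" ", 1)[0]
        m = PATTERNS[kind].match(line) if kind in PATTERNS else None
        if not m:
            continue
        if kind == "SetThreadContext":
            src, src_image, dst = m.groups()
            by_pid[int(dst)]["thread_context_from"].add(f"{src} {src_image}")
        elif kind == "AdjustPrivilegeToken":
            pid, image, priv = m.groups()
            by_pid[int(pid)]["image"].add(image)
            by_pid[int(pid)]["privileges"].add(priv)
        else:
            pid, lo, hi, rule = m.groups()
            by_pid[int(pid)]["yara"].add(rule)
            by_pid[int(pid)]["regions"].add((int(lo, 16), int(hi, 16)))
    return by_pid


def verdicts(text: str) -> Dict[int, dict]:
    """A PID whose thread context was rewritten by another process and whose
    memory then carries a miner signature, or that asks for
    SeLockMemoryPrivilege (XMRig's large-page request), is flagged as a
    hollowed miner host.  Either signal alone is not enough: a debugger
    rewrites thread contexts too, and SeDebugPrivilege alone is routine."""
    out: Dict[int, dict] = {}
    for pid, sig in collect(text).items():
        injected = bool(sig["thread_context_from"])
        miner = "xmrig" in sig["yara"] or "SeLockMemoryPrivilege" in sig["privileges"]
        if injected and miner:
            out[pid] = {
                "image": next(iter(sig["image"]), "?"),
                "injected_by": sorted(sig["thread_context_from"]),
                "evidence": sorted(sig["yara"] | sig["privileges"]),
                "region_bytes": sum(hi - lo for lo, hi in sig["regions"]),
            }
    return out


if __name__ == "__main__":
    for pid, v in verdicts(EVENTS).items():
        print(f"PID {pid} ({v['image']}) injected by {v['injected_by']}: "
              f"{v['evidence']}, {v['region_bytes']:#x} bytes of foreign code")
```

Run on the constructed rows the script reports PID 3300 (explorer.exe) as injected by "2012 MicrosoftEdgeUpdateTaskMachineCoreSC.exe" with evidence SeLockMemoryPrivilege, upx and xmrig over a 0x8F6000-byte region; the powershell.exe and 5b31e6a791.exe rows, which only carry SeDebugPrivilege, produce no verdict.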
Suspicious use of FindShellTrayWindow 19 IoCs
pid | process | events
3036 | file.exe | 1
2620 | Continuous.com | 3
980 | 3a8f4ca544.exe | 10
2868 | firefox.exe | 4
3300 | explorer.exe | 1
Suspicious use of SendNotifyMessage 16 IoCs
pid | process | events
2620 | Continuous.com | 3
980 | 3a8f4ca544.exe | 10
2868 | firefox.exe | 3
Suspicious use of SetWindowsHookEx 2 IoCs
pid | process | events
2860 | XXM5y4g.exe | 2
Suspicious use of WriteProcessMemory 64 IoCs
Each row reads "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"; identical rows are collapsed here with a repeat count.
writer | target | procid_target | rows
3036 file.exe | 2676 | 30 | 4
2676 skotes.exe | 1756 | 32 | 4
1756 TaskbarMonitorInstaller.exe | 1768 | 34 | 3
2676 skotes.exe | 2916 | 38 | 4
2676 skotes.exe | 1072 | 41 | 4
2676 skotes.exe | 2444 | 42 | 4
2444 xZNk1YZ.exe | 1712 | 43 | 4
1712 cmd.exe | 2256 | 45 | 4
1712 cmd.exe | 2832 | 46 | 4
1712 cmd.exe | 2400 | 47 | 4
1712 cmd.exe | 2464 | 48 | 4
1712 cmd.exe | 2032 | 49 | 4
1712 cmd.exe | 2848 | 50 | 4
1712 cmd.exe | 2620 | 51 | 4
1712 cmd.exe | 2284 | 52 | 4
2676 skotes.exe | 2860 | 53 | 4
2676 skotes.exe | 2104 | 54 | 1 (the table stops at 64 rows)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 2 IoCs
pid | process
2872 | attrib.exe
2432 | attrib.exe
Processes
Each entry gives the image path, the PID, the command line as recorded, and the signatures attributed to that process; indentation is the parent/child depth.

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 3036)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (PID 2676)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe  (PID 1756)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe  (PID 1768)
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /nologo /codebase "C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll"
              - Loads dropped DLL
              - Modifies registry class

        C:\Users\Admin\AppData\Local\Temp\1009923001\uxN4wDZ.exe  (PID 2916)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1009923001\uxN4wDZ.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\1010230001\SKOblik.exe  (PID 1072)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1010230001\SKOblik.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\1010264001\xZNk1YZ.exe  (PID 2444)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1010264001\xZNk1YZ.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe  (PID 1712)
              cmdline: "C:\Windows\System32\cmd.exe" /c copy Scout Scout.cmd && Scout.cmd
              (the image path is SysWOW64 although the command line names System32: the 32-bit parent is subject to file system redirection)
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\tasklist.exe  (PID 2256)
                  cmdline: tasklist
                  - Enumerates processes with tasklist
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\findstr.exe  (PID 2832)
                  cmdline: findstr /I "wrsa opssvc"
                  - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\tasklist.exe  (PID 2400)
                  cmdline: tasklist
                  - Enumerates processes with tasklist
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\findstr.exe  (PID 2464)
                  cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                  - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\cmd.exe  (PID 2032)
                  cmdline: cmd /c md 550046
                  - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\cmd.exe  (PID 2848)
                  cmdline: cmd /c copy /b ..\Diagnosis R
                  - System Location Discovery: System Language Discovery

                C:\Users\Admin\AppData\Local\Temp\550046\Continuous.com  (PID 2620)
                  cmdline: Continuous.com R
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage

                C:\Windows\SysWOW64\choice.exe  (PID 2284)
                  cmdline: choice /d y /t 5
                  - System Location Discovery: System Language Discovery

              (Reading the Scout.cmd chain in order: tasklist output is searched for security products, first case-insensitively for wrsa (Webroot) and opssvc (Quick Heal), then for AvastUI, AVGUI, bdservicehost (Bitdefender), nsWscSvc (Norton), ekrn (ESET) and SophosHealth (Sophos); the directory 550046 is created, the dropped Diagnosis file is binary-copied to R, Continuous.com is started with R as its argument, and choice /d y /t 5 is a five-second delay. With the AutoIT Executable hit above, this is consistent with a renamed AutoIt interpreter running a script, though the report does not decode R itself.)

        C:\Users\Admin\AppData\Local\Temp\1010306001\XXM5y4g.exe  (PID 2860)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1010306001\XXM5y4g.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe  (PID 2104)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1010425001\XW5qFPl.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Temp\ps5476.tmp.ps1"
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe"C:\Users\Admin\AppData\Local\Temp\1010433001\gU8ND0g.exe"3⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
PID:2872
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
PID:2432
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE4⤵
- Scheduled Task/Job: Scheduled Task
PID:2812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del gU8ND0g.exe4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2668
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010513001\dfa42dbe56.exe"C:\Users\Admin\AppData\Local\Temp\1010513001\dfa42dbe56.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2628
-
-
C:\Users\Admin\AppData\Local\Temp\1010514001\fe36a05b11.exe"C:\Users\Admin\AppData\Local\Temp\1010514001\fe36a05b11.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2208
-
-
C:\Users\Admin\AppData\Local\Temp\1010515001\3a8f4ca544.exe"C:\Users\Admin\AppData\Local\Temp\1010515001\3a8f4ca544.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:980 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:696
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:2280
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.0.1972785044\1824774332" -parentBuildID 20221007134813 -prefsHandle 1188 -prefMapHandle 1128 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c2e1f09-2240-4329-91c8-889d0a349c33} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1284 10fdbd58 gpu6⤵PID:2764
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.1.1899481622\403325786" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1875633-87ce-463b-8b57-58f6acf630b1} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1496 10f0cc58 socket6⤵PID:2168
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.2.932376218\1806655706" -childID 1 -isForBrowser -prefsHandle 1984 -prefMapHandle 1980 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b256524b-1509-4c6c-a3aa-af0e64f747b6} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 1996 18f99d58 tab6⤵PID:1964
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.3.736785248\446282312" -childID 2 -isForBrowser -prefsHandle 2708 -prefMapHandle 2704 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7136afa8-5e5d-4792-bcf6-64390ec8f30f} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 2720 1cf48b58 tab6⤵PID:1716
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.4.1186992909\959506577" -childID 3 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e447c2f1-845c-4893-9ff0-bd7735e02569} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3788 1febd558 tab6⤵PID:656
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.5.1924831676\294222770" -childID 4 -isForBrowser -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16436463-8402-4708-9dd0-7d36fb99a9ef} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 3840 1fe96558 tab6⤵PID:944
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2868.6.1680149601\635003047" -childID 5 -isForBrowser -prefsHandle 3992 -prefMapHandle 3996 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 824 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8e47f3d-dc38-419a-8787-0f2b7af81ef7} 2868 "\\.\pipe\gecko-crash-server-pipe.2868" 4116 2026a258 tab6⤵PID:2160
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1010516001\5b31e6a791.exe"C:\Users\Admin\AppData\Local\Temp\1010516001\5b31e6a791.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Users\Admin\AppData\Local\Temp\1010517001\2410e527be.exe"C:\Users\Admin\AppData\Local\Temp\1010517001\2410e527be.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3256
-
-
C:\Users\Admin\AppData\Local\Temp\1010518001\011ef6e291.exe"C:\Users\Admin\AppData\Local\Temp\1010518001\011ef6e291.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3484
-
-
C:\Users\Admin\AppData\Local\Temp\1010519001\75d24969e9.exe"C:\Users\Admin\AppData\Local\Temp\1010519001\75d24969e9.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3860
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1744
-
C:\Windows\system32\taskeng.exetaskeng.exe {125C7FE5-CD88-4657-92A6-3CD3E98E1325} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:3644 -
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2012 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2348
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (3)
Discovery
- Process Discovery (1)
- Query Registry (7)
- Remote System Discovery (1)
- System Information Discovery (3)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (3)
Downloads