Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/12/2024, 06:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
1.7MB
-
MD5
5e98730ed584c9ab8abe162b128a1262
-
SHA1
f6121854ec49fb7a1b1e53077f59e7215c9cae2d
-
SHA256
f4079f7d32ec84c49c50da91ca7da31556ae50f8fcc96c1df4bb4625f5497aaf
-
SHA512
599a2ece1381dab5070b838a07898be6646d32d61ac460852782c622c4aeeca1cf0c0f3ab79c3c302323239b40ccaf3cfd0220f998257b98d5c34df7752744c4
-
SSDEEP
24576:iS8AASycIS8i592SA8D7kl9BRA9qHR81ljiMpQkOCzPT817XkMhlyPiY:iS8pbcI+/2sD4VRAcx+jpffPY7jyqY
Malware Config
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
lumma
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 2bb539e70a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 2bb539e70a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 2bb539e70a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 2bb539e70a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 2bb539e70a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 2bb539e70a.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4084 created 2764 4084 rhnew.exe 45 -
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 409fda7c10.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 17 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rhnew.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ea039fd3a3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 05ba0a455a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 409fda7c10.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 45dff8843f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2bb539e70a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9e8e298f2d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HCFIJKKKKK.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd050829ea.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 045f057d2a.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 3620 msedge.exe 4680 chrome.exe 3692 chrome.exe 2668 chrome.exe 5044 msedge.exe 848 msedge.exe 1000 msedge.exe 4936 msedge.exe 1624 chrome.exe -
Checks BIOS information in registry 2 TTPs 34 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9e8e298f2d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cd050829ea.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 05ba0a455a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rhnew.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 045f057d2a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 45dff8843f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9e8e298f2d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 05ba0a455a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 409fda7c10.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2bb539e70a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 045f057d2a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HCFIJKKKKK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HCFIJKKKKK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cd050829ea.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 409fda7c10.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 45dff8843f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2bb539e70a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rhnew.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ea039fd3a3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ea039fd3a3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 9e8e298f2d.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation HCFIJKKKKK.exe -
Executes dropped EXE 17 IoCs
pid Process 2792 HCFIJKKKKK.exe 3920 skotes.exe 4084 rhnew.exe 1484 9e8e298f2d.exe 4992 axplong.exe 472 ea039fd3a3.exe 4852 cd050829ea.exe 4284 05ba0a455a.exe 1652 axplong.exe 3132 skotes.exe 1080 409fda7c10.exe 4132 045f057d2a.exe 1576 45dff8843f.exe 2792 21d50d7de0.exe 3008 2bb539e70a.exe 440 skotes.exe 4364 axplong.exe -
Identifies Wine through registry keys 2 TTPs 17 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 05ba0a455a.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 045f057d2a.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 45dff8843f.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine HCFIJKKKKK.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine ea039fd3a3.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 409fda7c10.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine rhnew.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 9e8e298f2d.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine cd050829ea.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine 2bb539e70a.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Wine axplong.exe -
Loads dropped DLL 2 IoCs
pid Process 1808 file.exe 1808 file.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 2bb539e70a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 2bb539e70a.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\21d50d7de0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011542001\\21d50d7de0.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2bb539e70a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011543001\\2bb539e70a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ea039fd3a3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005138001\\ea039fd3a3.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\05ba0a455a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005139001\\05ba0a455a.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\045f057d2a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011540001\\045f057d2a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45dff8843f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1011541001\\45dff8843f.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0008000000023c0a-351.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process 1808 file.exe 2792 HCFIJKKKKK.exe 3920 skotes.exe 4084 rhnew.exe 1484 9e8e298f2d.exe 4992 axplong.exe 472 ea039fd3a3.exe 4852 cd050829ea.exe 4284 05ba0a455a.exe 1652 axplong.exe 3132 skotes.exe 1080 409fda7c10.exe 4132 045f057d2a.exe 1576 45dff8843f.exe 3008 2bb539e70a.exe 4364 axplong.exe 440 skotes.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job HCFIJKKKKK.exe File created C:\Windows\Tasks\axplong.job 9e8e298f2d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2944 4084 WerFault.exe 130 -
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9e8e298f2d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 045f057d2a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2bb539e70a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rhnew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 409fda7c10.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 21d50d7de0.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 21d50d7de0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cd050829ea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05ba0a455a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 21d50d7de0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HCFIJKKKKK.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ea039fd3a3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 45dff8843f.exe -
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 5 IoCs
pid Process 3908 taskkill.exe 3700 taskkill.exe 972 taskkill.exe 3516 taskkill.exe 2668 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776799349763812" chrome.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1808 file.exe 1808 file.exe 1808 file.exe 1808 file.exe 1808 file.exe 1808 file.exe 1624 chrome.exe 1624 chrome.exe 1808 file.exe 1808 file.exe 1808 file.exe 1808 file.exe 704 msedge.exe 704 msedge.exe 704 msedge.exe 704 msedge.exe 2992 msedge.exe 2992 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 1808 file.exe 1808 file.exe 1808 file.exe 1808 file.exe 2792 HCFIJKKKKK.exe 2792 HCFIJKKKKK.exe 3920 skotes.exe 3920 skotes.exe 4084 rhnew.exe 4084 rhnew.exe 4084 rhnew.exe 4084 rhnew.exe 4084 rhnew.exe 4084 rhnew.exe 2948 svchost.exe 2948 svchost.exe 2948 svchost.exe 2948 svchost.exe 1484 9e8e298f2d.exe 1484 9e8e298f2d.exe 4992 axplong.exe 4992 axplong.exe 472 ea039fd3a3.exe 472 ea039fd3a3.exe 4852 cd050829ea.exe 4852 cd050829ea.exe 4284 05ba0a455a.exe 4284 05ba0a455a.exe 1652 axplong.exe 1652 axplong.exe 3132 skotes.exe 3132 skotes.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 1080 409fda7c10.exe 4132 045f057d2a.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeShutdownPrivilege 1624 chrome.exe Token: SeCreatePagefilePrivilege 1624 chrome.exe Token: SeDebugPrivilege 2668 taskkill.exe Token: SeDebugPrivilege 3908 taskkill.exe Token: SeDebugPrivilege 3700 taskkill.exe Token: SeDebugPrivilege 972 taskkill.exe Token: SeDebugPrivilege 3516 taskkill.exe Token: SeDebugPrivilege 3496 firefox.exe Token: SeDebugPrivilege 3496 firefox.exe Token: SeDebugPrivilege 3008 2bb539e70a.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 1624 chrome.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 5044 msedge.exe 1484 9e8e298f2d.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 3496 firefox.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe 2792 21d50d7de0.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3496 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1808 wrote to memory of 1624 1808 file.exe 83 PID 1808 wrote to memory of 1624 1808 file.exe 83 PID 1624 wrote to memory of 3808 1624 chrome.exe 84 PID 1624 wrote to memory of 3808 1624 chrome.exe 84 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 4152 1624 chrome.exe 85 PID 1624 wrote to memory of 2980 1624 chrome.exe 86 PID 1624 wrote to memory of 2980 1624 chrome.exe 86 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 PID 1624 wrote to memory of 3140 1624 chrome.exe 87 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2764
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2948
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbd38ccc40,0x7ffbd38ccc4c,0x7ffbd38ccc583⤵PID:3808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1720,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1708 /prefetch:23⤵PID:4152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:33⤵PID:2980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:83⤵PID:3140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:13⤵
- Uses browser remote debugging
PID:3692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:13⤵
- Uses browser remote debugging
PID:2668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:13⤵
- Uses browser remote debugging
PID:4680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4232,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:83⤵PID:472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,16003196923175157838,9519313765173206576,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:83⤵PID:1784
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5044 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd38d46f8,0x7ffbd38d4708,0x7ffbd38d47183⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:23⤵PID:4508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:83⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:13⤵
- Uses browser remote debugging
PID:1000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:13⤵
- Uses browser remote debugging
PID:848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:13⤵
- Uses browser remote debugging
PID:3620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2004,14270922090579119153,12036831255223571889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:13⤵
- Uses browser remote debugging
PID:4936
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\HCFIJKKKKK.exe"2⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Users\Admin\Documents\HCFIJKKKKK.exe"C:\Users\Admin\Documents\HCFIJKKKKK.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3920 -
C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4084 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 5446⤵
- Program crash
PID:2944
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011459001\9e8e298f2d.exe"C:\Users\Admin\AppData\Local\Temp\1011459001\9e8e298f2d.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\1005138001\ea039fd3a3.exe"C:\Users\Admin\AppData\Local\Temp\1005138001\ea039fd3a3.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:472
-
-
C:\Users\Admin\AppData\Local\Temp\1005139001\05ba0a455a.exe"C:\Users\Admin\AppData\Local\Temp\1005139001\05ba0a455a.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4284
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011534001\cd050829ea.exe"C:\Users\Admin\AppData\Local\Temp\1011534001\cd050829ea.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4852
-
-
C:\Users\Admin\AppData\Local\Temp\1011539001\409fda7c10.exe"C:\Users\Admin\AppData\Local\Temp\1011539001\409fda7c10.exe"5⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1080
-
-
C:\Users\Admin\AppData\Local\Temp\1011540001\045f057d2a.exe"C:\Users\Admin\AppData\Local\Temp\1011540001\045f057d2a.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4132
-
-
C:\Users\Admin\AppData\Local\Temp\1011541001\45dff8843f.exe"C:\Users\Admin\AppData\Local\Temp\1011541001\45dff8843f.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1576
-
-
C:\Users\Admin\AppData\Local\Temp\1011542001\21d50d7de0.exe"C:\Users\Admin\AppData\Local\Temp\1011542001\21d50d7de0.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2792 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3516
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:5012
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3496 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1912 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db0f03b3-95c9-4b36-834c-de66f16fda55} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" gpu8⤵PID:3856
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2384 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7f3251b-64eb-48ba-810c-f14236ebfefa} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" socket8⤵PID:444
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2940 -prefMapHandle 2732 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e0a512e-507a-43f1-b68d-f47df36d5490} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab8⤵PID:4816
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3872 -childID 2 -isForBrowser -prefsHandle 3864 -prefMapHandle 3588 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cfc618e-ae4a-4841-ab54-abf654c5e313} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab8⤵PID:5116
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4464 -prefMapHandle 4476 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbae2b3f-fca1-451c-a7e3-d49f5f32a41d} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" utility8⤵
- Checks processor information in registry
PID:5368
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 3 -isForBrowser -prefsHandle 5580 -prefMapHandle 5588 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6125ceb6-2b90-4d57-99b1-bd9e6f990716} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab8⤵PID:5532
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 4 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d70d77e8-7012-4b12-94e2-81e8f1d31293} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab8⤵PID:5540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5996 -prefMapHandle 5940 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6f8f376-c145-43f2-9769-df8aef36d4a9} 3496 "\\.\pipe\gecko-crash-server-pipe.3496" tab8⤵PID:5580
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011543001\2bb539e70a.exe"C:\Users\Admin\AppData\Local\Temp\1011543001\2bb539e70a.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2388
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4084 -ip 40841⤵PID:4372
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1652
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3132
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:440
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4364
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
649B
MD5d0af58a70a1c0694e1cc7cd937f921c0
SHA179cbec8cb853a487814310696f2239a6e214c862
SHA2565503b380424c271aa5159326cf8d10e55d6972c6e5335b38117bc7ad1a9452da
SHA5127a9db85904c06cfdd3c35e100f14c2b8467d367b667866d95a21eba72a2c0a05fbf206b2b7fb313e8fb0a5214364c6985e11e1955fb829cda125052abc30c6de
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
5KB
MD565e48e3da2b8c8aa2498df8bf2b66631
SHA11e5d13b3b25ccbe29974814961e6dfc2f64d9881
SHA256ec66a52266a7519351b49d140d1deb46ae172244a273be924e266a7deeeac32a
SHA512fc001b50739a0da27bad384a63902d5ebd89e32ec8ad906f541a4ea05345e75969688fcf67004cdab7593c53b72a07774fbd368ff83a6261e612a10c75dd31f3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json
Filesize27KB
MD5dd2c0670143c6f941ebdacf4b4e610c8
SHA101f3c24d950eacc0510677441f0326f7affc4b25
SHA256eeed88ea3f78eaf66bda3b796cc8c401c1eb52f6d85ead3727c572d74817ee51
SHA512c5656a0d59a69a4b47dc419bc393841cfdd69c4f7640ac2cc8091de8bf08182adadbbaa28f0eb66609e3697feaec2edf960d1d2e0b76b70fd0d79cb7bad3f54e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD50fdc229409f0829525c58d202f855753
SHA1093ad5de9da9017310b3cbb913b38e1ade3fae68
SHA2563ab1a35e971553311b9f7c089e5d459093cf5fa5578beeb3371e0d277078063e
SHA512482c4d4c5e653c78fcbea150fd133c290a1831587f22e3f51d29312adadd20177e32ff82f023e06155326a04566198b7e16d3eca57d5cf657586088183f740ac
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5697215e27add1c515c2e3c1bea7b04c4
SHA1e653943e209bdce9375d0418baf265d943aa4ce0
SHA25649558a40f6b513d32f32a9bf84109bb685d249b19508416e9ad50d9e5523a6c5
SHA5127a309a9d999653e22e78b86e07906d68b6e5038662651436f7410abf473bc926ad5465ce55d9a2eacd57b1ed1ab92aae97999b35a5016279e94dd43566d0146e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.7MB
MD55e98730ed584c9ab8abe162b128a1262
SHA1f6121854ec49fb7a1b1e53077f59e7215c9cae2d
SHA256f4079f7d32ec84c49c50da91ca7da31556ae50f8fcc96c1df4bb4625f5497aaf
SHA512599a2ece1381dab5070b838a07898be6646d32d61ac460852782c622c4aeeca1cf0c0f3ab79c3c302323239b40ccaf3cfd0220f998257b98d5c34df7752744c4
-
Filesize
1.7MB
MD51e7d4aeeafc30f0333c5c1453ae3bee3
SHA16786c3280bc6fa38bb59cc76d860c2f52f105177
SHA256fc42b84c55a8f8ece66a44dbea821c730c285211ec2f625c0df678d094f1b6a7
SHA5128c0e957fb65deba94093f985e1f36396709dcfdd9f069a277800b66dd9c161df65d9bf82738c811cd4f11ff866759105ef7610e1e2e852269ad80ae37a8297d8
-
Filesize
1.9MB
MD5046233032238246b01f8db289d51c34c
SHA1814b41c50c238de914925bd2aa25b9c8455e0ad6
SHA2563ac545427f6607eed1dac90dcbd69cb41652210b046cd71f885c9a55ec30020e
SHA512d902a14b34bc5bd5b8e374fcb1293c6cd2156e635ee83a7b2d162b5be1ea10488540cb8dcdbffbf94c560576fd8ee94e7cdb68995203db07309b4ee6da66e63e
-
Filesize
1.8MB
MD5f24d9c6f7ecc9b62d4d17246b9e4d953
SHA143e197661899749fa09390f51835eb3ac51f622b
SHA256e3c9b63761649007133b28e3f198126b676d7ce85e54b7ebc864f8d006c27d52
SHA51212eff5ada75319de82730c64db624426baeb2ab36b4b94b37f583267dd6297574f5bb2000ceed63105a3cabd8ec68053b7567e41a129d1accc91468e64d0ff2f
-
Filesize
1.9MB
MD5c5c54e93bf4c446718cc50ccf3d4841c
SHA10fa2562ef4693da30513bde25068af0b491483e9
SHA256424bb16b1d8bcbfa9a58ed86931e903ac6a746e3713b7105499e9e15986dd673
SHA51215235130db08152afdc97e3ce67144aea3ba93b9f14e91c4041c009ed78249d95d253536cf1e21b64647fa7908dca41b283c43fcf44d77555dc176f1f64b93cc
-
Filesize
4.3MB
MD581e4dfac017a45be35f3495a953b7bca
SHA132b46eea67fca803ca09305ae35533dc38b7eade
SHA256f2733423350884a7bc10cbba1b6c786a007508b52d67bee81f1e87b83c5a8416
SHA512b82e66c7ef5267b48e64ebc26d9172ca7981f1767d1ab409dd8412f053910de4966e57486ced771b87a2de67ca5ee7a538ff875c5a1133167095a4f6503f0f13
-
Filesize
945KB
MD591a08f5ea0ef6b39830a63803268bebd
SHA1b9d85e7330d84d294fac244c03f27663006dbbf0
SHA256bd419c7f78d6bd9a4e38dede48fd861794dcf490c8a44f1201b1e3539bf33377
SHA5127068cd850d449be42300e78365499f2ea78b7214badf9e0807a8eb059cb62fa1559c235c579dce6ddf46a6077213fe0684a33a39678eae14e9185d3eb08366c4
-
Filesize
2.6MB
MD5531dde5b467753b4b705a3ce41df8840
SHA1e105d9ebb0f86042187102f363cb2edab42527d3
SHA25642306277990b0ed3648506013ad2067ca26e90a95afc476f6ae07c22924b16a7
SHA5121ef953d9c917cb101794ee6e281660f401ccc4361c312c609ddf9e0ecce677dc22563795e309f936911f6ead6dd72c10afb232ffeb08cf09325f160905e50f4b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize6KB
MD5665860f2bda5b37c78b3dd7bc6e3be1b
SHA1833dbaa9e8dedfd33e9f1c1920bda1b3ea2379e2
SHA2566e01ceef9c4bc89554fa0bac950abe1c8c3eec8915028d88fead9006b3a4bfdd
SHA51265f08d82d5947933d479a24561bc1974659bba682773db6e61906f1f344afa8fe5f6ebac4ef086f13225459ef91f7b6d7bbe2543875dbe0d3a812bae3a8345a5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin
Filesize8KB
MD55e3e40b88028f1729d57b9891d15dc09
SHA1d070698bd3806f65d8299319d17d7509b6d83ab8
SHA2562740d6f5d692e2c11c31760dccf7550068bf356c6310cb56ef82b3916995f784
SHA512f1792754532aacaceb8ee2834d1bc6d628a22386e2220136af6a3f129f346122ae9c22dc3d8c8e4228f262857f6de06c4e9568a5e293eeaa09f19d6d10464b85
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5621a11f534b730e7fd3a28894de240f7
SHA18cd54def7ce269103db0639df165b1eb050b20ae
SHA256ff10e8ec079cdf19822345ae9205bd422bb9c3ac60fd840ac2a3a3e9d5050323
SHA512a4ba17540952e5534c2f47fefa6e802d84666866eff35ae670cc34f518264faff9772fcad9537b89e36f4a5f9b6ad1a80aa38c4818803c460d05ca78c101b4e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD58421d7cd936a6cd9fe069e65033188f8
SHA12dd412608b2fa62dd0ecabc5bc7d877cd7f1888f
SHA2563739e0c08e98e8f6dce4acbb62ed37e232360c1f5ffd5c2bc7f6517793d9d5d1
SHA512cc4d47cd9c8a5190063e58b1d512aa2dc844c156ae176c6f8c5f6ba0a19ae7b5fcbbd865c327f45b51531484a42c86d3e1ced925c95d35030e4081c2a8727164
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD57370213aef288cd354287fda4c2c51b6
SHA12943fc76fd706312eb0fa6621d3542649f84c7e7
SHA2563084ad1baabea24d899042e341b65915bebc4bb9765b057bd6c3e2c10898ac58
SHA5121014835596c8ba101a358bb2c75bcecbe835788b9864b0a0d8c0b684a110e2daa3db1b60709b6594b530d4d03de8844fc62dcdbd67d0673f43f3d83544d34860
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\47dfe843-8f48-4c91-a68e-ea9ae0d29957
Filesize671B
MD5b7c6348a52be144c5a10ba31c0a896f0
SHA17ff44b4c50c7edf3758ff2ed789a868254a37ccc
SHA25604d7a6418749caa66cda7bcbd6dfad2e09190b8f97e5e010e4d698920629c382
SHA5127106c3b481d2a4f4d0f012edd1cfbfc60bc12eaa83eedc50d9652d32e6ffc569b62e3bed9e59713c72d0186aaa71ab470ab4ab20476b2f21364ca320a2bdaa5b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\be7f6895-23b4-4bcc-bd57-7268a841848f
Filesize24KB
MD5939ffe2ab5b9fae8ba243a8740988adb
SHA177a8af62b4347739ffbc075e197f5734d4f31ded
SHA25660d5f1b6065c882c720517ba100c15f29066809dfa2af200df53429813290d54
SHA512f42c2195cb239d71c1177abf23b548846e0c74e6091aebab4b96b4a62ed2296f64b6fadef23d529780df81a183226b1ca1f8d8accb75e0273d8f7bec63b8de6f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\cd23477f-8a77-4fb6-8986-29c8df37d0c9
Filesize982B
MD55f3be9000c795436aa61eefe09726b12
SHA1a9a3eddd424153d86aecee2ede3155a7100ee217
SHA256393f43216caf15d99d3a437520c2b16f58472f84593d8c31273376daa9d18e0b
SHA512127f2727e10dcc2b8be42c13a06618ffbe3ffc13363ab035fa97314ea06b446a1c79592d232cd1e029dc599029f45361ca2d870ff4e65d3b56d6117ae187bfae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD53892d5371e0ca0e1f095d951829d6435
SHA174eb0f95dde50d1c1e0f0a2330eba22daecd3b34
SHA256f906a87ccaa015f0136207a0d816b0fd47332b8fbbd5807fb092a2072df6e852
SHA5128a2bc8099358594a27868eafc679871b907b324e6aa6609e555b1dfad3021e6836f160f0858f9e0e9c070561f9e9dfb86b883db2c3106f848e1c7b4b3a9f3efe
-
Filesize
10KB
MD50895ee681ab0254f9ba7d84996ea78a2
SHA1ae0d3ae16fd1509bc6cbb3352d41821b500773f2
SHA256bf7743d3dd3a1a700c885f96a4eae99f8bc4fa4695e344d00594e7d6b13b1f48
SHA51297683f7df2145d9dfdc9710117740848701efdf858505f3da43c5298cc1c53ca57f0af017f219b9ca0e584d5cdbe853793415cdeebdba7ec24457ff30d66f799
-
Filesize
15KB
MD565f8fe27b903de588db4554754cd75b3
SHA1eb7c4d0cb2caee4268fab37beea4c0d65861024f
SHA2567f5077696b5380c0dd81fee42d346d758aa887a3a11276e414a08487253bb539
SHA512740451f0171ea1f3e7804afe033f8bc1c8899e4f4d43d8c7796142e75519a03b9a2cbd144d76416d3fb065f9594306bae2ce34694440c306fb3afc795a735a57
-
Filesize
10KB
MD5b6a49de2582f9018fae1995069e45d5e
SHA19ed5c96313ea5197e4b56c1b19e6af030c9fdb37
SHA25639046353b06da1e162887f6c613a264139ac5b7ae7d47cb88750c7d401b85e81
SHA512880d6dd391969b40ee09b266ecc73d04bf16e155bf662feae11f3df1a91bd32228010ed9b4193ab2e4f78f168fbf9a0430a67061cb0945e1f0a2e33697c13c87
-
Filesize
11KB
MD54be00c1600d428ea92364e9b524b65eb
SHA13d64d3611fe9670b67ff95c8c3475c9ae3ef65cf
SHA2565bafdd8257b378f9dd68d6dc863f2c4b41f7486d626be7d893d94ed1bb3a90e6
SHA51235b76150f871b026dd7f629e3795be6ae572266b8924bd0031b910c77822f544a8ff41b6b46619dfc10ba37e4061dd83764b2ad463c81606d5224bb730a07a45
-
Filesize
1.8MB
MD501edd88c5a27e57bbed15b7fdf09505c
SHA1ea25b20b3926af6fdee456365ef896e611756de0
SHA2565ce81cdbdf1bb2bea6968044904c1786598b4bb203fda18cbb12c01cd6ec165f
SHA512099e1a9733f9419629238bbde4512cb7b1d23cdc1c242f35dd4821f3dbb8142ea284b4498e4ac2e7651cc2268c15fbe14ba91e729db67fc4f525a17ef536ac73