Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/12/2024, 00:17
Static task
static1
Behavioral task
behavioral1
Sample
458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Resource
win7-20240903-en
General
-
Target
458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
-
Size
1.8MB
-
MD5
cd86e4c2fbaf81cb17606d69108fff47
-
SHA1
97117dadf1a95214ceaf1d1d9337dae317c6a358
-
SHA256
458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e
-
SHA512
42393ee97337b197a176032276b9da8bd3ba26d5e5a36751130271422a9cb0a91d50a22c9f75e4de77083b47d8b6c7f54c5f1ebccd09f97dbba8eb6591554748
-
SSDEEP
49152:1hYf1buEc90mDAkzorHA/GJKEmQVhiln:Mf1qEcvDTSNXmQVh6
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
xworm
185.196.8.239:7000
-
Install_directory
%Userprofile%
-
install_file
WindowsUpdaterConf.exe
-
telegram
https://api.telegram.org/bot8070077125:AAEdRIyp1anHye9Y0jcV8uNF6U4mmijN8Pk/sendMessage?chat_id=1818813749
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
gcleaner
92.63.197.221
45.91.200.135
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://dwell-exclaim.biz/api
https://formy-spill.biz/api
https://covery-mover.biz/api
https://dare-curbys.biz/api
https://print-vexer.biz/api
Signatures
-
Amadey family
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/5108-37268-0x0000000000400000-0x000000000041A000-memory.dmp family_xworm -
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" f20db32785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" f20db32785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" f20db32785.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection f20db32785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" f20db32785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" f20db32785.exe -
Stealc family
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 348e03bb82.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f20db32785.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ eec1130907.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a4f04596a1.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2760 powershell.exe 2600 powershell.exe 1632 powershell.exe 892 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 348e03bb82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f20db32785.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f20db32785.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion eec1130907.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a4f04596a1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a4f04596a1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 348e03bb82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion eec1130907.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdaterConf.lnk wL3EGdM.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdaterConf.lnk wL3EGdM.exe -
Executes dropped EXE 13 IoCs
pid Process 2868 skotes.exe 2848 i1A5m12.exe 1248 i1A5m12.tmp 2120 rafencoder.exe 632 wL3EGdM.exe 4932 a4f04596a1.exe 5108 wL3EGdM.exe 3452 348e03bb82.exe 4308 919e5e3042.exe 2844 f20db32785.exe 3388 eec1130907.exe 4632 WindowsUpdaterConf.exe 5088 WindowsUpdaterConf.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine a4f04596a1.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 348e03bb82.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine f20db32785.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine eec1130907.exe -
Loads dropped DLL 20 IoCs
pid Process 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 2868 skotes.exe 2848 i1A5m12.exe 1248 i1A5m12.tmp 1248 i1A5m12.tmp 1248 i1A5m12.tmp 1248 i1A5m12.tmp 2120 rafencoder.exe 2868 skotes.exe 2868 skotes.exe 632 wL3EGdM.exe 5108 wL3EGdM.exe 2868 skotes.exe 2868 skotes.exe 2868 skotes.exe 2868 skotes.exe 2868 skotes.exe 2868 skotes.exe 3388 eec1130907.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features f20db32785.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" f20db32785.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\348e03bb82.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012550001\\348e03bb82.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\919e5e3042.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012551001\\919e5e3042.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\f20db32785.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012552001\\f20db32785.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f04596a1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1012549001\\a4f04596a1.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\666999666 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wL3EGdM.exe" wL3EGdM.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdaterConf = "C:\\Users\\Admin\\WindowsUpdaterConf.exe" wL3EGdM.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 19 ip-api.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0009000000019642-37366.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 2868 skotes.exe 4932 a4f04596a1.exe 3452 348e03bb82.exe 2844 f20db32785.exe 3388 eec1130907.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 632 set thread context of 5108 632 wL3EGdM.exe 41 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i1A5m12.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wL3EGdM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsUpdaterConf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i1A5m12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 919e5e3042.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 919e5e3042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rafencoder.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wL3EGdM.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f20db32785.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsUpdaterConf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 348e03bb82.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4f04596a1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eec1130907.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 919e5e3042.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 636 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 4388 taskkill.exe 4568 taskkill.exe 4656 taskkill.exe 1596 taskkill.exe 1520 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e rafencoder.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e rafencoder.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 a4f04596a1.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a a4f04596a1.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a a4f04596a1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 rafencoder.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3160 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 2868 skotes.exe 1248 i1A5m12.tmp 1248 i1A5m12.tmp 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe 632 wL3EGdM.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeDebugPrivilege 632 wL3EGdM.exe Token: SeDebugPrivilege 5108 wL3EGdM.exe Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 2600 powershell.exe Token: SeDebugPrivilege 1632 powershell.exe Token: SeDebugPrivilege 892 powershell.exe Token: SeDebugPrivilege 5108 wL3EGdM.exe Token: SeDebugPrivilege 4388 taskkill.exe Token: SeDebugPrivilege 4568 taskkill.exe Token: SeDebugPrivilege 4656 taskkill.exe Token: SeDebugPrivilege 1596 taskkill.exe Token: SeDebugPrivilege 1520 taskkill.exe Token: SeDebugPrivilege 608 firefox.exe Token: SeDebugPrivilege 608 firefox.exe Token: SeDebugPrivilege 2844 f20db32785.exe Token: SeDebugPrivilege 4632 WindowsUpdaterConf.exe Token: SeDebugPrivilege 5088 WindowsUpdaterConf.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 1248 i1A5m12.tmp 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 608 firefox.exe 608 firefox.exe 608 firefox.exe 608 firefox.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 608 firefox.exe 608 firefox.exe 608 firefox.exe 4308 919e5e3042.exe 4308 919e5e3042.exe 4308 919e5e3042.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5108 wL3EGdM.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2868 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 30 PID 1448 wrote to memory of 2868 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 30 PID 1448 wrote to memory of 2868 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 30 PID 1448 wrote to memory of 2868 1448 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe 30 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2868 wrote to memory of 2848 2868 skotes.exe 32 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 2848 wrote to memory of 1248 2848 i1A5m12.exe 33 PID 1248 wrote to memory of 1052 1248 i1A5m12.tmp 34 PID 1248 wrote to memory of 1052 1248 i1A5m12.tmp 34 PID 1248 wrote to memory of 1052 1248 i1A5m12.tmp 34 PID 1248 wrote to memory of 1052 1248 i1A5m12.tmp 34 PID 1248 wrote to memory of 2120 1248 i1A5m12.tmp 36 PID 1248 wrote to memory of 2120 1248 i1A5m12.tmp 36 PID 1248 wrote to memory of 2120 1248 i1A5m12.tmp 36 PID 1248 wrote to memory of 2120 1248 i1A5m12.tmp 36 PID 1052 wrote to memory of 2148 1052 net.exe 37 PID 1052 wrote to memory of 2148 1052 net.exe 37 PID 1052 wrote to memory of 2148 1052 net.exe 37 PID 1052 wrote to memory of 2148 1052 net.exe 37 PID 2868 wrote to memory of 632 2868 skotes.exe 38 PID 2868 wrote to memory of 632 2868 skotes.exe 38 PID 2868 wrote to memory of 632 2868 skotes.exe 38 PID 2868 wrote to memory of 632 2868 skotes.exe 38 PID 2868 wrote to memory of 4932 2868 skotes.exe 40 PID 2868 wrote to memory of 4932 2868 skotes.exe 40 PID 2868 wrote to memory of 4932 2868 skotes.exe 40 PID 2868 wrote to memory of 4932 2868 skotes.exe 40 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 5108 632 wL3EGdM.exe 41 PID 632 wrote to memory of 1180 632 wL3EGdM.exe 42 PID 632 wrote to memory of 1180 632 wL3EGdM.exe 42 PID 632 wrote to memory of 1180 632 wL3EGdM.exe 42 PID 632 wrote to memory of 1180 632 wL3EGdM.exe 42 PID 1180 wrote to memory of 636 1180 cmd.exe 44 PID 1180 wrote to memory of 636 1180 cmd.exe 44 PID 1180 wrote to memory of 636 1180 cmd.exe 44 PID 1180 wrote to memory of 636 1180 cmd.exe 44 PID 5108 wrote to memory of 2760 5108 wL3EGdM.exe 45 PID 5108 wrote to memory of 2760 5108 wL3EGdM.exe 45 PID 5108 wrote to memory of 2760 5108 wL3EGdM.exe 45 PID 5108 wrote to memory of 2760 5108 wL3EGdM.exe 45 PID 5108 wrote to memory of 2600 5108 wL3EGdM.exe 47 PID 5108 wrote to memory of 2600 5108 wL3EGdM.exe 47 PID 5108 wrote to memory of 2600 5108 wL3EGdM.exe 47 PID 5108 wrote to memory of 2600 5108 wL3EGdM.exe 47 PID 5108 wrote to memory of 1632 5108 wL3EGdM.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe"C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\is-HMOUS.tmp\i1A5m12.tmp"C:\Users\Admin\AppData\Local\Temp\is-HMOUS.tmp\i1A5m12.tmp" /SL5="$80216,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" pause raf_encoder_12525⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 pause raf_encoder_12526⤵
- System Location Discovery: System Language Discovery
PID:2148
-
-
-
C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe"C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2120
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wL3EGdM.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsUpdaterConf.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsUpdaterConf.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsUpdaterConf" /tr "C:\Users\Admin\WindowsUpdaterConf.exe"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3160
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c timeout /t 1 && DEL /f wL3EGdM.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\timeout.exetimeout /t 15⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:636
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012549001\a4f04596a1.exe"C:\Users\Admin\AppData\Local\Temp\1012549001\a4f04596a1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:4932
-
-
C:\Users\Admin\AppData\Local\Temp\1012550001\348e03bb82.exe"C:\Users\Admin\AppData\Local\Temp\1012550001\348e03bb82.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3452
-
-
C:\Users\Admin\AppData\Local\Temp\1012551001\919e5e3042.exe"C:\Users\Admin\AppData\Local\Temp\1012551001\919e5e3042.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4308 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4656
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:1884
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:608 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.0.958296279\1822373202" -parentBuildID 20221007134813 -prefsHandle 1228 -prefMapHandle 1220 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97f4b98d-5084-460d-b90a-edab2b0c8960} 608 "\\.\pipe\gecko-crash-server-pipe.608" 1292 117f3858 gpu6⤵PID:1548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.1.1811131672\1158441175" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {283b4490-5d36-489c-9dbf-69f3dcb60e4e} 608 "\\.\pipe\gecko-crash-server-pipe.608" 1508 d71558 socket6⤵PID:2780
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.2.1923937345\1959328136" -childID 1 -isForBrowser -prefsHandle 2096 -prefMapHandle 1916 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f49d344-f00f-45a3-b022-914b3d214ab4} 608 "\\.\pipe\gecko-crash-server-pipe.608" 2108 1a5ca858 tab6⤵PID:1308
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.3.2146878614\516570608" -childID 2 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53abb527-e46d-4a9d-821f-8edd7eb37459} 608 "\\.\pipe\gecko-crash-server-pipe.608" 2960 d5d258 tab6⤵PID:3464
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.4.180954198\864184680" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61aa08ab-c35d-4119-bb4f-289e512f7bc8} 608 "\\.\pipe\gecko-crash-server-pipe.608" 3744 1f78d058 tab6⤵PID:4748
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.5.537799698\1120326077" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3856 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88112841-7c41-465f-a682-c68fb83099ab} 608 "\\.\pipe\gecko-crash-server-pipe.608" 3840 1f78df58 tab6⤵PID:3036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="608.6.1549473343\229366962" -childID 5 -isForBrowser -prefsHandle 4052 -prefMapHandle 4056 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 792 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba9b0375-272e-4088-911a-7b47b2d872db} 608 "\\.\pipe\gecko-crash-server-pipe.608" 4040 1feb2e58 tab6⤵PID:1844
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012552001\f20db32785.exe"C:\Users\Admin\AppData\Local\Temp\1012552001\f20db32785.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
C:\Users\Admin\AppData\Local\Temp\1012553001\eec1130907.exe"C:\Users\Admin\AppData\Local\Temp\1012553001\eec1130907.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3388
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B14851AD-09F7-4F91-8325-78173D5D17CF} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵PID:4212
-
C:\Users\Admin\WindowsUpdaterConf.exeC:\Users\Admin\WindowsUpdaterConf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4632
-
-
C:\Users\Admin\WindowsUpdaterConf.exeC:\Users\Admin\WindowsUpdaterConf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50698bc248686cf560e7b8dfc83f5dac9
SHA1dd6488d5082d9c52ec3660b018062eb0802b7c33
SHA256bedfe9c5703ce2e5ef39ca2497e6b3b48c547dcf03163d8e7c5c14fb7d1cf87a
SHA51224b6785af1308991ba37f449f32cdbaeee5050b6b4bac3abb565374b8bc0dca35b452c8277173a8553c615467a26a48b657e900a73611e7f846e5f7c0060b896
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
Filesize30KB
MD5196b8690a68da78546177d7194f8a3b3
SHA159624f649ad63e487256c9d79be4838b63ddf4c4
SHA256561085325bbb0cda4373be858d301f2c891852ba5c431d6e99a9e7b4dfcaaa26
SHA512845c91d85f9b20d25e11aa71f2030d94250be5ebf726d4314d13df8ae58a5ece0d9deab52a518fd64a8007e02fbfde2e0c1803e326d66de1c0066a2c98ed2692
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
3.4MB
MD53a16d0e4e4522073da3c8a5a9f9e790b
SHA17a42a21a348d2e49c67b426d333a5c354ed2c83e
SHA256ccc4dd64df98c26da462a17a8df9f927d02e202d88ada8cfba92b7bbeb954c3e
SHA5121213c3e077b660afa65133f0b5943bd866f02d736284791dc99ae4d30c6ed7705eb55999cb4a3be1cc0a394111904154bc72a2d0f1fdc453893ecf9a4a25b99a
-
Filesize
3.3MB
MD57823e902900881094372948957825fe1
SHA1297a663f3b64fb9863164d10ac698bef03dd3a0f
SHA25692d36e5fb3fdbf10ad10c7880c40013c2e21b8a49e20720137d2b4851681233f
SHA51260d4ea35cfec5154cfa3cb767de7c839ca8b3987b27599ea218ec1c47f1d111a59f193cd3cfd1266ae384434ae653f1e0a297f7222a2592e529b2b4404dd6238
-
Filesize
612B
MD5e3eb0a1df437f3f97a64aca5952c8ea0
SHA17dd71afcfb14e105e80b0c0d7fce370a28a41f0a
SHA25638ffd4972ae513a0c79a8be4573403edcd709f0f572105362b08ff50cf6de521
SHA51243573b0cbaac6e2e1646e6217d2d10c40ad10b9db1f4492d6740545e793c891b5e39283a082896c0392b88eb319dfa9392421b1c89c094c9ce9f31b53d37ebaf
-
Filesize
1.8MB
MD514553b3e4f83021e14520e0f62f95a24
SHA135f37fc3ed8d53920b96b8485e741097cfcd05ba
SHA256d31671f91056db4b63277269b84841872b047643116fce88f5952393daa22691
SHA5129f1a23fa7632155407bdbe9eb2a21708b241906d817c9eaa8cfef2ca65acf67135d8b8e7249b580f67685ccec9b487b65ff1c48378af6418bc7976393dbfdc90
-
Filesize
4.9MB
MD5ebe3d112a464bca87d0600558998c287
SHA1e24f303f33d3d4bd2afc5bc0392de5f14e4bd72a
SHA25608c78546997ccfbffb833a115f8888ad128e5c4d43bddd9e01e2105132ef0824
SHA512fcfd10bd5c930ec50bfa011752db8a28526994712ecb3b905d2d892099df69dcc90ff881669f5b323b99ae9a19061cb5c8abb86b18fc31012d9b91b653c24bed
-
Filesize
948KB
MD59e7ce696dfdb127b028a0610a441047d
SHA179a7805f957617896fd16ec5d1db102d9809f667
SHA256bcb1df1e3ce692f4e284bf91f1873696933a5f2ffd87ac966b719e492b43d1eb
SHA512b226a736eee638e1ef2dc4dfdb6193b23756b525d665209efc6094ba119ddff3004844b8439034e67d79ded9ddff82369edf6d735f72a0e916763dedfa6d1c0a
-
Filesize
2.6MB
MD510f89bc59dd3ebb89c8437a590abbb97
SHA1cb65670a5597fe2bca2423648b7e8325eedbe112
SHA256252af078fcf7992ce1afa0449ffa8591725bf9c46219b19d85369fdc657c8b00
SHA51260d3cedf0b29d9dfdf0eb030ffa817fb102f72bbe6cc5e105d17cd9ddd355c3e9e4374f10bef70919d033f83b3eb1f311bf868bc922633ba8482a9776c84db5d
-
Filesize
1.9MB
MD589109257f23f068de9f04a3c59df2b15
SHA103ea7063a9d7b54bcdea8f11a990e668d9346121
SHA25674567ee5c75fd4a34c44dc8c75e9f4ea1dcf3c60d6d3fff4e8d8526460e49b10
SHA512b3203b1dbbb28a8f0e69e067c9b48e6a930e05046674f3b7f82a76b4b2ff0f8535150ed46dddbe8421fe4ced283f9edf76e2d15f54c454d43771f4e350655f48
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.8MB
MD5cd86e4c2fbaf81cb17606d69108fff47
SHA197117dadf1a95214ceaf1d1d9337dae317c6a358
SHA256458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e
SHA51242393ee97337b197a176032276b9da8bd3ba26d5e5a36751130271422a9cb0a91d50a22c9f75e4de77083b47d8b6c7f54c5f1ebccd09f97dbba8eb6591554748
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD52662a9600ccd59babd54e97f51aa90ba
SHA1ee58912ec6d633df026a86b97dc1600226b5a8b6
SHA2561491d0a4c702b279cdadcff9b19c30765e0efad67e62cd7c3aa605e5eb080de5
SHA5128da4a0e94a6c5f82f5bd0ed6c8788051500cd5ff8985a027b91a015e204f881626eb365f860000e5521829c53d2c67520c3598132f036c5e0d0e63b189cfc24f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD5d2929e0f60418bc6fdf14ffbea108ba8
SHA119ba0cd29b7f7300db39e8f11bcfe3ba754940f2
SHA2564a488ba89536a3c8ea3d41f7f4ee745e8c322f28f3f7aef7135677f231c1b074
SHA512e378cafcb552b915fd8d01d41f48954e7d6db52c6e00b8fdf08cac7c272888c923a6a0aa2536dc352c738664b6206579aba34a48a67173be4a5968004cd8382d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\a95c4b6c-b031-404f-9822-b820a690332a
Filesize733B
MD56519958242077f4f8e3f1f56b4c146dc
SHA1478b320acaf5f62e2e77370419f98133eaef5b24
SHA256b751b482770c2e863f43cd275a7bb477820bf1c0f2c804e9c3862d32438c9891
SHA5123fce71636cb6634dc15fe87ecd4fbfb7e320bc8319d45b7a3472b6987c7e5dece683f63f6701e7bb6cd5961a44dfd6cc6bd408d2252d10defbe7f9dfd1a491a8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD518b4b540e57b35bbba9f1c766c9d8f29
SHA1d19bab482f6bda68994c075a1fdf710e52eaa5ff
SHA256059429a7d3f71ed603dc37e25ed0bf9793558ae73a9f14e51917da03b431bd65
SHA512575fc671d32e7675c9f1aee365943696838d154aef65f91df9ed4a42965ca7ba407f1682611250710a0f75deaa04da8444e200b283d0010dfe93ab2fbe22edda
-
Filesize
7KB
MD5c86b3f084fbb7b89d0ac359d924fd45a
SHA1688e9d793790e07d0219638c7fcbb65535578580
SHA2561c8ce416332ef727f95b3a86b20922ebff35b290eb9952c4f1c8a759853a3fe9
SHA5127033ab834512d0ba885e3ce6b7ebd09c16bdd0172115dac36c698c29dd85934fea133ddf05526357100458f3954d083f8dd18e71dd1f3614c4f7c5b4a30f9ee4
-
Filesize
7KB
MD5fc8f911edd88aa04e7176e29a423d70b
SHA1fa529cda71a03355d3a79b9bc7e47a94e66b6f8d
SHA2560dc11c9d248d3f390815844eacf72a98a3a6aa9257aee08ce2070dd7fdeb351d
SHA51225ca6ab8930fe6a44cb7983b0a969d3387a3b569905ad1702655c9f81d64083a9b4a20f81555adf9e111bf6fbd228c64d5965308bc2505de4f9c07259f8a6a3a
-
Filesize
6KB
MD5fe79c287f7eaa45653547fab4635cbb5
SHA1034a07048ab5a1c5e5274df8a6ca2e732d4ff7a8
SHA2566eb9651a68c3dc6d1a1fdd47791485c21754aaa4f47a1d3ebdb67554be13d7af
SHA51282653c9b461ff8ecb485209717d4303dc0f269ef013ddcd62ce438f683d585a2db26069956da3990cefae6c1e7ceb0a44c51e50e2adec7b1e119206e7be3cfbe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD58bcdd220c60a0157d4519979b0513750
SHA1bbb59529a9fbf8adeacc9c8aeb6d259e5804bc4d
SHA25694075b140afe06d951dbe711d87c0564a7743600faaac40a2959899eeff0e938
SHA512f60978b0c7cbeb8a15b7baa85fd0143364202d68f8b3372b3484000676d7d94943e006bfb965137b063d5bb558329d18aed8eabd0010f9feb5f6103f5542e50f
-
Filesize
2.8MB
MD5b466bf1dc60388a22cb73be01ca6bf57
SHA121eb9665e42d6c4a8d9e764627049b2a6e3a69a4
SHA256e5f0f0c3383080fc2702779e3040c490ab022af69a4bc8c61bf9b1f6514ae7ad
SHA5126cb51dae17b3bcef6254ecf6538ecc49cdd53c40c979fd743f49987b28d05c033781b1047dbf25b203b02bf70ce4205dcc1cc5bbea46119cb0e2cd0ce140cbe2
-
Filesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
689KB
MD5e672d5907f1ce471d9784df64d8a306b
SHA16d094cae150d72b587c5480c15127d7059e16932
SHA2569f9250be71bd6254790a9630990f4560d53995db3d8737b7f49986e3551283e5
SHA5129cf10e997d8d99e6eb2f6ccac00ab365f63e03d96c2e2354fdf67683b85553a60cd9542cfb21cbea468c6a2bda454cde71937c0d21c4b738451b5e2c30690c39