Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2024, 20:21

Static task: static1
Behavioral task: behavioral1
- Sample: 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
- Resource: win7-20240708-en
General
- Target: 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
- Size: 3.1MB
- MD5: 886fd50dfb9b19d4a9bf5bf95d171d3a
- SHA1: d9c9d0a9bef7cf2a5aaa12a9cda7eed6d1c27e0f
- SHA256: 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68
- SHA512: 6eae44ba4c95880b4bff9ce9e3680b985904229901511902d962ca6b9813f50031a1945c332d5ac549a937b47b93cacb7786e007ae7b1b1b87b9f712127a00c9
- SSDEEP: 49152:N2WqCMdnSJQRENeT4Til6jEBELWaZbb7kLW3RpM+:NcCMRSJQWNeT4TiQQK3
Malware Config

Extracted
- Family: amadey
- Version: 4.42
- Botnet: 9c9aa5
- C2: http://185.215.113.43
- Attributes:
  - install_dir: abc3bc1985
  - install_file: skotes.exe
  - strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  - url_paths: /Zu7JuNko/index.php

Extracted
- Family: stealc
- Botnet: stok
- C2: http://185.215.113.206
- Attributes:
  - url_path: /c4becf79229cb002.php

Extracted
- Family: lumma
- C2:
  - https://impend-differ.biz/api
  - https://print-vexer.biz/api
  - https://dare-curbys.biz/api
  - https://covery-mover.biz/api
  - https://formy-spill.biz/api
  - https://dwell-exclaim.biz/api
  - https://zinc-sneark.biz/api
  - https://se-blurry.biz/api
  - https://atten-supporse.biz/api
  - https://infect-crackle.cyou/api

Extracted
- Family: amadey
- Version: 5.04
- Botnet: 397a17
- C2:
  - http://89.110.69.103
  - http://94.156.177.33
- Attributes:
  - install_dir: 0efeaab28d
  - install_file: Gxtuum.exe
  - strings_key: 6dea7a0890c1d404d1b67c90aea6ece4
  - url_paths:
    - /Lv2D7fGdopb/index.php
    - /b9kdj3s3C0/index.php

Extracted
- Family: lumma
- C2:
  - https://atten-supporse.biz/api
  - https://se-blurry.biz/api
  - https://zinc-sneark.biz/api
  - https://infect-crackle.cyou/api
Signatures
- Amadey family
- Lumma family
- Windows Defender real-time protection disabled via policy registry values (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | f1dd0a3a67.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | f1dd0a3a67.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | f1dd0a3a67.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | f1dd0a3a67.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | f1dd0a3a67.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | f1dd0a3a67.exe
- Stealc family
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7qg0CPF.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d5504f224d.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1cf9a78e39.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f1dd0a3a67.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 16 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d5504f224d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1cf9a78e39.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1cf9a78e39.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f1dd0a3a67.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7qg0CPF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7qg0CPF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d5504f224d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f1dd0a3a67.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
- Checks computer location settings (2 TTPs, 5 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | skotes.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 7qg0CPF.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | word.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | word.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
- Executes dropped EXE (14 IoCs)
  pid | Process
  4928 | skotes.exe
  1184 | qtmPs7h.exe
  2684 | 7qg0CPF.exe
  4780 | d5504f224d.exe
  1552 | 1cf9a78e39.exe
  1612 | 5544bd5252.exe
  740 | word.exe
  1836 | f1dd0a3a67.exe
  396 | skotes.exe
  6088 | word.exe
  2000 | word.exe
  3996 | vector.exe
  5744 | vector.exe
  632 | skotes.exe
- Identifies Wine through registry keys (2 TTPs, 8 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 7qg0CPF.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | d5504f224d.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | 1cf9a78e39.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | f1dd0a3a67.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | skotes.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  2684 | 7qg0CPF.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows Defender tamper protection disabled via registry (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | f1dd0a3a67.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | f1dd0a3a67.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cf9a78e39.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013027001\\1cf9a78e39.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5544bd5252.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013028001\\5544bd5252.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f1dd0a3a67.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013029001\\f1dd0a3a67.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\word.exe" | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5504f224d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013026001\\d5504f224d.exe" | skotes.exe
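The registry rows in the tables above (the Defender real-time protection and TamperProtection writes, the VBOX__ / BIOS / Wine lookups, the Geo\Nation query and the Run-key writes) all share the same sandbox row shape: action, registry path, optional `= "data"`, writing process. The following is an added example, not tria.ge code, that parses rows of that shape and sorts them into four categories a triage script would care about; the regex, the category names and the rules are this example's own, and the sample rows are copied from this page's tables. CentralProcessor queries are deliberately left unclassified because firefox.exe performs the same ones (see the "Checks processor information in registry" table), a reminder that a single fingerprint key is weak evidence on its own. The WOW6432Node view is stripped before matching so one rule covers both the 32-bit and the native registry view.

```python
"""Classify registry IoCs from a tria.ge-style 'description ioc Process' table.
Added example for this report, not tria.ge code: regex, categories and rules
are this example's own; the sample rows are copied from the report."""
import re
from dataclasses import dataclass
from typing import Optional

# One row per registry IoC:  <action> <registry path>[ = "<data>"] <process image>
IOC_RE = re.compile(
    r'^(?P<action>Key opened|Key created|Key value queried|Set value \((?:int|str)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<data>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<process>\S+\.[Ee][Xx][Ee])$'
)

# Real-time protection switches set to 1 to disable; TamperProtection is set to 0.
DEFENDER_DISABLE = {
    'disablerealtimemonitoring', 'disablebehaviormonitoring',
    'disableioavprotection', 'disableonaccessprotection',
    'disablescanonrealtimeenable',
}
DEFENDER_KEY = '\\microsoft\\windows defender\\'   # covers Policies\... and Features\...
RUN_KEY = '\\currentversion\\run\\'
SANDBOX_KEYS = (
    r'\hardware\acpi\dsdt\vbox__',                      # VirtualBox ACPI table name
    r'\hardware\description\system\systembiosversion',
    r'\hardware\description\system\videobiosversion',
    r'\software\wine',                                   # present under Wine only
)
GEO_KEY = r'\control panel\international\geo\nation'


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    path: str            # registry path with any WOW6432Node\ view stripped
    data: Optional[str]


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised pattern, None for benign or unknown rows."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    action, process, data = m['action'], m['process'], m['data']
    path = re.sub(r'\\WOW6432Node\\', r'\\', m['path'], flags=re.I)
    low = path.lower()
    value_name = low.rsplit('\\', 1)[-1]

    if action.startswith('Set value') and DEFENDER_KEY in low:
        if (value_name in DEFENDER_DISABLE and data == '1') or \
           (value_name == 'tamperprotection' and data == '0'):
            return Finding('defender_tamper', process, path, data)
    if action == 'Set value (str)' and RUN_KEY in low:
        return Finding('run_key_persistence', process, path, data)
    if any(k in low for k in SANDBOX_KEYS):
        return Finding('sandbox_fingerprint', process, path, data)
    if low.endswith(GEO_KEY):
        return Finding('geofence_lookup', process, path, data)
    return None


def summarize(lines) -> dict:
    """category -> set of processes responsible, over a list of report rows."""
    out: dict = {}
    for line in lines:
        f = classify(line)
        if f is not None:
            out.setdefault(f.category, set()).add(f.process)
    return out


# Rows copied verbatim from the report's signature tables.
REPORT_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" f1dd0a3a67.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection f1dd0a3a67.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" f1dd0a3a67.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\word.exe" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1cf9a78e39.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013027001\\1cf9a78e39.exe" skotes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d5504f224d.exe
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine 7qg0CPF.exe
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation skotes.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
'''.strip().splitlines()

if __name__ == '__main__':
    for category, procs in sorted(summarize(REPORT_ROWS).items()):
        print(f'{category:22s} {", ".join(sorted(procs))}')
```

Run against the rows on this page, `summarize` attributes every Defender write to f1dd0a3a67.exe, the Run-key writes to skotes.exe and reg.exe, and the fingerprinting to skotes.exe, d5504f224d.exe and 7qg0CPF.exe; the firefox.exe CPU query and the bare "Key created" row produce no finding.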
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  20 | raw.githubusercontent.com
  21 | raw.githubusercontent.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  25 | ip-api.com
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0008000000023ccb-195.dat | autoit_exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  pid | Process
  4568 | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  4928 | skotes.exe
  2684 | 7qg0CPF.exe
  4780 | d5504f224d.exe
  1552 | 1cf9a78e39.exe
  1836 | f1dd0a3a67.exe
  396 | skotes.exe
  632 | skotes.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 740 set thread context of 2044 | 740 | word.exe | 120
  PID 3996 set thread context of 5744 | 3996 | vector.exe | 140
- Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  2508 | 4780 | WerFault.exe | 97
  4812 | 4780 | WerFault.exe | 97
  3060 | 5744 | WerFault.exe | 140
  1204 | 5744 | WerFault.exe | 140
- System Location Discovery: System Language Discovery (1 TTPs, 28 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 5544bd5252.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5544bd5252.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | word.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vector.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | word.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vector.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1cf9a78e39.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | word.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qtmPs7h.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f1dd0a3a67.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AddInProcess32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7qg0CPF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d5504f224d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 5544bd5252.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 5 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  4184 | cmd.exe
  64 | PING.EXE
  4924 | cmd.exe
  4772 | PING.EXE
  4048 | PING.EXE
- Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 7qg0CPF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 7qg0CPF.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
- Kills process with taskkill (5 IoCs)
  pid | Process
  3664 | taskkill.exe
  4616 | taskkill.exe
  1016 | taskkill.exe
  3308 | taskkill.exe
  4412 | taskkill.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | firefox.exe
- Runs ping.exe (1 TTPs, 3 IoCs)
  pid | Process
  4048 | PING.EXE
  64 | PING.EXE
  4772 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs; one row per call in the report, collapsed here to distinct processes)
  pid | Process
  4568 | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  4928 | skotes.exe
  1184 | qtmPs7h.exe
  2684 | 7qg0CPF.exe
  4780 | d5504f224d.exe
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1184 | qtmPs7h.exe
  Token: SeDebugPrivilege | 2684 | 7qg0CPF.exe
  Token: SeDebugPrivilege | 3664 | taskkill.exe
  Token: SeDebugPrivilege | 740 | word.exe
  Token: SeDebugPrivilege | 4616 | taskkill.exe
  Token: SeDebugPrivilege | 1016 | taskkill.exe
  Token: SeDebugPrivilege | 3308 | taskkill.exe
  Token: SeDebugPrivilege | 4412 | taskkill.exe
  Token: SeDebugPrivilege | 208 | firefox.exe
  Token: SeDebugPrivilege | 208 | firefox.exe
  Token: SeDebugPrivilege | 1836 | f1dd0a3a67.exe
  Token: SeDebugPrivilege | 6088 | word.exe
  Token: SeDebugPrivilege | 2000 | word.exe
  Token: SeDebugPrivilege | 3996 | vector.exe
- Suspicious use of FindShellTrayWindow (34 IoCs; one row per call in the report, collapsed here to distinct processes)
  pid | Process
  4568 | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe
  1612 | 5544bd5252.exe
  208 | firefox.exe
- Suspicious use of SendNotifyMessage (32 IoCs; one row per call in the report, collapsed here to distinct processes)
  pid | Process
  1612 | 5544bd5252.exe
  208 | firefox.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  208 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs; the report prints one row per write, collapsed here to one row per writer/target pair with the number of writes)
  description | pid | Process | procid_target | writes
  PID 4568 wrote to memory of 4928 | 4568 | 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe | 82 | 3
  PID 4928 wrote to memory of 1184 | 4928 | skotes.exe | 83 | 3
  PID 1184 wrote to memory of 4184 | 1184 | qtmPs7h.exe | 84 | 3
  PID 4184 wrote to memory of 64 | 4184 | cmd.exe | 86 | 3
  PID 1184 wrote to memory of 4924 | 1184 | qtmPs7h.exe | 87 | 3
  PID 4924 wrote to memory of 4772 | 4924 | cmd.exe | 89 | 3
  PID 4928 wrote to memory of 2684 | 4928 | skotes.exe | 94 | 3
  PID 4184 wrote to memory of 4448 | 4184 | cmd.exe | 96 | 3
  PID 4928 wrote to memory of 4780 | 4928 | skotes.exe | 97 | 3
  PID 4924 wrote to memory of 4048 | 4924 | cmd.exe | 98 | 3
  PID 4928 wrote to memory of 1552 | 4928 | skotes.exe | 101 | 3
  PID 2684 wrote to memory of 4960 | 2684 | 7qg0CPF.exe | 102 | 3
  PID 4928 wrote to memory of 1612 | 4928 | skotes.exe | 104 | 3
  PID 1612 wrote to memory of 3664 | 1612 | 5544bd5252.exe | 105 | 3
  PID 4924 wrote to memory of 740 | 4924 | cmd.exe | 113 | 3
  PID 1612 wrote to memory of 4616 | 1612 | 5544bd5252.exe | 114 | 3
  PID 1612 wrote to memory of 1016 | 1612 | 5544bd5252.exe | 116 | 3
  PID 1612 wrote to memory of 3308 | 1612 | 5544bd5252.exe | 118 | 3
  PID 740 wrote to memory of 2044 | 740 | word.exe | 120 | 10
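The WriteProcessMemory and SetThreadContext tables together carry the process lineage and the one pair that stands out: every ordinary child in this report receives exactly three writes from its parent, while word.exe (740) writes ten times into AddInProcess32.exe (2044), the legitimate .NET host it also calls SetThreadContext on, which is the write-then-redirect pattern of process hollowing. The following is an added example, not tria.ge code, that parses rows of both tables, rebuilds the tree and flags such pairs. The parsing, the three-writes baseline (an assumption taken from this report's data, not a general constant) and the rendering are this example's own; the rows are the report's, given here with a repeat count instead of being printed once per call, and the target image names are taken from the report's process list because the rows only name the writing process. Two caveats a reader should keep in mind: the report's table is capped at 64 rows, so the vector.exe (3996 into 5744) writes are missing from it and that pair is flagged only by its SetThreadContext row; and the sandbox reuses PIDs (4772 and 2684 later appear as firefox.exe children), so the per-process procid_target column, not the PID, is the stable identifier.

```python
"""Rebuild the process tree and flag injection candidates from a tria.ge-style
report's WriteProcessMemory / SetThreadContext rows.  Added example for this
report, not tria.ge code: parsing, baseline and rendering are this example's
own; the rows and target names are taken from the report."""
import re
from collections import Counter, defaultdict

# Row shape:  PID <src> <verb> <dst> <src> <src image> <sandbox procid of dst>
ROW_RE = re.compile(
    r'^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) '
    r'(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_procid>\d+)$'
)

# (row as printed in the report, number of times the report repeats it)
REPORT_ROWS = [
    ('PID 4568 wrote to memory of 4928 4568 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe 82', 3),
    ('PID 4928 wrote to memory of 1184 4928 skotes.exe 83', 3),
    ('PID 1184 wrote to memory of 4184 1184 qtmPs7h.exe 84', 3),
    ('PID 4184 wrote to memory of 64 4184 cmd.exe 86', 3),
    ('PID 1184 wrote to memory of 4924 1184 qtmPs7h.exe 87', 3),
    ('PID 4924 wrote to memory of 4772 4924 cmd.exe 89', 3),
    ('PID 4928 wrote to memory of 2684 4928 skotes.exe 94', 3),
    ('PID 4184 wrote to memory of 4448 4184 cmd.exe 96', 3),
    ('PID 4928 wrote to memory of 4780 4928 skotes.exe 97', 3),
    ('PID 4924 wrote to memory of 4048 4924 cmd.exe 98', 3),
    ('PID 4928 wrote to memory of 1552 4928 skotes.exe 101', 3),
    ('PID 2684 wrote to memory of 4960 2684 7qg0CPF.exe 102', 3),
    ('PID 4928 wrote to memory of 1612 4928 skotes.exe 104', 3),
    ('PID 1612 wrote to memory of 3664 1612 5544bd5252.exe 105', 3),
    ('PID 4924 wrote to memory of 740 4924 cmd.exe 113', 3),
    ('PID 1612 wrote to memory of 4616 1612 5544bd5252.exe 114', 3),
    ('PID 1612 wrote to memory of 1016 1612 5544bd5252.exe 116', 3),
    ('PID 1612 wrote to memory of 3308 1612 5544bd5252.exe 118', 3),
    ('PID 740 wrote to memory of 2044 740 word.exe 120', 10),
    # rows from the SetThreadContext table
    ('PID 740 set thread context of 2044 740 word.exe 120', 1),
    ('PID 3996 set thread context of 5744 3996 vector.exe 140', 1),
]

# Image names of the written-to processes, from the report's process list.
PROCESS_NAMES = {
    '4568': '28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe',
    '4928': 'skotes.exe', '1184': 'qtmPs7h.exe', '4184': 'cmd.exe', '64': 'PING.EXE',
    '4924': 'cmd.exe', '4772': 'PING.EXE', '2684': '7qg0CPF.exe', '4448': 'reg.exe',
    '4780': 'd5504f224d.exe', '4048': 'PING.EXE', '1552': '1cf9a78e39.exe',
    '4960': 'cmd.exe', '1612': '5544bd5252.exe', '3664': 'taskkill.exe',
    '740': 'word.exe', '4616': 'taskkill.exe', '1016': 'taskkill.exe',
    '3308': 'taskkill.exe', '2044': 'AddInProcess32.exe', '5744': 'vector.exe',
}


def parse(rows):
    """Expand (row, repeats) into one event dict per call; unparseable rows are skipped."""
    events = []
    for row, repeats in rows:
        m = ROW_RE.match(row)
        if m:
            events.extend([m.groupdict()] * repeats)
    return events


def build_tree(events):
    """parent pid -> list of (child pid, sandbox procid), one entry per child, in order."""
    children = defaultdict(list)
    seen = set()
    for e in events:
        if e['verb'] != 'wrote to memory of':
            continue
        key = (e['src'], e['dst'], e['dst_procid'])
        if key not in seen:
            seen.add(key)
            children[e['src']].append((e['dst'], e['dst_procid']))
    return children


def injection_candidates(events, baseline_writes=3):
    """(src, dst) pairs that look like injection rather than plain process creation.

    Assumption from this report: ordinary child creation leaves exactly three
    WriteProcessMemory rows.  More writes than that, or a SetThreadContext on
    the same pair, is flagged."""
    writes = Counter((e['src'], e['dst']) for e in events if e['verb'] == 'wrote to memory of')
    ctx = {(e['src'], e['dst']) for e in events if e['verb'] == 'set thread context of'}
    flagged = {pair for pair, n in writes.items() if n > baseline_writes} | ctx
    return sorted(flagged, key=lambda p: (int(p[0]), int(p[1])))


def render(children, root, names, depth=0):
    """Indented text tree, one line per process, children in creation order."""
    lines = [f"{'  ' * depth}{root} {names.get(root, '?')}"]
    for child, _procid in children.get(root, []):
        lines.extend(render(children, child, names, depth + 1))
    return lines


if __name__ == '__main__':
    events = parse(REPORT_ROWS)
    print('\n'.join(render(build_tree(events), '4568', PROCESS_NAMES)))
    print('injection candidates:', injection_candidates(events))
```

On this report's rows the tree has twenty nodes rooted at 4568, skotes.exe (4928) fans out to the five downloaded payloads, and `injection_candidates` returns exactly the word.exe/AddInProcess32.exe and vector.exe/vector.exe pairs; the 3996 pair is absent from the tree because its writes fell outside the 64-row cap.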
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe"C:\Users\Admin\AppData\Local\Temp\28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 75⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:64
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4448
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 95⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4772
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 95⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4048
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"C:\Users\Admin\AppData\Local\Temp\10000760101\vector.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5744 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 12529⤵
- Program crash
PID:3060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 12729⤵
- Program crash
PID:1204
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6088 -
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1012992001\7qg0CPF.exe"C:\Users\Admin\AppData\Local\Temp\1012992001\7qg0CPF.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpF983.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpF983.tmp.bat4⤵
- System Location Discovery: System Language Discovery
PID:4960
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013026001\d5504f224d.exe"C:\Users\Admin\AppData\Local\Temp\1013026001\d5504f224d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4780 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 14924⤵
- Program crash
PID:2508
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 14924⤵
- Program crash
PID:4812
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013027001\1cf9a78e39.exe"C:\Users\Admin\AppData\Local\Temp\1013027001\1cf9a78e39.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\1013028001\5544bd5252.exe"C:\Users\Admin\AppData\Local\Temp\1013028001\5544bd5252.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3664
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4412
C:\Program Files\Mozilla Firefox\firefox.exe (level 4)
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
PID:4552

C:\Program Files\Mozilla Firefox\firefox.exe (level 5)
"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:208

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75235222-2a56-4ab3-9e30-5c8153b5d0bf} 208 "\\.\pipe\gecko-crash-server-pipe.208" gpu
PID:2576

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c43955f9-4888-4279-99d0-acd2353b303f} 208 "\\.\pipe\gecko-crash-server-pipe.208" socket
PID:4772

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 1 -isForBrowser -prefsHandle 3276 -prefMapHandle 3180 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aeb9cdd-437f-4c20-a9fd-008e6990c2b3} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
PID:4228

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4196 -childID 2 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {188c883a-acb0-4673-85c2-496c837b2247} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
PID:2684

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4764 -prefMapHandle 4760 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdc0c7b6-05b4-408c-b242-5e62e72cd0bc} 208 "\\.\pipe\gecko-crash-server-pipe.208" utility
- Checks processor information in registry
PID:5500

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5224 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e5e1adf-75d6-4150-99db-bdcbe7022243} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
PID:856

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac90015-04b2-407d-98e4-428eb6d4e677} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
PID:3484

C:\Program Files\Mozilla Firefox\firefox.exe (level 6)
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5712 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e8ceec6-d644-4c98-9006-a6a7cea29e35} 208 "\\.\pipe\gecko-crash-server-pipe.208" tab
PID:3160

C:\Users\Admin\AppData\Local\Temp\1013029001\f1dd0a3a67.exe (level 3)
"C:\Users\Admin\AppData\Local\Temp\1013029001\f1dd0a3a67.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4780 -ip 4780
PID:2644

C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4780 -ip 4780
PID:1844

C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4780 -ip 4780
PID:2692

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1)
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:396

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1)
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:632

C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5744 -ip 5744
PID:1428

C:\Windows\SysWOW64\WerFault.exe (level 1)
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5744 -ip 5744
PID:2276
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads

Filesize 1KB
MD5 7dca233df92b3884663fa5a40db8d49c
SHA1 208b8f27b708c4e06ac37f974471cc7b29c29b60
SHA256 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
SHA512 d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json
Filesize 19KB
MD5 95214479f46f5af44eddd46858e238fb
SHA1 2a07f8cd9ac4e20f4a1ad5a93afd9c932370a432
SHA256 120bd485aad83d90fe90fe74799626a76e065144cebd77b6bc8ac709e8657f72
SHA512 70e1f100ebccbda5f345baa844cd71222f901191c1de78542d0544506fc60ffaef3d2aac02fe0da90f3dd31e05c14e9050e5f124d83b1ecf95fb84b1863fb146

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize 13KB
MD5 e0d7c376aafac4bce7ada9b3b3b4d4f7
SHA1 17138b270596f496481f72c456ff997deb67e00e
SHA256 a426c3b95002f17d267da9e6f9a768486f7a4feb9b5bdd12eca53e944f3eaf8d
SHA512 4ea06fc132c7021abade58f086483b33946731c8c2c72ac3783fb2e1f4d4d9b2b0873ea2e6513d7a7f449c88e45d098cd1d209703ea97f6def947056ad2cb0fa

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize 15KB
MD5 96c542dec016d9ec1ecc4dddfcbaac66
SHA1 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512 cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Filesize 5.0MB
MD5 b183e5ff29a1532a84e5a38983ab9e4e
SHA1 230c9cbd2e14598aaf73ae78c85c998a6b923a51
SHA256 81a45f430c102365b46c663203ae5708b6befe2848f01efc7b702aff7170c901
SHA512 31be2761821fb6bc81a010a3f68fa6901aa5e9768e9c57db53b52e0495c7340abccc9191500aa39540fef159578403e78d2af31ac364b89774d5f359b54c6c1e

Filesize 2.5MB
MD5 d1e3f88d0caf949d5f1b4bf4efbb95a4
SHA1 61ffd2589a1965bf9cb874833c4c9b106b3e43e8
SHA256 c505f3b2f40b8a68e7cacfe2a9925498ab0f7ef29aa7023bb472597021066b2e
SHA512 5d4c43e858371f24ebafb56388a586c081d7b0289a3b039dbb2b011e9864e8e9f5dc7037fcb3e88f4bec4259a09ce5f3ccdae3161b43dff140e0e4ca7bff96c3

Filesize 799KB
MD5 89bd66e4285cb7295300a941964af529
SHA1 232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
SHA256 a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
SHA512 72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498

Filesize 5.9MB
MD5 3297554944a2e2892096a8fb14c86164
SHA1 4b700666815448a1e0f4f389135fddb3612893ec
SHA256 e0a9fcd5805e66254aa20f8ddb3bdfca376a858b19222b178cc8893f914a6495
SHA512 499aa1679f019e29b4d871a472d24b89adddc68978317f85f095c7278f25f926cbf532c8520c2f468b3942a3e37e9be20aea9f83c68e8b5e0c9adbf69640ad25

Filesize 1.8MB
MD5 4ac9141ca54abebc30ba2dbbd8202328
SHA1 0af8d99177f5a204341e92179e3df4fc7250f55b
SHA256 26617312efc260714a32d2fb9f34581833a9437197f35a0ecfd091eb48518c36
SHA512 11111f1dc8e17e935f138800ec358084a4ddc31475b2ea52af58c83539c48425f8831a7449e87bf9df2551930c4891db7a2f78fa0df1cf711f9268ef6922e720

Filesize 1.7MB
MD5 5d5cbdd1801035e2485e7353df38e0c3
SHA1 569f6804a09e94d2413f0239c26a7e47734178a3
SHA256 678b506795611f59eec55a7003e31a378679db301b5669cdf8d2c9b0826cfede
SHA512 36d5081f994c44774548fcb8fa05d3461f1cc823b62fab79b949bafc3e26f457a58f278bce3fccaa79d43b92607ce61d38d687fcffa8863e273321cf493c75ea

Filesize 951KB
MD5 76c2c0bba853abfff5189ac4c5bbfa7b
SHA1 5e360faf571e5623ecc24bc075dd990038689fed
SHA256 fdc3cce2d6bad9345ec450432e8456b645d73a5a9d1852da73444c5976f4488f
SHA512 739c03ebe636c78aa7d2d4da6fe2066886dcdff63bcd644150c75e52a724ae7559dc3f1e0b5425e74f9abd3873295e6b1f3ae0b7b1777222bb0b702a0cfca6ff

Filesize 2.7MB
MD5 fbb08fc5dee68a2eeaeb7c1d17493afd
SHA1 d87a00662b3348fd21ace933f094e89ba64ad377
SHA256 74d427ab9ed2d9e35230134138b929b7528054e7a1330ca4f50997746b0cd55c
SHA512 39fa6630e5f50dee9ef6216c954fdf64507fe940ee3211e2a6eb0ba659036d655b14aae8f61d88049d83fe7c3eda9c629844d8a005ad96b08efbacdd7fed2176

Filesize 1.4MB
MD5 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1 fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512 fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Filesize 3.1MB
MD5 886fd50dfb9b19d4a9bf5bf95d171d3a
SHA1 d9c9d0a9bef7cf2a5aaa12a9cda7eed6d1c27e0f
SHA256 28a0cc64390601b982a6af8781fd8d186e8647c1ed32d6fe2c66261777128e68
SHA512 6eae44ba4c95880b4bff9ce9e3680b985904229901511902d962ca6b9813f50031a1945c332d5ac549a937b47b93cacb7786e007ae7b1b1b87b9f712127a00c9

Filesize 186B
MD5 790dd6f9aab53b59e358a126dc5d59fc
SHA1 ec6bf3eb0fa5d2e37c694bf71254e0ce0be1a5fc
SHA256 7ca8c160037742b7da30366775d7aae7882a98e1fbfdbbefb743c2a93d6b1c52
SHA512 a9d819b8d771febfa027de6f201d4effaf7bdd3334255707dddceb57b2b322649698903ee5d72f0e431780d29b01abedd5250d372100e6c66c0639965f86c7ef

Filesize 479KB
MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize 13.8MB
MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Filesize 76KB
MD5 0e362e7005823d0bec3719b902ed6d62
SHA1 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Filesize 90B
MD5 a6a3307168bde1f1cfb76938bbb1b767
SHA1 f74022c6d369eadcc7d38930d529b9df567b711e
SHA256 2bd6046d8a6f73c4a6992de56c3b15bcad1b42d816d82b58edb96c973b3a4bf7
SHA512 8836539fe7ca7552990bc447da2afe0091b35861564b1f2243df4ec92d0f6218884ca0c6cf8db1a3f985abb5d2518e5f2106fb2db8603bb803d94b0bdbb7b946

Filesize 90B
MD5 143b614965f028ced930cdeb55098ef4
SHA1 1e9a4e297a456f49867abce027a75f834c5123d3
SHA256 8431a02b54429dde6da83a208b8cf731a50df7bd418b9257f7e713f8dd2e5620
SHA512 c3623dd7821778f5fba4792c52ff37671cddb98a064e0ad7f8df72e87f95dfd56118187908be65daaea082a49eb705d1a2743b5060155ca5e8629038f0a433d9

Filesize 116KB
MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin
Filesize 8KB
MD5 198a30e6440f44dae1c8aa61695f20a6
SHA1 1caed27ea6b4f44941a0375f847c0c8c54c0a5b3
SHA256 2e928bad2def25559bccd0048e4ab6a4788bc882c9a48e5911e7b44bee8fa3d4
SHA512 8a5582784134579c9a66407c7e3d0fd485f32caec83fed25196e6ec6cc60440eff0f40e2933cb503ff3c281ae74b478ee076faf4b8fb8d081490e8d0006680cc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 27KB
MD5 b934da1852265b9ae693551ce91e4ef7
SHA1 d6128ea75c3860b6415947c7e243e1213a6e932b
SHA256 2e83d0c4a7ae15a201588d3748640c7d92ce0ea81ac7fac2e24823bcf263c0c2
SHA512 9bdb14ea11e0e0bf2d538ecba8359640ae257441068b00b35dd560b185f4cee18763edde7b1e2c952fa272fbac7a79f8cbe30ae26410f906207ca4186e3719e6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 27KB
MD5 5ffd488f9b1555a45e865fc6bb3bd625
SHA1 a5b1fd7ca41d02cef7f95a21ff79be643e56b738
SHA256 c3a5653c148c11c9a0251bf0c0c72136f9a167b76f2b66ffe261a05ffa02bb71
SHA512 f08ede45ff95d6c1d9a739ee9c58ca63a54c7eb2506ab4dca5ac8c5c4df38efb77f39a96a67a809f57e68ed77c596897ab21dff3ae3b3504d30c0b9bb5222e95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 6KB
MD5 219a0ed6e953ed65730846023f627947
SHA1 9d33e9a71639a6af9e1bd7aed497bfee1ceadbaa
SHA256 23ec536ca691ae47a1a4c1daada2cec77dc0e218dfc9b88c8a6de3058b762591
SHA512 b569164bf8f292817b331a095629d4f15466c428a37abafed1fba93062faa45b5165c67a6cd2f56e4918a1b0f5eb1c2e010c915f2e65dff1ef2852cc3d164f6f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp
Filesize 5KB
MD5 3dfce1761fa8c063691d0ef686f5d26b
SHA1 0ea78c6298a503cf67cdeffb995931410576177b
SHA256 75e43d5dbb9e3ab7690b151fb8ed88fe4ece739746b93637b8a0cc0c66ec5a60
SHA512 3da0d04fc14ec2a3ef5700af807666bdba7ce57e5471fb802ce282597f318ddd0ed5b5a17f8d69ba39052308a5a88a859e747ee18e781a7b2d722d1663f8f359

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\03bd6afa-5861-4b6b-a353-46b91e917acd
Filesize 671B
MD5 49cba6ad3ba8800faf879d8541a22249
SHA1 4154da901eb3e82365d16c9de155edca55ed07ea
SHA256 354d2a26890458ceb02766cfb7e73a9b1ebe6cb80fc48d37e8486e3463d18eaa
SHA512 16413bf4b8b35b73f23a4bf7e8e730971cf78be80f9597d05ff098f51ed572bef231bfc946febf61dd584f7af329993b5ef640adcb84905d549e23420dd73bb0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\86f0787e-433f-47ba-a1da-083fb01eaa0e
Filesize 26KB
MD5 5158e8d457aa41ed54f23d31da9f8936
SHA1 f0cb5937bc1e950eb047fa925571c792f99ecc05
SHA256 c013b72308aa431fa01e10fd215b54ae66944dd9add251358176b3e20a0e2346
SHA512 bc590bba1f285426a2d1cfcbd1b78ee1f216634bd36671688729ca94929feb607e68092f4ac56f50bd5540a5bac2d5bd307e085298c02f2e0adf2425c9059330

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\9bc09477-e124-4de2-b60a-b668100a65da
Filesize 982B
MD5 4cffc3fb16c8551fd910bc0e8a64d29f
SHA1 fc7ca5d09014b28be809f3ebfb1a2909793daa5a
SHA256 bc9f9b32fdbdbb70cb6d0f02173271f1223625ed68abc44ab9dec5d1a3f1ff91
SHA512 34cfb5000f5364a871105e4152e9fd1d1d971d6756cb93a508b0194e04b7a798b986ff532be97075b9ce2fca9caf5965e7bab4dbd42da904923bfbc5300457ec

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize 1.1MB
MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize 116B
MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize 372B
MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize 17.8MB
MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize 11KB
MD5 3583bb705d099f99d5b9be20b9b327b9
SHA1 1ec3186061396684db64045efbe18b0a45003b45
SHA256 5d30bf5ce08a92b15ec119ee8326550611df97ecc153040ba272839ce95c7099
SHA512 83f86b7f4efbc4e47d1ea1a405189b234608a901b9ff5307d7f34324c39ee1ebfe5a11158ff9dd07fcfb7649a13298572639895533a164f7b9976b84f5d77bb2

Filesize 15KB
MD5 f5b1011a158283c26985c1c26974eb75
SHA1 ac49b337b925a0abc9460b3883a8187489e33397
SHA256 2bf02654cd6f3650e2957301d0e05356065d29ddaa7fffbc56b1bbe18fcd2486
SHA512 36ce44881d2ffe3ce6f3215bfc366f9978a43766004118c5bb7a60f9fc12ff42f0c0ac33be3ca4c8fdb3ccac674c8f6d4f33a131555d36bddfce15db8871b6d3

Filesize 10KB
MD5 348bb60cfda6d09d295c9ba00fdcd54e
SHA1 fd50e99e3d504f4fd8166f85f50d6d43afb8db4e
SHA256 b44fa7ac1197697aa0e5973286d073c5b71dad8b3fbd427884d21cbb0fdfa0fc
SHA512 aec3d190addf038f4aa9ada0bd53f7f010ef668de7b0d75b58e99b7c2d0ea1eb26ca5f4d16ee683a1ebd13a3a127410c3e67d94a385974311a2af755c01173fe

Filesize 10KB
MD5 4c17bb72d66c0ee4f00010fe95cb82f4
SHA1 70603dccc606a0bb997774e20e897220220509f9
SHA256 dcd27dfb94396560b711a166b1d578a11fc5c3732a0bdeb6c532952383123f31
SHA512 726c6e05892c25efeed9a8fb362ecdf43410053d421eecb7490ff914b5dccae8a8b60452fd04106a46ea38df4b092a05b5148e0971ad30671f80d9cc5588c52c