Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 22:33
Static task
static1
General
-
Target
38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe
-
Size
3.0MB
-
MD5
5a092b8d63ea7739340befc06c399e8a
-
SHA1
c2fd010bac59febb5704c0c8cc41f08fe9beadbf
-
SHA256
38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6
-
SHA512
0b2a096f1cf4ceb673ea3598db7cbb0f5810dab76df5e5735a5d11144de2ea254c2e46b83deffc72776b6b03068dcb1f9fb02cb8bfa740f8313f7c4cb286f74b
-
SSDEEP
49152:xk86k8R7HD8Xwx98A3iXrzl52cZMZgxbqud+keg1YdkZb:xkxk8RMI98A3iXrzlP6ZabqUYdE
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
xworm
5.0
127.0.0.1:8080
101.99.92.189:8080
d5gQ6Zf7Tzih1Pi1
-
install_file
USB.exe
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://immureprech.biz/api
https://deafeninggeh.biz/api
https://drive-connect.cyou/api
https://effecterectz.xyz/api
https://diffuculttan.xyz/api
https://debonairnukk.xyz/api
https://wrathful-jammy.cyou/api
https://awake-weaves.cyou/api
https://sordid-snaked.cyou/api
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2856-608-0x00000000007C0000-0x00000000007CE000-memory.dmp disable_win_def -
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/memory/2856-43-0x0000000000820000-0x0000000000C96000-memory.dmp family_xworm behavioral1/memory/2856-44-0x0000000000820000-0x0000000000C96000-memory.dmp family_xworm -
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 284cf25c5c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 284cf25c5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 284cf25c5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 284cf25c5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 284cf25c5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 284cf25c5c.exe -
Stealc family
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 284cf25c5c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4158305d71.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9feskIx.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 116a75d363.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9feskIx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9feskIx.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 284cf25c5c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 284cf25c5c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4158305d71.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 116a75d363.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 116a75d363.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4158305d71.exe -
Executes dropped EXE 23 IoCs
pid Process 2792 skotes.exe 2856 9feskIx.exe 2872 jd5fvXs.exe 1004 IGEaNGi.exe 2344 IGEaNGi.exe 1700 294caa6a68.exe 2124 294caa6a68.exe 2916 M5iFR20.exe 1952 IGEaNGi.exe 1644 IGEaNGi.exe 2404 80454ff6ad.exe 2044 b2d485e49a.exe 1096 116a75d363.exe 296 284cf25c5c.exe 3248 TdDkUco.exe 4084 4158305d71.exe 3444 pcrndBC.exe 3740 eff37d33b5.exe 3876 eff37d33b5.exe 3892 eff37d33b5.exe 3092 tmetlc.exe 3768 tmetlc.exe 4048 wxwqwu.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 9feskIx.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 116a75d363.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 284cf25c5c.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 4158305d71.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe -
Loads dropped DLL 38 IoCs
pid Process 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 1004 IGEaNGi.exe 2792 skotes.exe 2792 skotes.exe 1700 294caa6a68.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 1952 IGEaNGi.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 2792 skotes.exe 3740 eff37d33b5.exe 3740 eff37d33b5.exe 4084 4158305d71.exe 2856 9feskIx.exe 3092 tmetlc.exe 3768 tmetlc.exe 2856 9feskIx.exe 1216 Process not Found 1216 Process not Found -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 284cf25c5c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 284cf25c5c.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\284cf25c5c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014320001\\284cf25c5c.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\b2d485e49a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014318001\\b2d485e49a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\116a75d363.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014319001\\116a75d363.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000b000000019319-324.dat autoit_exe behavioral1/files/0x0005000000019433-394.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 2792 skotes.exe 2856 9feskIx.exe 1096 116a75d363.exe 296 284cf25c5c.exe 4084 4158305d71.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 1004 set thread context of 2344 1004 IGEaNGi.exe 38 PID 1700 set thread context of 2124 1700 294caa6a68.exe 44 PID 1952 set thread context of 1644 1952 IGEaNGi.exe 48 PID 3740 set thread context of 3892 3740 eff37d33b5.exe 82 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage b2d485e49a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 116a75d363.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IGEaNGi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IGEaNGi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language M5iFR20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eff37d33b5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 294caa6a68.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80454ff6ad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eff37d33b5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jd5fvXs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b2d485e49a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language b2d485e49a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TdDkUco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4158305d71.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9feskIx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pcrndBC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IGEaNGi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 294caa6a68.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IGEaNGi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284cf25c5c.exe -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString jd5fvXs.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 pcrndBC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString pcrndBC.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 jd5fvXs.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 TdDkUco.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString TdDkUco.exe -
Delays execution with timeout.exe 3 IoCs
pid Process 1820 timeout.exe 2548 timeout.exe 2212 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 2504 taskkill.exe 2732 taskkill.exe 2536 taskkill.exe 1716 taskkill.exe 2820 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 jd5fvXs.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a jd5fvXs.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a jd5fvXs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 IGEaNGi.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a IGEaNGi.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2856 9feskIx.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 2792 skotes.exe 2856 9feskIx.exe 2872 jd5fvXs.exe 2856 9feskIx.exe 2044 b2d485e49a.exe 1096 116a75d363.exe 2044 b2d485e49a.exe 296 284cf25c5c.exe 296 284cf25c5c.exe 296 284cf25c5c.exe 3248 TdDkUco.exe 3248 TdDkUco.exe 4084 4158305d71.exe 4084 4158305d71.exe 3444 pcrndBC.exe 3444 pcrndBC.exe 2856 9feskIx.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 2856 9feskIx.exe Token: SeDebugPrivilege 2504 taskkill.exe Token: SeDebugPrivilege 2732 taskkill.exe Token: SeDebugPrivilege 2536 taskkill.exe Token: SeDebugPrivilege 1716 taskkill.exe Token: SeDebugPrivilege 2820 taskkill.exe Token: SeDebugPrivilege 1560 firefox.exe Token: SeDebugPrivilege 1560 firefox.exe Token: SeDebugPrivilege 296 284cf25c5c.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 2916 M5iFR20.exe 2916 M5iFR20.exe 2916 M5iFR20.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 1560 firefox.exe 1560 firefox.exe 1560 firefox.exe 1560 firefox.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 2916 M5iFR20.exe 2916 M5iFR20.exe 2916 M5iFR20.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe 1560 firefox.exe 1560 firefox.exe 1560 firefox.exe 2044 b2d485e49a.exe 2044 b2d485e49a.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2856 9feskIx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2488 wrote to memory of 2792 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 31 PID 2488 wrote to memory of 2792 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 31 PID 2488 wrote to memory of 2792 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 31 PID 2488 wrote to memory of 2792 2488 38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe 31 PID 2792 wrote to memory of 2856 2792 skotes.exe 33 PID 2792 wrote to memory of 2856 2792 skotes.exe 33 PID 2792 wrote to memory of 2856 2792 skotes.exe 33 PID 2792 wrote to memory of 2856 2792 skotes.exe 33 PID 2792 wrote to memory of 2872 2792 skotes.exe 34 PID 2792 wrote to memory of 2872 2792 skotes.exe 34 PID 2792 wrote to memory of 2872 2792 skotes.exe 34 PID 2792 wrote to memory of 2872 2792 skotes.exe 34 PID 2792 wrote to memory of 1004 2792 skotes.exe 35 PID 2792 wrote to memory of 1004 2792 skotes.exe 35 PID 2792 wrote to memory of 1004 2792 skotes.exe 35 PID 2792 wrote to memory of 1004 2792 skotes.exe 35 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 1004 wrote to memory of 2344 1004 IGEaNGi.exe 38 PID 2792 wrote to memory of 1700 2792 skotes.exe 39 PID 2792 wrote to memory of 1700 2792 skotes.exe 39 PID 2792 wrote to memory of 1700 2792 skotes.exe 39 PID 2792 wrote to memory of 1700 2792 skotes.exe 39 PID 2872 wrote to memory of 2024 2872 jd5fvXs.exe 41 PID 2872 wrote to memory of 2024 2872 jd5fvXs.exe 41 PID 2872 wrote to memory of 2024 2872 jd5fvXs.exe 41 PID 2872 wrote to memory of 2024 2872 jd5fvXs.exe 41 PID 2024 wrote to memory of 1820 2024 cmd.exe 43 PID 2024 wrote to memory of 1820 2024 cmd.exe 43 PID 2024 wrote to memory of 1820 2024 cmd.exe 43 PID 2024 wrote to memory of 1820 2024 cmd.exe 43 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 1700 wrote to memory of 2124 1700 294caa6a68.exe 44 PID 2792 wrote to memory of 2916 2792 skotes.exe 45 PID 2792 wrote to memory of 2916 2792 skotes.exe 45 PID 2792 wrote to memory of 2916 2792 skotes.exe 45 PID 2792 wrote to memory of 2916 2792 skotes.exe 45 PID 2792 wrote to memory of 1952 2792 skotes.exe 46 PID 2792 wrote to memory of 1952 2792 skotes.exe 46 PID 2792 wrote to memory of 1952 2792 skotes.exe 46 PID 2792 wrote to memory of 1952 2792 skotes.exe 46 PID 1952 wrote to memory of 1644 1952 IGEaNGi.exe 48 PID 1952 wrote to memory of 1644 1952 IGEaNGi.exe 48 PID 1952 wrote to memory of 1644 1952 IGEaNGi.exe 48 PID 1952 wrote to memory of 1644 1952 IGEaNGi.exe 48 PID 1952 wrote to memory of 1644 1952 IGEaNGi.exe 48 PID 1952 wrote to memory of 1644 1952 IGEaNGi.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe"C:\Users\Admin\AppData\Local\Temp\38cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe"C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\tmetlc.exe"C:\Users\Admin\AppData\Local\Temp\tmetlc.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\tmetlc.exe"C:\Users\Admin\AppData\Local\Temp\tmetlc.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3768
-
-
-
C:\Users\Admin\AppData\Local\Temp\wxwqwu.exe"C:\Users\Admin\AppData\Local\Temp\wxwqwu.exe"4⤵
- Executes dropped EXE
PID:4048
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013967001\jd5fvXs.exe"C:\Users\Admin\AppData\Local\Temp\1013967001\jd5fvXs.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013967001\jd5fvXs.exe" & rd /s /q "C:\ProgramData\EKXT2N7YCBIM" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1820
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"C:\Users\Admin\AppData\Local\Temp\1014031001\IGEaNGi.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2344
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014060001\294caa6a68.exe"C:\Users\Admin\AppData\Local\Temp\1014060001\294caa6a68.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\1014060001\294caa6a68.exe"C:\Users\Admin\AppData\Local\Temp\1014060001\294caa6a68.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe"C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2916
-
-
C:\Users\Admin\AppData\Local\Temp\1014305001\IGEaNGi.exe"C:\Users\Admin\AppData\Local\Temp\1014305001\IGEaNGi.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\1014305001\IGEaNGi.exe"C:\Users\Admin\AppData\Local\Temp\1014305001\IGEaNGi.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1644
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014317001\80454ff6ad.exe"C:\Users\Admin\AppData\Local\Temp\1014317001\80454ff6ad.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404
-
-
C:\Users\Admin\AppData\Local\Temp\1014318001\b2d485e49a.exe"C:\Users\Admin\AppData\Local\Temp\1014318001\b2d485e49a.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2044 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2504
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2732
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:1032
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1560 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.0.844704299\1718503753" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1080 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {272548e9-453e-4e41-9133-947965ac1de7} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 1320 f5d7d58 gpu6⤵PID:3000
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.1.493332762\952183418" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7347702-16ae-440a-869b-8a2563d903e4} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 1552 f3f4258 socket6⤵PID:112
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.2.91669516\443777518" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2016 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8e7cef1-3c93-41ea-b31e-db6804a3dfdb} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2072 1997fb58 tab6⤵PID:1296
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.3.1680255940\1435254114" -childID 2 -isForBrowser -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 21787 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2dc05c5-48ca-48e1-95f4-92ec1ab771be} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2328 1b2f3758 tab6⤵PID:2684
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1560.4.1153609274\1988824320" -childID 3 -isForBrowser -prefsHandle 700 -prefMapHandle 520 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 756 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2171197d-0fdd-43bd-b229-ad35f5cef491} 1560 "\\.\pipe\gecko-crash-server-pipe.1560" 2716 1c909258 tab6⤵PID:2748
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014319001\116a75d363.exe"C:\Users\Admin\AppData\Local\Temp\1014319001\116a75d363.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1096
-
-
C:\Users\Admin\AppData\Local\Temp\1014320001\284cf25c5c.exe"C:\Users\Admin\AppData\Local\Temp\1014320001\284cf25c5c.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296
-
-
C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe"C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3248 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014321001\TdDkUco.exe" & rd /s /q "C:\ProgramData\3WTR1VKF37QI" & exit4⤵
- System Location Discovery: System Language Discovery
PID:3260 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2548
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014322001\4158305d71.exe"C:\Users\Admin\AppData\Local\Temp\1014322001\4158305d71.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4084
-
-
C:\Users\Admin\AppData\Local\Temp\1014323001\pcrndBC.exe"C:\Users\Admin\AppData\Local\Temp\1014323001\pcrndBC.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3444 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014323001\pcrndBC.exe" & rd /s /q "C:\ProgramData\QIMYUKNY5XBI" & exit4⤵
- System Location Discovery: System Language Discovery
PID:3396 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2212
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014324001\eff37d33b5.exe"C:\Users\Admin\AppData\Local\Temp\1014324001\eff37d33b5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\1014324001\eff37d33b5.exe"C:\Users\Admin\AppData\Local\Temp\1014324001\eff37d33b5.exe"4⤵
- Executes dropped EXE
PID:3876
-
-
C:\Users\Admin\AppData\Local\Temp\1014324001\eff37d33b5.exe"C:\Users\Admin\AppData\Local\Temp\1014324001\eff37d33b5.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3892
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e97317c24402b584e31b122dd0ab6c04
SHA1cf11a2a5d05570ce535cc9b4953e4f707811b886
SHA2567ea9bbae8be6cff073ac3742606407b1bbfa73f5a953d05e1f5122b6050d9bfe
SHA5120b89bd323ee99686ee7087fb7c6c4a672c9c3229192a1bede000435feaeaa9e7de21fa7a4be74a3d104701952a01738b6e5bfe81e7f223761a600b846c27bd6d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5dad600e55d517bab95b8d5fca313417b
SHA17a14f716d540d12509342777192f7433355e4242
SHA256c77efbb53c5c6c6c11796c8b60caa9bc39fccbdb2ee9cab522810cc93e5c0bf0
SHA512fdf4e8c62ae42b0c0eebe955c70cedc00bb920c9cf08baccd507f340ddd6bfb67330b082594930f8f95fd736c21dd90ac77eff574b379930c3437d4bc7047639
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD571dc4dd0079bbd422428a912560e64c0
SHA1e942528a094a968988681354e8586e6aef9fe883
SHA2569ddc5ad7778a1594f843072a57eb2bbee21c417f08f51ba87deeb64507969769
SHA512984cb5e5c74254909c4d351ec4278968e72ee87da41d72bc6ea9c3c7df4ead9a5b444336ca6fa88ccfe4c6961cc66dc96abe404b7f5363816c44e39cc9fe96d7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\76561199807592927[1].htm
Filesize34KB
MD541fc7e8f89cc8ff913ff23e78bae041f
SHA18830e5e8203f9457fd321c3dbe51d11e0d81f870
SHA2564c5358e6500f6b9926a35587a45f6aceff4d7e723a331bbd4af0aaf0f5f37af8
SHA512e7bb5e40b1f288d89805b1e7cbba9cb208b6a5291285413b37a950371465efd1b4836620239c8d2b17d5eb52b82b91061032395e0cbe80933d4c86e8c05c857d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\76561199807592927[1].htm
Filesize34KB
MD593832fcd96333009a4e65c3c598ee5c5
SHA1a63bae964f9e200e0c8ce6424e88ed013741b3d1
SHA2566c7b7016f06faf01a76fa3826617ebb78d84cc9e6d780e7dced17c67c8d56ef0
SHA51215dc2c438e4bc1fb1b8ecea805514f436ae7dd20b2895fd1047304bc338a3b97cf541591a885ebb6b82466c192c4965703b8560f4d53de92c4f7cf9972e6e72f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
Filesize28KB
MD51f960ec6b982abc37f31e19d6cbd2099
SHA16d61ea7137944d45795ffa4efb7fb57a13e6732c
SHA256017d47f0c5c60e73eddbb93a6783cd9fd437883b3bfe9d08c5d1d051871ef1b6
SHA5120e8e09807b4cfb7957edeb490bdda47c0c7fdf75a9a8086d572c62740bad07df233df9f22c0d5a215446b5c9517feee4287554ab617049e0cf0da1efd0f2db6c
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD558f824a8f6a71da8e9a1acc97fc26d52
SHA1b0e199e6f85626edebbecd13609a011cf953df69
SHA2565e5b808ed64c4f40e07a4894e1da294e364383f0a51adb7ec8c7568afba3eb17
SHA5127d6c752369ea83bad34873d8603c413e9372ff66adcaad11e7f23d3ce85827e057444b30eadf927329191825aef4dc37a1e68c30b71fae4ce6f53708102fb461
-
Filesize
382KB
MD583b8507f0961cc5fd4a39d1def4dad1c
SHA17f97044ffbc10454d94fc6db868ae4071f7a5d46
SHA256d8405be5cc0b5273433b62e2af31c18fa688fd5f0d2e11f8ff41a064fa917a09
SHA512f5c65cd2590f971e2076b7687e60253ae333b85a882ad089fa3a097fdf9bbab9e359b4f2b6e0f18f36fd64dc905a89aca41a15b82752c8a4357f121f331e99f9
-
Filesize
419KB
MD5ec5e3bc0d1d207a45d0f7e27e8f111c7
SHA12de3cb791c7e3aa0826c59b2f85fdb4335d9b84f
SHA2564d0126ee20144c065da90de50807354877e8015c020a99a1d3f7cf3e051b5817
SHA512cb660188329b067b69dc0e7d291b9fe545688c79ce9b0f117a63d0596e6a27f8cd7a1b199abc6f07284077213ac2a42ce0ad18376824fabbdd4437a5e10b5a34
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
898KB
MD55950611ed70f90b758610609e2aee8e6
SHA1798588341c108850c79da309be33495faf2f3246
SHA2565270c4c6881b7d3ebaea8f51c410bba8689acb67c34f20440527a5f15f3bc1e4
SHA5127e51c458a9a2440c778361eb19f0c13ea4de75b2cf54a5828f6230419fbf52c4702be4f0784e7984367d67fabf038018e264e030e4a4c7dac7ba93e5c1395b80
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
950KB
MD55a30131ff609593aba81d808f59a4a11
SHA11217671bcfd98434f4beac6406e0ae7f1f13c890
SHA256f1b8f480e3d3b92a659b6c87a181a99b17e726c3e138af3f7d0717a8e285a892
SHA512eab7bdaaaa7ac911b3180f6e879eed913356a7675422685d6f1ac71828e8ef53299cbe71644e10a9151a330e1a6ba2c7ed236bada34c02470f801253d305caf3
-
Filesize
1.7MB
MD5fa8bc0aa526b9961adf9260dc7ec9399
SHA1044527ce83eb090a0c1ec2cdaddedc5f5405bf2d
SHA2561722fc2ecb85459ab3e76adc12f5c29d3e3ee2b4b18dd48c5ef0e5d79b77330e
SHA5122f0244f7f3cf90b0dd1e5d04db4e4d443a16e7779bf791dc68ed54f6d734e1d620193967e96ee881b03e5b6ef6a8609efdb890f5345db340d94fe70c2807c31b
-
Filesize
2.7MB
MD5f150e060b781896b4e6e1029ee1f5b74
SHA1ef52c884174df898a956d9a40304e586e2382e2d
SHA2560316ba41b0629155197d29677225f77581c470a5f91aea8dd6a38850cd510516
SHA51240dc0453b3feece1d0ad5ed8de9cfd45465347190c1031791c6a035dc0e74bd842fa21e56b86feebe89892dfbd8bcdbf8d44bc658c0afcfb6deb6d0b5e18c18f
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
1.8MB
MD5e72fd16086a8ecf58337b89509435373
SHA18352b01f92cdfa8e5c932513e2ef6363a6a5871c
SHA2561e76927aa56820767353dd841c3f309f91eb10decead250755a984791efad821
SHA5123cb26d20b5138ebcdef1adaea9b8fa0bfc7b56862c3ac5b7500a419a6836e3e2656aab697f6459131b0d8672123411dc60d1e15d7c745aa881580ec5c6d3c841
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4B
MD5365c9bfeb7d89244f2ce01c1de44cb85
SHA1d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5f832d9c7b07fa0744c5417575128e531
SHA166f2a89b8cb5b564611cca5d8d11c0fd5a3b73c7
SHA2562b8105259008d4633be4556cdff33188a9d3a200e342e6f7e0f88b7a4171bea2
SHA51289aaa15b838a6b21a51726aa04ac8a5302a2600c1f17fe335063588e4d80269c17d435481b6ef4528268af289ad764a428466bb46372301181854c1a5fa09efe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\acf050b8-72bf-40f2-a79d-4c3aafffc1ba
Filesize10KB
MD5efce581c815270b3ea391a062ab1655e
SHA19231296bcbd16606c0e4b7ce4fe15d0dcc4a35ce
SHA25661115dbbd90a9eb0fb907fb275d18517344a7266104f2419cbc5918754b884a9
SHA5120486e781767237e5d3c23011c909310081a75840e4784dc388ddedca463efecbc43e3aeb166da15eb69fd5b8ee8dbbdab00397f586edbb3ced6bae33a36e768d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\bb382d5e-9059-4819-82f2-97afab41ac19
Filesize745B
MD5c86d3080791b0161c3010e2ad3f680b7
SHA17f406e848251776042f14aef0ee05916dcff5644
SHA25655b2557bdd475aed7d872dc5ab4d7aa19d435e69b8cd45691e4f6cf1e8a95591
SHA51288cce668e81049bdc724f10391ef57cad7d255d54fd9e9f4541dc4e5db820257bac7ca7ad7a9aaad694a090e7fe2751fcb06c59a6739427099ba900ab34e5f0b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5cb9eab6a4da45c5f5e690c9e6c2cff98
SHA1b7e050583d7d8f6b6d50fa42afa984d23bb4df6d
SHA256217b2ec64f77be04db47ed6237156496e8b738c2a35208643d91123e3c0ed5d1
SHA51262b2686188ed68d4fa9791f4c57956f251ce846f5fa1d7bfe1ddb069a37274cd7a5aeb9026cb0c6216336ca6dbc5d241c289c6d8dea325d6b6dac1a07ebf9156
-
Filesize
7KB
MD50375788ceef6632fb6cf3c868a4be642
SHA117e34decb81b40a8e46da65c4823da7f95fcd63c
SHA256d2bf45570253394373452813107106fd19bb99dd49c0d67ba46359e2f8589b4c
SHA5122e7fbd087c28871cdfe9b549c666c37fd0baf3d441fb6734a52ed04c5eacc281d0a9b770f3e8945587e540767c1848289ec932af1c0ec478ea4c72716945c436
-
Filesize
6KB
MD5f64f470b2ccae44af83e03f8f6aac63a
SHA1b4308d2e2caeaed50d3f3e5341609e38a224b3d4
SHA256a81a2ce230ca4566593d947ce0a83e0fc1a9ae7470cb9d4fe04dc3b7185fbc5b
SHA512373b88ffb6482e14747e61db5761499b2d93d8f9a7d381d3724b07d4235d56d519b717cbb926f0b650b56aab8f0e01934d50754e1ffab20c891b47ba356876f4
-
Filesize
6KB
MD5565c0c4e701775fa9b593866200f2efb
SHA1f09685affc9fd3735f88f6248de9f90c4d22b8a1
SHA256a9164a1e2ea4a95c7ef6548da57b010f6d670e32b0887022626aa229c458d42a
SHA512e5a966c085b1027e2e46edeae2d8d68e62bd3be26576d2337b819a4d700e55e46c5bfe5a1b09f803b843b466f738605979bfc2562f1f4ab0595a9a563818e09d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5ef03a590bd85688edc5bce6168388d36
SHA1a43e5ac670406871f461ca45282731ce2bbc0edc
SHA256b984622c316ac8cdc89d8f0b8a4cd5041347216c61969768f1a74dd18ac855f4
SHA512ea651cccd2ca0d43adf64252b69e790325f70204bf085ccfd6eaa48ad771dd98108cbe097582514376ff7063d25105ce69c4287403de09ab4ec7f1ed6cc6837a
-
Filesize
3.0MB
MD55a092b8d63ea7739340befc06c399e8a
SHA1c2fd010bac59febb5704c0c8cc41f08fe9beadbf
SHA25638cd832a56d44f40b63de9d8638c87d03ba2640d5e3177a7b91a6270428ed4b6
SHA5120b2a096f1cf4ceb673ea3598db7cbb0f5810dab76df5e5735a5d11144de2ea254c2e46b83deffc72776b6b03068dcb1f9fb02cb8bfa740f8313f7c4cb286f74b