Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 21:54
Static task: static1
General
Target: 3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe
Size: 5.0MB
MD5: 0a2e4134e9a5e9be273cbc3ef6806c1a
SHA1: 0fd6a758672ced565061b287f491dc466e05648d
SHA256: 3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1
SHA512: 72bbdd438a1bff94210e2bf3201e4a73cfd174549d37f5b7282552d112575997ddba8dfeda375d911226a29bc5dd652233a5aa1d5995f91db4c477fc90b34b94
SSDEEP: 98304:QzOlPV2s/MFdw+jEU+tuyfxzSk9s9K0BpZ6w3LSrMczs4W2+tT2X3hJtrn:QzOlPV2LwRtuyZz4BpZz3LSrMcLW2KyZ
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
url_path: /c4becf79229cb002.php
Extracted
lumma
https://drive-connect.cyou/api
https://covery-mover.biz/api
Signatures
Amadey family
Gcleaner family
Lumma family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | cabc97113d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cabc97113d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | cabc97113d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | cabc97113d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | cabc97113d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4M186F.exe
Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid Process | procid_target
PID 1912 created 3432 | 1912 CuKxXX0.exe | 56
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe, 4M186F.exe, 71244d7de4.exe, 1G19z8.exe, 3r02E.exe, 113e82a854.exe, skotes.exe, cabc97113d.exe, skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3r02E.exe, 4M186F.exe, 113e82a854.exe, 1G19z8.exe, skotes.exe, skotes.exe, 71244d7de4.exe, skotes.exe, cabc97113d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1G19z8.exe, 4M186F.exe, 113e82a854.exe, 71244d7de4.exe, cabc97113d.exe, skotes.exe, skotes.exe, 3r02E.exe, skotes.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | CuKxXX0.exe, 054f242f0b.exe, 1G19z8.exe, skotes.exe, 4b3bfcc44e.exe
Executes dropped EXE 28 IoCs
pid Process
464 t2h80.exe
1528 1G19z8.exe
3732 skotes.exe
2836 3r02E.exe
4544 4M186F.exe
1912 CuKxXX0.exe
4664 113e82a854.exe
2364 4b3bfcc44e.exe
3148 988f24bea5.exe
3740 7z.exe
4868 7z.exe
884 7z.exe
916 7z.exe
3640 988f24bea5.exe
2120 988f24bea5.exe
3608 7z.exe
2864 7z.exe
4464 7z.exe
2592 7z.exe
3128 in.exe
4316 054f242f0b.exe
3132 d06343412e.exe
1220 skotes.exe
3632 Intel_PTT_EK_Recertification.exe
220 71244d7de4.exe
5880 cabc97113d.exe
5388 skotes.exe
5612 Intel_PTT_EK_Recertification.exe
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | 1G19z8.exe, 3r02E.exe, 4M186F.exe, 113e82a854.exe, cabc97113d.exe, skotes.exe, skotes.exe, 71244d7de4.exe, skotes.exe
Loads dropped DLL 8 IoCs
pid Process: 3740 7z.exe, 4868 7z.exe, 884 7z.exe, 916 7z.exe, 3608 7z.exe, 2864 7z.exe, 4464 7z.exe, 2592 7z.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4M186F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | cabc97113d.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d06343412e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014540001\\d06343412e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71244d7de4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014541001\\71244d7de4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cabc97113d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014542001\\cabc97113d.exe" | skotes.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | t2h80.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0008000000023cc5-1436.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process: 1528 1G19z8.exe, 3732 skotes.exe, 2836 3r02E.exe, 4544 4M186F.exe, 4664 113e82a854.exe, 1220 skotes.exe, 220 71244d7de4.exe, 5880 cabc97113d.exe, 5388 skotes.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid Process | procid_target
PID 3148 set thread context of 2120 | 3148 988f24bea5.exe | 105
PID 1912 set thread context of 4528 | 1912 CuKxXX0.exe | 128
PID 3632 set thread context of 2640 | 3632 Intel_PTT_EK_Recertification.exe | 136
PID 4528 set thread context of 6208 | 4528 cvtres.exe | 164
PID 5612 set thread context of 5680 | 5612 Intel_PTT_EK_Recertification.exe | 170
resource | yara_rule
behavioral1/files/0x0007000000023ccd-1380.dat | upx
behavioral1/memory/3128-1401-0x00007FF6B70E0000-0x00007FF6B7570000-memory.dmp | upx
behavioral1/memory/3128-1411-0x00007FF6B70E0000-0x00007FF6B7570000-memory.dmp | upx
behavioral1/memory/3632-1469-0x00007FF7060B0000-0x00007FF706540000-memory.dmp | upx
behavioral1/memory/3632-1483-0x00007FF7060B0000-0x00007FF706540000-memory.dmp | upx
behavioral1/memory/5612-4634-0x00007FF740F00000-0x00007FF741390000-memory.dmp | upx
behavioral1/memory/5612-4648-0x00007FF740F00000-0x00007FF741390000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1G19z8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3396 | 4316 | WerFault.exe | 114
6572 | 4664 | WerFault.exe | 92
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | t2h80.exe, taskkill.exe, cmd.exe, taskkill.exe, timeout.exe, cabc97113d.exe, 3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe, skotes.exe, 113e82a854.exe, 4b3bfcc44e.exe, 71244d7de4.exe, taskkill.exe, 4M186F.exe, 988f24bea5.exe, d06343412e.exe, taskkill.exe, taskkill.exe, 1G19z8.exe, 3r02E.exe, 988f24bea5.exe, 054f242f0b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | d06343412e.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | d06343412e.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process: 1952 PING.EXE, 5056 powershell.exe, 4216 PING.EXE, 5728 powershell.exe, 1680 PING.EXE, 1612 powershell.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 054f242f0b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 054f242f0b.exe
Delays execution with timeout.exe 1 IoCs
pid Process: 1020 timeout.exe
Kills process with taskkill 5 IoCs
pid Process: 2720 taskkill.exe, 764 taskkill.exe, 4020 taskkill.exe, 4740 taskkill.exe, 1480 taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings | firefox.exe
Runs ping.exe 1 TTPs 3 IoCs
pid Process: 1680 PING.EXE, 1952 PING.EXE, 4216 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process: 2396 schtasks.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process (45 entries; repeated pid/process pairs collapsed): 1528 1G19z8.exe, 3732 skotes.exe, 2836 3r02E.exe, 4544 4M186F.exe, 4664 113e82a854.exe, 1912 CuKxXX0.exe, 3840 powershell.exe, 1612 powershell.exe, 4316 054f242f0b.exe, 1220 skotes.exe, 3632 Intel_PTT_EK_Recertification.exe, 3132 d06343412e.exe, 220 71244d7de4.exe, 5880 cabc97113d.exe, 4528 cvtres.exe, 5388 skotes.exe, 5612 Intel_PTT_EK_Recertification.exe, 5728 powershell.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
description | pid Process
Token: SeDebugPrivilege | 4544 4M186F.exe
Token: SeDebugPrivilege | 1912 CuKxXX0.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 3740 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 4868 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 884 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 916 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 3608 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 2864 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 4464 7z.exe
Token: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege | 2592 7z.exe
Token: SeDebugPrivilege | 3840 powershell.exe
Token: SeDebugPrivilege | 1612 powershell.exe
Token: SeDebugPrivilege | 1912 CuKxXX0.exe
Token: SeDebugPrivilege | 1480 taskkill.exe
Token: SeLockMemoryPrivilege | 2640 explorer.exe
Token: SeDebugPrivilege | 2720 taskkill.exe
Token: SeDebugPrivilege | 764 taskkill.exe
Token: SeDebugPrivilege | 4020 taskkill.exe
Token: SeDebugPrivilege | 4740 taskkill.exe
Token: SeDebugPrivilege (x2) | 2008 firefox.exe
Token: SeDebugPrivilege | 5880 cabc97113d.exe
Token: SeLockMemoryPrivilege (x2) | 6208 explorer.exe
Token: SeLockMemoryPrivilege | 5680 explorer.exe
Token: SeDebugPrivilege | 5728 powershell.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process (64 entries; repeated pid/process pairs collapsed): 1528 1G19z8.exe, 3132 d06343412e.exe, 2008 firefox.exe, 6208 explorer.exe
Suspicious use of SendNotifyMessage 64 IoCs
pid Process (64 entries; repeated pid/process pairs collapsed): 3132 d06343412e.exe, 2008 firefox.exe, 6208 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process: 2008 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target (64 entries; repeated identical rows collapsed)
PID 5060 wrote to memory of 464 | 5060 3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe | 82
PID 464 wrote to memory of 1528 | 464 t2h80.exe | 83
PID 1528 wrote to memory of 3732 | 1528 1G19z8.exe | 84
PID 464 wrote to memory of 2836 | 464 t2h80.exe | 85
PID 5060 wrote to memory of 4544 | 5060 3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe | 86
PID 3732 wrote to memory of 1912 | 3732 skotes.exe | 91
PID 3732 wrote to memory of 4664 | 3732 skotes.exe | 92
PID 3732 wrote to memory of 2364 | 3732 skotes.exe | 93
PID 3732 wrote to memory of 3148 | 3732 skotes.exe | 95
PID 2364 wrote to memory of 4972 | 2364 4b3bfcc44e.exe | 97
PID 4972 wrote to memory of 2836 | 4972 cmd.exe | 99
PID 4972 wrote to memory of 3740 | 4972 cmd.exe | 100
PID 4972 wrote to memory of 4868 | 4972 cmd.exe | 101
PID 4972 wrote to memory of 884 | 4972 cmd.exe | 102
PID 4972 wrote to memory of 916 | 4972 cmd.exe | 103
PID 3148 wrote to memory of 3640 | 3148 988f24bea5.exe | 104
PID 3148 wrote to memory of 2120 | 3148 988f24bea5.exe | 105
PID 4972 wrote to memory of 3608 | 4972 cmd.exe | 106
PID 4972 wrote to memory of 2864 | 4972 cmd.exe | 107
PID 4972 wrote to memory of 4464 | 4972 cmd.exe | 108
PID 4972 wrote to memory of 2592 | 4972 cmd.exe | 109
PID 1912 wrote to memory of 3840 | 1912 CuKxXX0.exe | 110
PID 4972 wrote to memory of 1572 | 4972 cmd.exe | 112
PID 4972 wrote to memory of 3128 | 4972 cmd.exe | 113
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process: 1896 attrib.exe, 4948 attrib.exe, 1572 attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe"C:\Users\Admin\AppData\Local\Temp\3c05907b4de77c7066eda575ce8070aa96792ccddd148e27468f4f835f1456f1.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2h80.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t2h80.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G19z8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1G19z8.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe"C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3840
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014536001\113e82a854.exe"C:\Users\Admin\AppData\Local\Temp\1014536001\113e82a854.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4664 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 7527⤵
- Program crash
PID:6572
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014537001\4b3bfcc44e.exe"C:\Users\Admin\AppData\Local\Temp\1014537001\4b3bfcc44e.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"7⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\mode.commode 65,108⤵PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3608
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"8⤵
- Views/modifies file attributes
PID:1572
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"8⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:4948
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:1896
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE9⤵
- Scheduled Task/Job: Scheduled Task
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.110⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1952
-
-
-
-
-
-
          C:\Users\Admin\AppData\Local\Temp\1014538001\988f24bea5.exe
          "C:\Users\Admin\AppData\Local\Temp\1014538001\988f24bea5.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:3148

            C:\Users\Admin\AppData\Local\Temp\1014538001\988f24bea5.exe
            "C:\Users\Admin\AppData\Local\Temp\1014538001\988f24bea5.exe"
            - Executes dropped EXE
            PID:3640

            C:\Users\Admin\AppData\Local\Temp\1014538001\988f24bea5.exe
            "C:\Users\Admin\AppData\Local\Temp\1014538001\988f24bea5.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            PID:2120
          C:\Users\Admin\AppData\Local\Temp\1014539001\054f242f0b.exe
          "C:\Users\Admin\AppData\Local\Temp\1014539001\054f242f0b.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          PID:4316

            C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014539001\054f242f0b.exe" & rd /s /q "C:\ProgramData\1D2DTRQIEU37" & exit
            - System Location Discovery: System Language Discovery
            PID:1388

              C:\Windows\SysWOW64\timeout.exe
              timeout /t 10
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
              PID:1020

            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 2140
            - Program crash
            PID:3396
          C:\Users\Admin\AppData\Local\Temp\1014540001\d06343412e.exe
          "C:\Users\Admin\AppData\Local\Temp\1014540001\d06343412e.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID:3132

            C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM firefox.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:1480

            C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM chrome.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:2720

            C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM msedge.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:764

            C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM opera.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4020

            C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM brave.exe /T
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            PID:4740

            C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
            PID:3040

              C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
              - Checks processor information in registry
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of SetWindowsHookEx
              PID:2008

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2068 -parentBuildID 20240401114208 -prefsHandle 1980 -prefMapHandle 1972 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eda0e7c9-e7bc-42a7-8472-1601d9807399} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" gpu
                PID:2552

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2504 -prefMapHandle 2500 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf86533e-a8a8-4690-a344-14cc27c81307} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" socket
                PID:4568

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3284 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5c41903-808e-414e-b886-3ad32c0b6b2e} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab
                PID:4724

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -childID 2 -isForBrowser -prefsHandle 4240 -prefMapHandle 4236 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15b6f61f-cdf4-42b0-aa5c-b3e4bc9e859d} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab
                PID:2428

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de9c494f-34fe-4d78-bc4d-710e29f31696} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" utility
                - Checks processor information in registry
                PID:6700

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d99d8330-95cd-44a0-b134-b1616ba869c7} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab
                PID:5268

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5468 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c43e0c6-3bc6-4f32-996e-d82ed331631f} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab
                PID:5260

                C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5676 -prefMapHandle 5680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1348 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f92f175f-0d82-4b4d-96a2-4ba1d0dc99b2} 2008 "\\.\pipe\gecko-crash-server-pipe.2008" tab
                PID:5396
          C:\Users\Admin\AppData\Local\Temp\1014541001\71244d7de4.exe
          "C:\Users\Admin\AppData\Local\Temp\1014541001\71244d7de4.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID:220
          C:\Users\Admin\AppData\Local\Temp\1014542001\cabc97113d.exe
          "C:\Users\Admin\AppData\Local\Temp\1014542001\cabc97113d.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:5880
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r02E.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3r02E.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:2836
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4M186F.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4M186F.exe
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:4528

    C:\Windows\explorer.exe
    explorer.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:6208
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4316 -ip 4316
PID:1524

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3632

  C:\Windows\explorer.exe
  explorer.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5056

    C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4664 -ip 4664
PID:6548

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5388

C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5612

  C:\Windows\explorer.exe
  explorer.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:5680

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5728

    C:\Windows\system32\PING.EXE
    "C:\Windows\system32\PING.EXE" 127.1.10.1
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1680
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads