Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 22:49
Static task
static1
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
3197aa29fd7d023f4483200e06a95d7a
-
SHA1
62cd61a0004ef666d0d6427c42c8a6ec7b30617c
-
SHA256
ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a
-
SHA512
7379939f14ce763a9726638f6b694e0a84dbc80a2128db6e58224e2db432ad242cfc04e2576ffd462e1c75836141310cfd0ac751245061170d041b211e528637
-
SSDEEP
49152:of5+2z7fYXSXFA0R8kTiglrFF852feG2ezYVW5es:o5fYXSXm0RbTiglv852XZzeW5e
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://drive-connect.cyou/api
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 25f634d9be.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 25f634d9be.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 25f634d9be.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 25f634d9be.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 25f634d9be.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 25f634d9be.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9ef3181754.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ bb87577ae6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 25f634d9be.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2328 powershell.exe 2544 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion bb87577ae6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 25f634d9be.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9ef3181754.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9ef3181754.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion bb87577ae6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 25f634d9be.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindosCPUsystem.vbs CuKxXX0.exe -
Executes dropped EXE 27 IoCs
pid Process 2724 skotes.exe 1704 W4KLQf7.exe 2776 dwVrTdy.exe 2280 AzVRM7c.exe 2028 graph.exe 2452 t5abhIx.exe 1492 graph.exe 1712 CuKxXX0.exe 2580 9ef3181754.exe 1560 6d5d5922b5.exe 1008 7z.exe 2248 7z.exe 2852 7z.exe 1144 7z.exe 1256 7z.exe 380 7z.exe 2552 7z.exe 1768 7z.exe 760 1bccb831cb.exe 2776 in.exe 2944 1bccb831cb.exe 2032 1bccb831cb.exe 1640 c2474be541.exe 1976 bb87577ae6.exe 4088 25f634d9be.exe 3764 3fd0c2c94d.exe 3716 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 9ef3181754.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine bb87577ae6.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 25f634d9be.exe -
Loads dropped DLL 48 IoCs
pid Process 3000 file.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2776 dwVrTdy.exe 2724 skotes.exe 2280 AzVRM7c.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2532 cmd.exe 1008 7z.exe 2532 cmd.exe 2248 7z.exe 2532 cmd.exe 2852 7z.exe 2532 cmd.exe 1144 7z.exe 2532 cmd.exe 1256 7z.exe 2532 cmd.exe 380 7z.exe 2532 cmd.exe 2552 7z.exe 2532 cmd.exe 1768 7z.exe 2724 skotes.exe 2724 skotes.exe 2532 cmd.exe 2532 cmd.exe 760 1bccb831cb.exe 760 1bccb831cb.exe 2256 WerFault.exe 2256 WerFault.exe 2256 WerFault.exe 2256 WerFault.exe 2724 skotes.exe 2256 WerFault.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2724 skotes.exe 2580 9ef3181754.exe 2360 taskeng.exe 2360 taskeng.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 25f634d9be.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 25f634d9be.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\25f634d9be.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014555001\\25f634d9be.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" dwVrTdy.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" AzVRM7c.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\c2474be541.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014553001\\c2474be541.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\bb87577ae6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014554001\\bb87577ae6.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 7 drive.google.com 8 drive.google.com 18 drive.google.com -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 ipinfo.io 21 ipinfo.io 32 ipinfo.io 33 ipinfo.io -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000400000000f867-1537.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 3000 file.exe 2724 skotes.exe 2580 9ef3181754.exe 1976 bb87577ae6.exe 4088 25f634d9be.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 760 set thread context of 2032 760 1bccb831cb.exe 75 PID 3716 set thread context of 3796 3716 Intel_PTT_EK_Recertification.exe 116 -
resource yara_rule behavioral1/memory/2776-1493-0x000000013FE60000-0x00000001402F0000-memory.dmp upx behavioral1/memory/2360-2597-0x000000013FC50000-0x00000001400E0000-memory.dmp upx behavioral1/memory/3716-2599-0x000000013FC50000-0x00000001400E0000-memory.dmp upx behavioral1/memory/3716-2610-0x000000013FC50000-0x00000001400E0000-memory.dmp upx -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f AzVRM7c.exe File created C:\Program Files\Windows Media Player\graph\graph.exe dwVrTdy.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip dwVrTdy.exe File opened for modification C:\Program Files\Windows Media Player\graph\graph.exe t5abhIx.exe File created C:\Program Files\Windows Media Player\graph\graph.exe AzVRM7c.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip AzVRM7c.exe File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip AzVRM7c.exe File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f dwVrTdy.exe File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip dwVrTdy.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f dwVrTdy.exe File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f AzVRM7c.exe File opened for modification C:\Program Files\Windows Media Player\graph t5abhIx.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bccb831cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language c2474be541.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language systeminfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bb87577ae6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language W4KLQf7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c2474be541.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage c2474be541.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 25f634d9be.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fd0c2c94d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ef3181754.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6d5d5922b5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bccb831cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2104 PING.EXE 4008 powershell.exe 2408 PING.EXE 2364 powershell.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3fd0c2c94d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3fd0c2c94d.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4092 timeout.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2716 ipconfig.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 2896 systeminfo.exe -
Kills process with taskkill 5 IoCs
pid Process 2928 taskkill.exe 2944 taskkill.exe 2496 taskkill.exe 1016 taskkill.exe 2692 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C524BC1-B8DB-11EF-86C1-D60C98DC526F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f73443e84cdb01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e647b6a0a13c6b46ad50c566249f6c2300000000020000000000106600000001000020000000aaff3be7a9be3e4154581ed4f88284f0d25f9fd385a2cf8df50f96eb76d48404000000000e800000000200002000000012af3c9444c3c100ac390b20d3c63535ae633924856cc1e263e8fbad83a717d62000000006a77fe04b0e20762ccab73f36359c3f65f46a093de4c0b06e3816ad4e2c30c140000000140c065e6c2052fcc1433afc7d5e41f778f8f44493f4fa425d8aa11cae0ab04f3b565c90c996fab260bd524dc953cb9cf21eef9e29b5b0f8b01281e5de16cbb4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e647b6a0a13c6b46ad50c566249f6c2300000000020000000000106600000001000020000000cb8648c07d3df10af440f40f1ea4ecc25e9cbb3397e060b3669e73c89319f33d000000000e8000000002000020000000ca680a632c1381ce39733ae8b8b8e60c634b69e2d009e45572bf110a8fa2c06e90000000384269c510c94a76ebbeb7dc6c271a0682cd8b2fef2a7ccfa4b94370a64607e1b480f78ef8fcc1827f4643bf9b8cae514bb0d5d49744d7c74fa029752d3dafea2d62c05f2054eb8850b07b08b37269d04e1f50301af04174af18e17563d54ed64adca2482c5deba5bdd6ff3cd2213ee30b609078a16fb275d52266818991f8336174fd0e95a5bc71c32f3e2644a55a504000000096eae90b76f51fded08de9389f6787d0d864c34634a5738388b540622f9ea4fbd4f8f0cf88fd1bb5a9122ebe8b83db1d327d2a152695a89b73dce1e599c056bd iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440205670" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 dwVrTdy.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 dwVrTdy.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 3fd0c2c94d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 3fd0c2c94d.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2104 PING.EXE 2408 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2716 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3000 file.exe 2724 skotes.exe 2776 dwVrTdy.exe 2776 dwVrTdy.exe 2776 dwVrTdy.exe 2280 AzVRM7c.exe 2280 AzVRM7c.exe 2280 AzVRM7c.exe 2028 graph.exe 2028 graph.exe 2452 t5abhIx.exe 2452 t5abhIx.exe 2452 t5abhIx.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 2580 9ef3181754.exe 1492 graph.exe 1712 CuKxXX0.exe 1712 CuKxXX0.exe 1712 CuKxXX0.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 1492 graph.exe 2476 powershell.exe 1492 graph.exe 1492 graph.exe 2364 powershell.exe 1492 graph.exe 1492 graph.exe 1712 CuKxXX0.exe 1712 CuKxXX0.exe 2544 powershell.exe 1492 graph.exe 2328 powershell.exe 1492 graph.exe 1704 W4KLQf7.exe 1704 W4KLQf7.exe 1492 graph.exe 1640 c2474be541.exe 1704 W4KLQf7.exe 1704 W4KLQf7.exe 1704 W4KLQf7.exe 1704 W4KLQf7.exe 1492 graph.exe 1976 bb87577ae6.exe 1492 graph.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 1712 CuKxXX0.exe Token: SeDebugPrivilege 2476 powershell.exe Token: SeRestorePrivilege 1008 7z.exe Token: 35 1008 7z.exe Token: SeSecurityPrivilege 1008 7z.exe Token: SeSecurityPrivilege 1008 7z.exe Token: SeRestorePrivilege 2248 7z.exe Token: 35 2248 7z.exe Token: SeSecurityPrivilege 2248 7z.exe Token: SeSecurityPrivilege 2248 7z.exe Token: SeRestorePrivilege 2852 7z.exe Token: 35 2852 7z.exe Token: SeSecurityPrivilege 2852 7z.exe Token: SeSecurityPrivilege 2852 7z.exe Token: SeRestorePrivilege 1144 7z.exe Token: 35 1144 7z.exe Token: SeSecurityPrivilege 1144 7z.exe Token: SeSecurityPrivilege 1144 7z.exe Token: SeRestorePrivilege 1256 7z.exe Token: 35 1256 7z.exe Token: SeSecurityPrivilege 1256 7z.exe Token: SeSecurityPrivilege 1256 7z.exe Token: SeRestorePrivilege 380 7z.exe Token: 35 380 7z.exe Token: SeSecurityPrivilege 380 7z.exe Token: SeSecurityPrivilege 380 7z.exe Token: SeRestorePrivilege 2552 7z.exe Token: 35 2552 7z.exe Token: SeSecurityPrivilege 2552 7z.exe Token: SeSecurityPrivilege 2552 7z.exe Token: SeRestorePrivilege 1768 7z.exe Token: 35 1768 7z.exe Token: SeSecurityPrivilege 1768 7z.exe Token: SeSecurityPrivilege 1768 7z.exe Token: SeDebugPrivilege 2364 powershell.exe Token: SeDebugPrivilege 1712 CuKxXX0.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeDebugPrivilege 2328 powershell.exe Token: SeDebugPrivilege 2928 taskkill.exe Token: SeDebugPrivilege 2944 taskkill.exe Token: SeDebugPrivilege 2496 taskkill.exe Token: SeDebugPrivilege 1016 taskkill.exe Token: SeDebugPrivilege 2692 taskkill.exe Token: SeDebugPrivilege 2932 firefox.exe Token: SeDebugPrivilege 2932 firefox.exe Token: SeDebugPrivilege 4088 25f634d9be.exe Token: SeDebugPrivilege 4008 powershell.exe Token: SeLockMemoryPrivilege 3796 explorer.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 3000 file.exe 1640 c2474be541.exe 1640 c2474be541.exe 2316 iexplore.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 2932 firefox.exe 2932 firefox.exe 2932 firefox.exe 2932 firefox.exe 1640 c2474be541.exe 1640 c2474be541.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 1640 c2474be541.exe 2932 firefox.exe 2932 firefox.exe 2932 firefox.exe 1640 c2474be541.exe 1640 c2474be541.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2316 iexplore.exe 2316 iexplore.exe 1980 IEXPLORE.EXE 1980 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 2724 3000 file.exe 30 PID 3000 wrote to memory of 2724 3000 file.exe 30 PID 3000 wrote to memory of 2724 3000 file.exe 30 PID 3000 wrote to memory of 2724 3000 file.exe 30 PID 2724 wrote to memory of 1704 2724 skotes.exe 33 PID 2724 wrote to memory of 1704 2724 skotes.exe 33 PID 2724 wrote to memory of 1704 2724 skotes.exe 33 PID 2724 wrote to memory of 1704 2724 skotes.exe 33 PID 2724 wrote to memory of 2776 2724 skotes.exe 34 PID 2724 wrote to memory of 2776 2724 skotes.exe 34 PID 2724 wrote to memory of 2776 2724 skotes.exe 34 PID 2724 wrote to memory of 2776 2724 skotes.exe 34 PID 2724 wrote to memory of 2280 2724 skotes.exe 35 PID 2724 wrote to memory of 2280 2724 skotes.exe 35 PID 2724 wrote to memory of 2280 2724 skotes.exe 35 PID 2724 wrote to memory of 2280 2724 skotes.exe 35 PID 2776 wrote to memory of 2028 2776 dwVrTdy.exe 37 PID 2776 wrote to memory of 2028 2776 dwVrTdy.exe 37 PID 2776 wrote to memory of 2028 2776 dwVrTdy.exe 37 PID 2724 wrote to memory of 2452 2724 skotes.exe 38 PID 2724 wrote to memory of 2452 2724 skotes.exe 38 PID 2724 wrote to memory of 2452 2724 skotes.exe 38 PID 2724 wrote to memory of 2452 2724 skotes.exe 38 PID 2280 wrote to memory of 1492 2280 AzVRM7c.exe 39 PID 2280 wrote to memory of 1492 2280 AzVRM7c.exe 39 PID 2280 wrote to memory of 1492 2280 AzVRM7c.exe 39 PID 2724 wrote to memory of 1712 2724 skotes.exe 40 PID 2724 wrote to memory of 1712 2724 skotes.exe 40 PID 2724 wrote to memory of 1712 2724 skotes.exe 40 PID 2724 wrote to memory of 1712 2724 skotes.exe 40 PID 2724 wrote to memory of 2580 2724 skotes.exe 41 PID 2724 wrote to memory of 2580 2724 skotes.exe 41 PID 2724 wrote to memory of 2580 2724 skotes.exe 41 PID 2724 wrote to memory of 2580 2724 skotes.exe 41 PID 1712 wrote to memory of 2456 1712 CuKxXX0.exe 43 PID 1712 wrote to memory of 2456 1712 CuKxXX0.exe 43 PID 1712 wrote to memory of 2456 1712 CuKxXX0.exe 43 PID 2456 wrote to memory of 2716 2456 cmd.exe 45 PID 2456 wrote to memory of 2716 2456 cmd.exe 45 PID 2456 wrote to memory of 2716 2456 cmd.exe 45 PID 2724 wrote to memory of 1560 2724 skotes.exe 46 PID 2724 wrote to memory of 1560 2724 skotes.exe 46 PID 2724 wrote to memory of 1560 2724 skotes.exe 46 PID 2724 wrote to memory of 1560 2724 skotes.exe 46 PID 1712 wrote to memory of 2476 1712 CuKxXX0.exe 47 PID 1712 wrote to memory of 2476 1712 CuKxXX0.exe 47 PID 1712 wrote to memory of 2476 1712 CuKxXX0.exe 47 PID 1560 wrote to memory of 2532 1560 6d5d5922b5.exe 50 PID 1560 wrote to memory of 2532 1560 6d5d5922b5.exe 50 PID 1560 wrote to memory of 2532 1560 6d5d5922b5.exe 50 PID 1560 wrote to memory of 2532 1560 6d5d5922b5.exe 50 PID 2532 wrote to memory of 1660 2532 cmd.exe 52 PID 2532 wrote to memory of 1660 2532 cmd.exe 52 PID 2532 wrote to memory of 1660 2532 cmd.exe 52 PID 2532 wrote to memory of 1008 2532 cmd.exe 53 PID 2532 wrote to memory of 1008 2532 cmd.exe 53 PID 2532 wrote to memory of 1008 2532 cmd.exe 53 PID 2532 wrote to memory of 2248 2532 cmd.exe 54 PID 2532 wrote to memory of 2248 2532 cmd.exe 54 PID 2532 wrote to memory of 2248 2532 cmd.exe 54 PID 2532 wrote to memory of 2852 2532 cmd.exe 55 PID 2532 wrote to memory of 2852 2532 cmd.exe 55 PID 2532 wrote to memory of 2852 2532 cmd.exe 55 PID 2532 wrote to memory of 1144 2532 cmd.exe 56 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 1732 attrib.exe 2696 attrib.exe 2808 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1704 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- System Location Discovery: System Language Discovery
- Gathers system information
PID:2896
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe"C:\Users\Admin\AppData\Local\Temp\1014430001\dwVrTdy.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Program Files\Windows Media Player\graph\graph.exe"C:\Program Files\Windows Media Player\graph\graph.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2028
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe"C:\Users\Admin\AppData\Local\Temp\1014431001\AzVRM7c.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Program Files\Windows Media Player\graph\graph.exe"C:\Program Files\Windows Media Player\graph\graph.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1492
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014432001\t5abhIx.exe"C:\Users\Admin\AppData\Local\Temp\1014432001\t5abhIx.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe"C:\Users\Admin\AppData\Local\Temp\1014535001\CuKxXX0.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release4⤵
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
PID:2716
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANAA1ADMANQAwADAAMQBcAEMAdQBLAHgAWABYADAALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANAA1ADMANQAwADAAMQBcAEMAdQBLAHgAWABYADAALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFcAaQBuAGQAbwBzAEMAUABVAHMAeQBzAHQAZQBtAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFcAaQBuAGQAbwBzAEMAUABVAHMAeQBzAHQAZQBtAC4AZQB4AGUA4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://google.com"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2316 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1980
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1712 -s 7364⤵
- Loads dropped DLL
PID:2256
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014550001\9ef3181754.exe"C:\Users\Admin\AppData\Local\Temp\1014550001\9ef3181754.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2580
-
-
C:\Users\Admin\AppData\Local\Temp\1014551001\6d5d5922b5.exe"C:\Users\Admin\AppData\Local\Temp\1014551001\6d5d5922b5.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\system32\mode.commode 65,105⤵PID:1660
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2248
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:380
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:1732
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:2808
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:2696
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2104
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014552001\1bccb831cb.exe"C:\Users\Admin\AppData\Local\Temp\1014552001\1bccb831cb.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:760 -
C:\Users\Admin\AppData\Local\Temp\1014552001\1bccb831cb.exe"C:\Users\Admin\AppData\Local\Temp\1014552001\1bccb831cb.exe"4⤵
- Executes dropped EXE
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\1014552001\1bccb831cb.exe"C:\Users\Admin\AppData\Local\Temp\1014552001\1bccb831cb.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014553001\c2474be541.exe"C:\Users\Admin\AppData\Local\Temp\1014553001\c2474be541.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1640 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:2060
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.0.478027866\1744303064" -parentBuildID 20221007134813 -prefsHandle 1260 -prefMapHandle 1252 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e76650ba-bde7-47e3-a38d-e70a368ddebc} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 1348 14e28158 gpu6⤵PID:2780
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.1.464637995\571109681" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1a2d648-7c61-4b61-817a-b683dd7deda1} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 1536 f244658 socket6⤵PID:2476
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.2.2105397240\673677396" -childID 1 -isForBrowser -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3f3a9a9-14b4-4477-9aeb-246e00f70299} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 2244 1a1edf58 tab6⤵PID:1608
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.3.345051427\1143188293" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d503240-2feb-45d3-9a9e-a1c347c95f54} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 2812 d60858 tab6⤵PID:3496
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.4.2013158345\992161320" -childID 3 -isForBrowser -prefsHandle 3748 -prefMapHandle 3744 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f20c86ec-7482-4918-a1eb-62f95142ef6f} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 3760 1e56ae58 tab6⤵PID:3252
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.5.39202817\905754491" -childID 4 -isForBrowser -prefsHandle 3868 -prefMapHandle 3872 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6edfa011-6d35-4548-8e41-f35c2dbed9f9} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 3860 1e56bd58 tab6⤵PID:1768
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2932.6.2060464210\526856893" -childID 5 -isForBrowser -prefsHandle 4032 -prefMapHandle 4036 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 828 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebb74f67-824f-4cfb-8930-69f1a14dc8ae} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" 4020 1e56a858 tab6⤵PID:2904
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014554001\bb87577ae6.exe"C:\Users\Admin\AppData\Local\Temp\1014554001\bb87577ae6.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\1014555001\25f634d9be.exe"C:\Users\Admin\AppData\Local\Temp\1014555001\25f634d9be.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
C:\Users\Admin\AppData\Local\Temp\1014556001\3fd0c2c94d.exe"C:\Users\Admin\AppData\Local\Temp\1014556001\3fd0c2c94d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
PID:3764 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014556001\3fd0c2c94d.exe" & rd /s /q "C:\ProgramData\NGDT2NG4E3WB" & exit4⤵
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:4092
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {91226FAC-A0E3-42B3-A738-6203B52C459C} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:2360 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3716 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4008 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2408
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5f89267b24ecf471c16add613cec34473
SHA1c3aad9d69a3848cedb8912e237b06d21e1e9974f
SHA25621f12abb6de14e72d085bc0bd90d630956c399433e85275c4c144cd9818cbf92
SHA512c29176c7e1d58dd4e1deafcbd72956b8c27e923fb79d511ee244c91777d3b3e41d0c3977a8a9fbe094bac371253481dde5b58abf4f2df989f303e5d262e1ce4d
-
Filesize
120KB
MD553e54ac43786c11e0dde9db8f4eb27ab
SHA19c5768d5ee037e90da77f174ef9401970060520e
SHA2562f606d24809902af1bb9cb59c16a2c82960d95bff923ea26f6a42076772f1db8
SHA512cd1f6d5f4d8cd19226151b6674124ab1e10950af5a049e8c082531867d71bfae9d7bc65641171fd55d203e4fba9756c80d11906d85a30b35ee4e8991adb21950
-
Filesize
245KB
MD57d254439af7b1caaa765420bea7fbd3f
SHA17bd1d979de4a86cb0d8c2ad9e1945bd351339ad0
SHA256d6e7ceb5b05634efbd06c3e28233e92f1bd362a36473688fbaf952504b76d394
SHA512c3164b2f09dc914066201562be6483f61d3c368675ac5d3466c2d5b754813b8b23fd09af86b1f15ab8cc91be8a52b3488323e7a65198e5b104f9c635ec5ed5cc
-
Filesize
854B
MD5e935bc5762068caf3e24a2683b1b8a88
SHA182b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD584525ac2c52cedf67aa38131b3f41efb
SHA1080afd23b33aabd0285594d580d21acde7229173
SHA256ae524d9d757bed48d552b059f951ffd25a7d963ae44a554cb1f3a9641e524080
SHA512d898b0913b4005bbbf22a5457ad1e86345860868bc2e53187ad8267c07824d592160a27d850978ebfe78392db784fffb80b73e27418d3a71708383d738ea1d57
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DA548C7E5915679F87E910D6581DEF1_19CA6F55DA8A3B0AB12F649B745C90D5
Filesize471B
MD5f82d5aca5ed5100b9c82259f5c97bd5f
SHA1c5fe6c4d597a84244e0330d53887d7865bc8d430
SHA2568484447947db2ae840af4235ae99c704d8048091b0a71f098d18d755759d7178
SHA5125a9f1b0cba4a1c6974a1d3929c4cf4d6c2b11041bc61cdeac68f8f5915bc19bf56e589b1a8739c8ff3cd4a6e7912405b35bd7f6dbd5ce66dfd465163d638ef47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6F7C58D8F5DC37AD0C4A3BEB81BE1660
Filesize472B
MD56e21d4c7d76f1411934abcec47aa4f6f
SHA16b1ca4ee9524085a35c2f4f99d1603b4a31829e9
SHA256a77a50019d85cd5c6ce6592dfa4b8dcc63399f279e15c06288d13e2dde338e13
SHA512ad2bdb52d35f926ae93710e5a3c7775787fb1b2c1a2802f502b70954b1b41c5aafb24ef6d98bebce19bad0fe6a8f29b1f169b55fa49bc5592fa196a42d8c2868
-
Filesize
504B
MD57534282617c6278db5ebc9da5b2c673b
SHA14d804a0a0e7c4f0ab1791e9c68c58833d7fc7811
SHA2562904a768575e22df734148cd01c687a5dd23a6d2b378ad3a972f6e7f38fa77cc
SHA512c45746c38c1e8f0d694a05ef0785070b4f7e3df34a264a3693983d555232bc7b61e78e24187fce8e093448d1724f1226afc3baf262860ad75f076bf57f5929a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize170B
MD5a52d131c393f94f9bece4c5e28d9bd82
SHA172318a074abc4467155ba3ee46800d854eaa7900
SHA2569aef0fe811f8822bcf3cc7d4f350c0fd723d5f83841aab57bb8b8305ac7e02c6
SHA512ac650078037311718e5cc40ff07535677d70e570eb0b6aab7fd404ff41019e38ffc8198dc1ff20ff8f008a5ef1b9b897a7c2cdc80eaab63bdc0bb1e8e4d22ed5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize192B
MD5ad9a0460658a8c3f6c3e04dd4ccbb9c0
SHA1f2288172b607f62e60c18b0ef733acd9d0459186
SHA256a6e4ed4760782150ac23b2e6bd87f88376f39e257fc6d170ec6a01455a3a97a8
SHA512b923e10949b25dba4c42cfc526431a2b0e47c2ad9399bda82e26fb45633565200ed9676f8bfadd8acfa4759ab0dd5c5bbce95c7ede52aa9a5ba3165258f8545c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5d0005460424140bfe3397e910663733c
SHA172ce03bcb38313d7d52b0c35496d61e9fadf98de
SHA256a28a9056c43c9c6b4fa5d1d5e91ca3e50f2ea5eaa17a6ce79f6938059733ab18
SHA51221dac5aa8f53a5b75b33328e83d1b031805e0a4774137d2114f1fd36823e560615fbaa567c279eea1d96157b69bf53ed7957942e6b2f4d62fe258dfe821e1a05
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD526fcdc4ead3e4dff1ce842acaacee55a
SHA131dcc92cfad9940283a4b43a182868d69ad0ff5b
SHA25638f9d1c41260573c601bf1f2f3d583083401088bea5fefd1b19f5d34e2f6ecfc
SHA5124d9f8fee3a21557b8fee4b01b1832e4e64378d8872e5a49eed8ee408540a8d6ec2f0cb3559533f97ae4a77faa66ebcd65025e806c5f8b9fda06a12f123e9206b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DA548C7E5915679F87E910D6581DEF1_19CA6F55DA8A3B0AB12F649B745C90D5
Filesize402B
MD5f62301c83d119d77f0f6480862aa73a5
SHA149585a061e6af13aa2f082b93463934376beb081
SHA256d7aeb5bdde6976ed44c1470ef544470c31ed86b033df9bca72c766d1ba1d6091
SHA512462d78fd18ba462d614b504b6feccee348432ccf93b1f52dab7f37e51da7e5162ce3b83cd7649510969b44f3a339866b4d52cf5c54b971e6ef1d65999b1d3251
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d52e2727a41534a2d39f3a8b365fb1a9
SHA1cde5e3502def95131b33225c86687436a76a6a04
SHA2568aa41c823bda5a2c3242f4e8c654eb4685a690e3f57a9acf181e773b6998d187
SHA5129450561eb460184b1ac8ddc0333f1bffa4deba4930d228d333512aaeb0f7fd574fb95dff923d4b76ac4989059520cc71161ff703477dcde86fdbbf7444630a5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ad323c6e55a5c97e980cbe703a2109e5
SHA14cabee0e991883cc2d70ab79b174b731250f5c0f
SHA256cf561e9b2616f4045776341964eac7a006137fc5ff160b7eeb60ca589bb4f840
SHA5128eb9bd90d903b9cf08f39004302ea234fcfb80299c1fbc98973ad0e5df9e206149f7cf3b991235dcc727d85c266fb28785b6ffc7f603e1fc6fa9552eed348e07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD587f9d0ad692fc13d0184b2abbdd4776e
SHA11b10b915838d5df24835b0ecb6f558f448032a4e
SHA256f10fc3bbac5d0e2e705dcf65e13f3961cace36f78785d610488b924e34b1fba5
SHA512ffbbf1c1766dbffe8fc944a67e8b0018cec2ee76bbc186c77a62c5f3ec4a591481b92e7e943e00999ff832f87ad7f3ea9c4ed0e80daed75cb62f57bec56b534d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59b1cd00be7bfc9122828365313ddd5f5
SHA1682cbe9fc0adff631f6df9158c05d1c91a0ec4c8
SHA256b153d17f1b42df8ad2f34335372438268ee7bf629629476ffb05356996d1446c
SHA512328854282e87b33feda7cb9794942e565944cf3bd9f80f8c2328dc3aa16a2733204de033ede84c9a99cdbd558352f86ccdcaaa09c78fadff8aa6d0509a8affd0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57daa7e3c593580846fa3a2583f16346e
SHA1a4b5cb4e185c8cfa6b0f3c65ca4b75485fcb760b
SHA256c9d7d643023f0a831f37507e791e64ff4d583c4f005d575cde5ae9dc075f32d4
SHA512407429293095499006e87f8f1438de46caafeab20715d105463043f3a26210f739c543764d6856015fe7354aa8b3e3273076acd8f2befa2ef3bb522958a937fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a99f6146167038ba25000fc38ac47c66
SHA1c8e9f74be19dc625a429ae45a0a681a87dca41c4
SHA256d276861520b056c4a9078f1a320a5ac4dd7f0edc235b8bf2f6f5af3fc65cc2d3
SHA512d76d6d88e2b6f6b7101cf19648e61b073da297b9760a156e7a0e002cf635d6718180bd596a4421779e158dc7fe43b24eb92a1bece2ef56d3fd6b3fad1f081918
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a1de2f9433e39e5efeed99e72cbbd4ef
SHA16e2d42deaad55b5ad3ab8aba0e8c53da3a0e0012
SHA256c2c5c318ae1b134ebaa3bc23bd779ac970ac140a202c5d7b56c554d572a39a2b
SHA5124972910c864dd04e228d653221bb89c79f18bb05220f39e7824009abfc9a1d56af294efe5988190c0e1b5216dc7d4f9b0380dd437efadf91f15e92f842767687
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD517d4dbf4832d19d73b99915ac9a528bc
SHA1a984396117328c7c7ef29fb14bd02f2c3a73c0d5
SHA25667428526515b42a9e5b8d51d8fae2f82687052d98f54a59b4b6f68e97e1bbeea
SHA512548ef24b7a03211cf2f9ee4a0ae326218b36b0e5650179a1fcc7449e1bcdbdfd4505a56e3a7fcfdf05984e090be5269ad2817224a5b2c2a132721fb7eaaaf0ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD593cc144611f0f512c19bdace80668469
SHA1c2573f53a4e0059e8428abc33fdfadfc5bf3e1a8
SHA25670ac74be8a8bcbd6e66e9c6e4b300eb1a061021df1d48779b77bec23bed98a4b
SHA5127418a520f628ec1f73a23713a257b738c2ec3cea696fbb0c314de1ffa3da28c27639a071cc52e2cb799f4361a4e58ccd4edbd35e074fe8051b755563cd32a918
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ecd660d842d56b05efce304a92f1a244
SHA12b36f893076b9f1b49d4e4a4eef73b8d8f4f6968
SHA256eb88c7576ecf3eaa8003786c2aaa49828fac821b02578311ce94fd73ca8f456a
SHA512f893447971a09a480a0904ee674400945ad2743794719d4f8188f7db3201a7092390cb13032eea33e8433e64bbef0eaab108b946de4b59f9898b8f9917ba1721
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD557e8aeb763cf879f411d7f3e78cb8031
SHA18f29cce3879f4c76f050d8c4284c7d85bddcbfcc
SHA2560e7183ffcd3d0d791825f6d6571df65aa1203e08a116cc6a8828ee8551fdb4ea
SHA5124c4ab437b6b3c08fb686b12d45d0d62594364c0bd2292c9d94926ece569ce20f7e0a0f10b6d0884a985a5e14d7182f049920476e708a403540d95dc149fbb14b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a10e8c97061c15dfc76aa9d4db7fce32
SHA1ecf63ca5fc6ce5626a4b04ddf64f703b805747c5
SHA2561cc3258dadf588bdf5a15965630edcc1e16f99801d4323f115b79238ec5c03f0
SHA512bb7df39eec205c016ea3fc1538dc7d38512696a919eff2faa0c533108936639d853ca2c8ec1aff6d7deb15b3b24a827e804678359c9ed224e82dfd7db32c3478
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50a3de59467e5920797e44ce3c6abf035
SHA16b316b541c4ee812a3ba75363f1b5ef2beea295b
SHA2567586f6702bf925845692fea4050ff43b1f9de4460c59a24d24f181fa616ab3de
SHA5128905891094ed08dbac1073ac32508543fe22a6fd560c4b8f876f49c923975d0c2ae7307b0c5c05148a1b7a71d54f6c8f6d5b0e58fe2ba8368c518864541778ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD585985350b50a5dc38661cc34a9c5b71e
SHA1702449f814d4c80456711e32abd6acb64fb5a052
SHA256ce8e45052e5a8f082db2c058d0524564f2306373cc59cecf8265f7e2cd45cc75
SHA51203f630ac6ec448f05cdce936716781127aa74002bbfa4b1f57ad2688ab01cc25ea0f06a9cee76a570769926e740a997756b0ab6630a5345bab291ef72b9f4804
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57622663b92e8b34dbfff0173681b61fa
SHA121e9f86d7fb63ad25427a5bb10d8ea1b6bfca15b
SHA256ddf26a8324efacf61cfee4bb260e9e9a795dadcde15405bc0e79750e844bee18
SHA5121c0d4e3b0403d7a32a8adb0d3c46af365b5014aca15d89e65208b6a1d1aed6b1d3d6a6364c61ea398df9a626739cd08d440ad90415241d6ca4e81cce64e4d062
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD510294af100ea2742d77c6cfb1cfd4961
SHA16f8d6de466d10b7054440fac53c80a47edd7ebbe
SHA256d6181b151e7ecb89138b849a169c5bdb7c434f230be3b2e091e886a39e8417d8
SHA512295b94c89a9e84d25e07a79fdf849777a2693b5df86f7eefd86b862bc4a8ba3ded72ff3163ad957e847f35d81221cd01aab693541d674a864abaa66165ff4919
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6F7C58D8F5DC37AD0C4A3BEB81BE1660
Filesize398B
MD5b20ee70545419d67a7f8df7bf3359d9b
SHA17af84c33b83c6162530f2fe396579a12bac8a629
SHA2567a0d9fd86be88c218fbb40c31a73598b9cdafdcbff1b66f3984b7da944e74173
SHA5123b460f0c469461e009ff22db1d00736ab7ec84c054ce4adcebf27c44952cdcff1f597de616deef162ed5377ab7581d8bf3e34f89217dbe992094b91c86e3e1c3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D73CE810F817D372CC78C5824C36E338
Filesize550B
MD52f80cb161dc6d3d9a69ca9b0c7fd009e
SHA1a84b9b8f50b60683588d885ba61e1d9c6e3b5ebf
SHA256792d5febc1397dd3af740685084dfa3c50133a56b31cc053ad09fb9e4ef79926
SHA512e71390b80da69d4f5d2e78878f1a3e6d4cd661a2131dd6b31fc19a54bf20150eafe6949c09d9e97f37588a91f81ccee80c2a9c96cde89f3d4b8ba783e1dc470d
-
Filesize
98B
MD5c3ee3a81ed00fa6d0a681d8417f03a42
SHA1db8d1819e08a78abc0b95eb01b5fe674bae195ac
SHA2564bdfd470e9984add8128c7ebeaab3c03a6d7665100a05dd8f1023a2a771f9362
SHA5123eaa11b911a66422a9e50e500d2f34f05d59e46967c4f6a4eba7fac9394cd675c5bd281152b82e069e5228578aaa4b0b4d6cfd1eac71ec00af57ec2a4a2b9b2f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\favicon[1].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\random[1].exe
Filesize1.9MB
MD5dd44780d69d56d86bd3be9d6ca0f69a9
SHA1c9afab3e117153f469723102214a907685a509d6
SHA2565cf283b12d73892ee010289b4d554e5b1c7d1aede0a8e6cd0a33415513526b5b
SHA5122941a447f343d039f356cd63a009b33f5eb042553143c009a23a4e68e76c59101052fc9a8092f56b81bf61b3c068b3c685c558933a672ec03c0e94fb4b873eff
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\styles__ltr[1].css
Filesize76KB
MD5c8bc74b65a8a31d4c7af2526b0c75a62
SHA1dd1524ca86eb241b31724a9614285a2845880604
SHA2563b457e0acfb1d231461936c78086c9ea63de3397cbb019c4fe0182a645d67717
SHA5124d7214ac44475cb4d9d848d71caee30a3872cab3957fbb26a0aca13db1933cda1e9799938ba1460581483123dd6f81c3193bbc80989cba7e555f308c212841ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\recaptcha__en[1].js
Filesize546KB
MD581697e6cdd98e37117d7bddcecf07576
SHA10ea9efeb29efc158cd175bb05b72c8516dbaa965
SHA25673dd640564004ec8730e7f3433b9dfaa6876ac3a27e6964a17834f07f6d56116
SHA512fc29d4a1fd39a7c78b7f57b221596acee9b805a133ce2d6ff4bc497a7b3584ab10e3d4ffde30c86884f1abeac7d521598ebda6e0b01fc92525986c98250fa3f8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD59e3910386b462ea482ab7834fc9c2490
SHA1b220fed36fb7f40507ab10d9c2b38f94aee9f03c
SHA2566884561ec511e54f227273feee4890b74e3c381f9333dc39e1c98a76b7d57e0f
SHA5126207c8b019ea295354e1f8e7a817257428203dec0660df883ace1e4560c67d3d42a8d0ce48eb7e8e29968f3cff6e290eb28561d5bd8da1697ea7b04b6dc61473
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
3.7MB
MD512c766cab30c7a0ef110f0199beda18b
SHA1efdc8eb63df5aae563c7153c3bd607812debeba4
SHA2567b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA51232cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10
-
Filesize
591KB
MD53567cb15156760b2f111512ffdbc1451
SHA12fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA2560285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba
-
Filesize
5.6MB
MD5c72b7c1a451219825e066832e38f92f8
SHA170227f19e7092c41d6699efa2a709fa489bb7847
SHA2564e7a2984e68806ab0d4489587aaa2a731171fc968aa7d40532020bf9c26539b3
SHA512cbe4a782cb8500fd7d1c3ba641b58964722d978176d3f8d782693d16b7638a24dc472954200dd085484d132c840f3c420cc7393326cef96fd5ae6342403228bb
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
949KB
MD5e1eb6e279e48e48e1c0021e3dbe01e9b
SHA156fce13b8967a0cd68e48b425f38a50f4a957e18
SHA2561935497fd015edb463f3a1a229be949c565a7346521719595a6e46c8552145dd
SHA512ca71848d6a95c9ba45b7cf73f11a2b301bf4b24cfa2549ee38ec53307e7c99fa7cdc3884103a7ad281a36b9ebc8567d8fa84ed56f9caeeacefd1a3120d9124be
-
Filesize
1.8MB
MD5bb02eb5eef47a773ae26d60ae263d9fa
SHA1283211e861760787a349aefc7b393f41bd00dda6
SHA256eb9e0ab7722a28e6c8e797d66593cb11b544ec242c245f9d8d924b255ed539ba
SHA5125868e829d7bbb1e3f208631c9b31c93faabc9cb9e197b814364c91459a4d6fd2b84de19552bd36950878c5b54224c1e2cb35c181d9b4115a848386836e140818
-
Filesize
2.7MB
MD5c657bf839fb979c5ce29cec72eebf10b
SHA187e7d374570f137582ffcc4d62d71e44380839df
SHA2569239680c12bab0e396798fd89cbbab0b8ebbd8b65cf03c73ff246236390d85fe
SHA51270098c26906d60437d77fae7bbb6e48f0435e094323d050b23188766bb248d6b77079a44770105b198ddaf439f584f86105c01f32e5f4ad555060870f517295e
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
3.1MB
MD53197aa29fd7d023f4483200e06a95d7a
SHA162cd61a0004ef666d0d6427c42c8a6ec7b30617c
SHA256ac7eab26629e889c428293f303b428424ffccae5658636cca54512753fa2792a
SHA5127379939f14ce763a9726638f6b694e0a84dbc80a2128db6e58224e2db432ad242cfc04e2576ffd462e1c75836141310cfd0ac751245061170d041b211e528637
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CGK0EHBGBC33GCXZN0PC.temp
Filesize7KB
MD566c2901fc0c04cd9c9a2c9a7aeb516d6
SHA156a4e6c6bb285fdeb8286e77f95ffb023033b1b5
SHA2562054b358b2d0b8dad22d306339a6283f2a0c8f580e8263f1d76e59911b5315b3
SHA5126d2f18fbca2906df358e1a0816a2db1222a900cefc8050d6797b0a343f16f361630985a0c84921e65127270ad063979ad4ab3c4b3845992a34fecd57f0368b36
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5e39b5eb06344fb455c969a0653dbfc16
SHA1b0081f18ea54b0c43a98b5d9bc2a667625383d86
SHA2560c5615ded4e80e1d25388946bfe5f176c71cf4421b9abaafdbba56bea1814b47
SHA512fac558a82cc5e873657ba5ab279f14e2f0c9fcb5efe5a80edd5f278cefcd363c693ed4e6c1b120a897e9e7de76a748b0eda901a10bac6b592590af51e3db43f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\0ca9b4e4-e1a0-43d8-a2ba-dadb2e6c652d
Filesize745B
MD59c1ac48bc4c556509a5e1d778600a8e6
SHA104efa12804cf5aaf1697887ca578ddb62c8035ea
SHA256ca167875651a82335014c2c676e5c44e072d6f8b63cd9a4dfa518205b245e18f
SHA512c5f86d9d5e0a1f593441432761c0be41ec6d7d72cb428743ee8be6eb59eafbdada29e5b88d6f7966ae53dc5dc36bf886675bc7eed4bc6edf26bdf93733c1601d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\194aa613-51b5-4200-b696-62630f7f227e
Filesize13KB
MD56b958f6fe88732e775a475a046be6639
SHA178b569a1636cd365cfb982c05a03d54afe883a12
SHA256a69ea97971a066810bfb36884c23c4c8d4aa4f674390199c784fb62e77a4b519
SHA5123b7791036fd60d562f0ad602410ba4fe2b932d71c1213ad9f7c8b1b22580e990a650c89ebb12898ca6381dfc2397aa03357f1e0c76e2bd194532f88b08fa0d24
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5c709ac526aeb3efd28dad6aef5d113f5
SHA1cf98b6149740ed87664a68bdedcfaac5c1d91138
SHA256ebd8070a52aa5713268c83b840d62116d733d6b7bb8301514a3166ac21cd2132
SHA512729b927d5719e7ebe46e9cc95e172d0e6b49e4a48f27ae19052ae7681c7c3dd410933c70cab318730f64148ae8ab4cdeebdf18fe759de38a8bbef077dba7da92
-
Filesize
7KB
MD5fa6283846f114b8a1eb1228ae055e682
SHA12e04efd367bcd9a9dd987642962d13c2402c35cb
SHA256ced7244825ce99154d0c2e748bd5e3dabfbae0a4ac72c0acaf3518c060e8f183
SHA51228f7bbf5d65e029fd60bd5a24f7c84b30dc0cd21f06ce6a1eaa035cd14b60b4e30aafbacef41affe8e9fd396627f42c805ef30739f6acadbd94583eed3e02759
-
Filesize
7KB
MD5520ee876b598a1ed547a0e7808638e1f
SHA1d72ea829eec164ab641acbcbff74e6efb5d0af66
SHA2569f7f0295bff844fbfe17931204350089193c3da24be06c1dc8fe6e1ed4fc797e
SHA5120a8df63a9e0f178fbafd1f921888a530ffe3d32aa204ddf1950c4b93d99a61e18708c46d2ad1b1e72e7a0e94091bc3374fe011acc68365cf9590e46a7e4165fd
-
Filesize
6KB
MD5c1b7dd62c6e7c9500969cc9c12e5291a
SHA1b2ef7f6ea6bb3558e6a70d6fc98f0005d3078c5d
SHA2566f640267fa948ce487791affbf5945a12309b2cfe3687dd0c462f629ec49eb4b
SHA5120f8fde673b54b0001419cdc44d4c0e6ca1eac3be98295e63012953d70c3333588c52fc72414ed270c999af5219ce76204ee41c9725ee1b042a63553ecd5abd7a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5daeb525f4def50b11f2f8848e58efec4
SHA10a5d4edf372993529494a412ff0637656e8b76c1
SHA25680dcaada39e1e2cab41a2e193cb04fea0b872a213d4c54707c8db352755331b7
SHA512cfa9ca3c1cdeae7b565ae588c6fe3c95728d3a204a72a9b94bf0b94f94227f610a1d6524fcb157d40f88a0f1e7f3ac3eaca32311cd65678c09f895c009158e9b