Analysis
max time kernel: 143s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 11:01
Static task: static1
General
-
Target
acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
-
Size
3.1MB
-
MD5
182315687f5f35cdf35103bcf51f4b60
-
SHA1
5714baa4a693938a8df4250f1d1de08402f99e3f
-
SHA256
acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e
-
SHA512
5f26459ca04b60e52fc4bc75c9e741de5109c09b215dcc5f62dd737ed3ff45228182ad515dba3ea4cf8b58643c7770d276440e49a4d4320d948ccc3063d1c3ca
-
SSDEEP
98304:vqqng3iVFfLjrgy9D7wzVkvpVaJs7KM1ajtG7:vPn7vKdBG
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://ratiomun.cyou/api
Extracted
lumma
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 279266c69f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 279266c69f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 279266c69f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 279266c69f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 279266c69f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 279266c69f.exe
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bf8c4ef16f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 279266c69f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6fe0321c4c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2a27005727.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3808 | powershell.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 279266c69f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6fe0321c4c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6fe0321c4c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2a27005727.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2a27005727.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bf8c4ef16f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bf8c4ef16f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 279266c69f.exe
Executes dropped EXE 9 IoCs
pid | Process
2824 | skotes.exe
596 | 273d065ee8.exe
1620 | 81cbfab3f7.exe
1252 | W4KLQf7.exe
2288 | cd3224bbcf.exe
2912 | bf8c4ef16f.exe
568 | 279266c69f.exe
3252 | 6fe0321c4c.exe
3840 | 2a27005727.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 2a27005727.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | bf8c4ef16f.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 279266c69f.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 6fe0321c4c.exe
Loads dropped DLL 16 IoCs
pid | Process
1252 | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe (2 entries)
2824 | skotes.exe (13 entries)
3840 | 2a27005727.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 279266c69f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 279266c69f.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cd3224bbcf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014366001\\cd3224bbcf.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\bf8c4ef16f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014367001\\bf8c4ef16f.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\279266c69f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014368001\\279266c69f.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x00060000000190c9-273.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | Process
1252 | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
2824 | skotes.exe
2912 | bf8c4ef16f.exe
568 | 279266c69f.exe
3252 | 6fe0321c4c.exe
3840 | 2a27005727.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81cbfab3f7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | W4KLQf7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | systeminfo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cd3224bbcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bf8c4ef16f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 279266c69f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 273d065ee8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2a27005727.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | cd3224bbcf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | cd3224bbcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6fe0321c4c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 273d065ee8.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 273d065ee8.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
2012 | timeout.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid | Process
4028 | systeminfo.exe
Kills process with taskkill 5 IoCs
pid | Process
2268 | taskkill.exe
1864 | taskkill.exe
2424 | taskkill.exe
1704 | taskkill.exe
2128 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | firefox.exe
Modifies system certificate store
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] | 273d065ee8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | 6fe0321c4c.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] | 6fe0321c4c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | 273d065ee8.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob data elided] | 273d065ee8.exe
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process
1252 | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
2824 | skotes.exe
596 | 273d065ee8.exe
2912 | bf8c4ef16f.exe
568 | 279266c69f.exe (3 entries)
2288 | cd3224bbcf.exe (3 entries)
3252 | 6fe0321c4c.exe (2 entries)
3840 | 2a27005727.exe (2 entries)
3808 | powershell.exe
1252 | W4KLQf7.exe (6 entries)
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2268 | taskkill.exe
Token: SeDebugPrivilege | 1864 | taskkill.exe
Token: SeDebugPrivilege | 2424 | taskkill.exe
Token: SeDebugPrivilege | 1704 | taskkill.exe
Token: SeDebugPrivilege | 2128 | taskkill.exe
Token: SeDebugPrivilege | 1396 | firefox.exe (2 entries)
Token: SeDebugPrivilege | 568 | 279266c69f.exe
Token: SeDebugPrivilege | 3808 | powershell.exe
Suspicious use of FindShellTrayWindow 23 IoCs
pid | Process
1252 | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe
2288 | cd3224bbcf.exe (18 entries)
1396 | firefox.exe (4 entries)
Suspicious use of SendNotifyMessage 21 IoCs
pid | Process
2288 | cd3224bbcf.exe (18 entries)
1396 | firefox.exe (3 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row is recorded 4 times in the original, 64 IoCs in total)
PID 1252 wrote to memory of 2824 | 1252 | acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe | 30
PID 2824 wrote to memory of 596 | 2824 | skotes.exe | 32
PID 2824 wrote to memory of 1620 | 2824 | skotes.exe | 35
PID 596 wrote to memory of 3044 | 596 | 273d065ee8.exe | 36
PID 3044 wrote to memory of 2012 | 3044 | cmd.exe | 38
PID 2824 wrote to memory of 1252 | 2824 | skotes.exe | 39
PID 2824 wrote to memory of 2288 | 2824 | skotes.exe | 40
PID 2288 wrote to memory of 2268 | 2288 | cd3224bbcf.exe | 41
PID 2824 wrote to memory of 2912 | 2824 | skotes.exe | 43
PID 2824 wrote to memory of 568 | 2824 | skotes.exe | 45
PID 2288 wrote to memory of 1864 | 2288 | cd3224bbcf.exe | 46
PID 2288 wrote to memory of 2424 | 2288 | cd3224bbcf.exe | 48
PID 2288 wrote to memory of 1704 | 2288 | cd3224bbcf.exe | 50
PID 2288 wrote to memory of 2128 | 2288 | cd3224bbcf.exe | 52
PID 2288 wrote to memory of 308 | 2288 | cd3224bbcf.exe | 54
PID 308 wrote to memory of 1396 | 308 | firefox.exe | 55
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe (PID 1252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014363001\273d065ee8.exe (PID 596)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014363001\273d065ee8.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\cmd.exe (PID 3044)
        Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014363001\273d065ee8.exe" & rd /s /q "C:\ProgramData\NYMYCB1VS0ZM" & exit
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\timeout.exe (PID 2012)
          Command line: timeout /t 10
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014364001\81cbfab3f7.exe (PID 1620)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014364001\81cbfab3f7.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe (PID 1252)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014365001\W4KLQf7.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      Depth 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3808)
        Command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\hyper-v.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Windows\SysWOW64\systeminfo.exe (PID 4028)
        Command line: systeminfo
        - System Location Discovery: System Language Discovery
        - Gathers system information
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014366001\cd3224bbcf.exe (PID 2288)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014366001\cd3224bbcf.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\taskkill.exe (PID 2268)
        Command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Windows\SysWOW64\taskkill.exe (PID 1864)
        Command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Windows\SysWOW64\taskkill.exe (PID 2424)
        Command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Windows\SysWOW64\taskkill.exe (PID 1704)
        Command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Windows\SysWOW64\taskkill.exe (PID 2128)
        Command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
      Depth 4: C:\Program Files\Mozilla Firefox\firefox.exe (PID 308)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1396)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2380)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.0.1139107233\761995410" -parentBuildID 20221007134813 -prefsHandle 1276 -prefMapHandle 1232 -prefsLen 20769 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b79aa953-c08b-4d77-a3ca-224748ba5490} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 1348 106f0a58 gpu
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1172)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.1.1502390086\1829503387" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21630 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf37b1e3-2a79-4e00-94f8-b53a155ac9c8} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 1548 f2ed058 socket
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2348)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.2.1538681930\2086156615" -childID 1 -isForBrowser -prefsHandle 1932 -prefMapHandle 1828 -prefsLen 21668 -prefMapSize 233414 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7217ed21-5c9f-4633-81e0-dbd5e8ce9fd2} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 1944 1065e558 tab
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 492)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.3.1405969273\432832528" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 26138 -prefMapSize 233414 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2ed327c-d155-4893-ba7e-466bf861fcc0} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 2812 d64258 tab
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1936)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.4.1689703273\1860112908" -childID 3 -isForBrowser -prefsHandle 3736 -prefMapHandle 3728 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e44f8dac-e709-4788-a07a-c922fb0362e3} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 3748 1eafc758 tab
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 2712)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.5.1634140358\1108932181" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebdcc47f-b315-4d0d-8463-757e862522c5} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 3916 1eafe558 tab
          Depth 6: C:\Program Files\Mozilla Firefox\firefox.exe (PID 1368)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1396.6.1143687519\342417635" -childID 5 -isForBrowser -prefsHandle 4092 -prefMapHandle 4100 -prefsLen 26273 -prefMapSize 233414 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d09a8e39-7a9e-4144-8bea-5b9ca71989c1} 1396 "\\.\pipe\gecko-crash-server-pipe.1396" 4080 1f162758 tab
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014367001\bf8c4ef16f.exe (PID 2912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014367001\bf8c4ef16f.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014368001\279266c69f.exe (PID 568)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014368001\279266c69f.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014369001\6fe0321c4c.exe (PID 3252)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014369001\6fe0321c4c.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
    Depth 3: C:\Users\Admin\AppData\Local\Temp\1014370001\2a27005727.exe (PID 3840)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1014370001\2a27005727.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8bc30159e6e1e551f5576ee0185453e7
SHA1: e4abb2323f3cdf0a6648e3a4ed431f4420080922
SHA256: 2062b91b07c79c1b00703d988fb13f6528d3bc97cc0a4795f62766c837bb81da
SHA512: f14dac599bf15eca6a6db1646de6e94c734f664e73229902b994e2d0f10d0c3eb6d1a583ac86d051358d56d5ccbda095ece0be5df13c340d8beda47534442ad6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\download[1].htm
Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 23KB
MD5: ffeed06480dc94a94523dd767ed62dc6
SHA1: 3281a6297276939429b1d55b99ebc8a646498b53
SHA256: 14db11f4d42cfc2cafcd501a7e2a5b2cb5c7893bffda3fadbb24490b10bd2778
SHA512: 38edc278a15d2b363e5f7549795bd2fced6f1fa842a5c35717851546e5076d79bbdbc1c085761d0e765cc3ec725f6bb14cab4bafdb9b94494e60d540fb1a7aee
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize: 15KB
MD5: 96c542dec016d9ec1ecc4dddfcbaac66
SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize: 384KB
MD5: dfd5f78a711fa92337010ecc028470b4
SHA1: 1a389091178f2be8ce486cd860de16263f8e902e
SHA256: da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512: a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize: 2.5MB
MD5: 2a78ce9f3872f5e591d643459cabe476
SHA1: 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA256: 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA512: 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize: 3.7MB
MD5: 12c766cab30c7a0ef110f0199beda18b
SHA1: efdc8eb63df5aae563c7153c3bd607812debeba4
SHA256: 7b2070ca45ec370acba43623fb52931ee52bee6f0ce74e6230179b058fa2c316
SHA512: 32cad9086d9c7a8d88c3bfcb0806f350f0df9624637439f1e34ab2efffa0c273faef0c226c388ed28f07381aef0655af9e3eb3e9557cbfd2d8c915b556b1cf10
-
Filesize: 946KB
MD5: 2f31d29ec74040cc7ce4b9cc341cce0b
SHA1: 3a122771d15a91371c31b06f705d7e0a07774935
SHA256: 17b8d14a92e07b825cf03f14b0fb4718f706872fc1a31172a525706e2f69c4d2
SHA512: a88970d65f00755926ac77846fbe51b26a0aac781e1b51c0c2ce4f40805581bdd6278f2a6570a2237aff4e353278aa45b8ebb133efe00db378b7b820c2eec3a1
-
Filesize: 1.7MB
MD5: 807a67da4cfbc1cf70de9fecfea9fb09
SHA1: e2c37f774fe4daf510961d6ed7239d8b03d83036
SHA256: c85b9fda965fb5d13142b0ef3369e46abbc5f4bfb948fd2179d6d160123c0689
SHA512: 65c46a8585e0b87c53d242a18dab0ed9d83c1378347ac0209bf5522b93c34051ae1aa7e0b63829980f1cb156d54bab3060c39152d27ff694a79876aabcd78561
-
Filesize: 2.7MB
MD5: d6160b483577667b6a0056f5f3325103
SHA1: 811c2a568c756389939ad598e379d48a5be37789
SHA256: cf9ded7b486e8bcddc5ac55f90b4b7e2eb2af62f86c4790476a7033087ba9a3b
SHA512: 43d9b20a2461c13afbf35b021786adca1bed0b7e3024987853242dfbbf5d73b3e24f85847dd873b27cac7a4be7aa168f47f7fad0d59087f2f0f710583d85236b
-
Filesize: 1.8MB
MD5: 9d09272ac982d62d77946b1f957b6112
SHA1: f431d0c1aeed11eaa7a51d97a1a00e0c1f0530c2
SHA256: 33b1f3d3f016753911b3e9efeb89ad133c855cd6e4850c0b43b1842ee90ad7fc
SHA512: 33c1299c43775a31f27dd2b9747734efc8825b74f8237b489d334126917d0202a3477b4677ea674237a65ba475faac4a24b3a5e6b568d3e1eca9367b34767f4d
-
Filesize: 1.9MB
MD5: 6b388916c9f72353cbd4799ed242d4f4
SHA1: 64b382ca1909b0ae89f26d49652f19fceaf33a48
SHA256: 83cc25a9b6c72190cd8886758cc9afa6625be19579a7532faa97f3feb5e6a7fd
SHA512: 90e42d22d3c2f87daa6703312dab91c00f6026f17325434f75520852d96d31969c4ebca0f94947626c372b18b57cc7e8af11d637cda68c2526d3971d44f7e85a
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB
MD5
18ef517288102b4f149c796583cdbfbf
SHA1
3e9363630d87ba16924de0cc80689bf58970e0cc
SHA256
21b5ed3f0aac45c4dc0d05cd1227eb966bac67c4afff1edbf5bb4ac9cc91074d
SHA512
82e5ed0fc1be9b3d715bee701f2fc869d0cabdcfbd9c2451b045ffc6ddbb7e54c212b11c349b3d6535d7f28bab0b3bb1e6135b8720ec1ebcb0390b6ad8b40de0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\971ce8d2-f4d8-4a13-9d3c-aebfcbb1a287
Filesize
745B
MD5
66e32b5ce826dd72feab09037254199d
SHA1
e3d8ddecfa3a15203de62d735f8e935923ecdd33
SHA256
e0cd8454ba119bf7f87fe12d27a6ba635256d6872989add96bbbb4321336102c
SHA512
df358447dfddf6b544e0f292bbfeb10048f10a8cd0637cc2e213478c28072f562ce6a560a4c781b56a051a206b19b36a1e8c56719b22c618585bcb857db09085
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\datareporting\glean\pending_pings\b4c3a090-8701-4041-a89d-daee0762cb6a
Filesize
11KB
MD5
9806f2cbcdc5a5b1bfd505d899cc9492
SHA1
ef59ed2454a07430a311904b0a724b228e69a219
SHA256
c535347ad443455d2ee9dcc3017b5f12a05eff144712f0f70c5aaef379ca2e7c
SHA512
1889c9fc55fa8e34f25998f817a09d5614e5dfd5e54c1822e8cac16aba5222251c48a454e96f7b5246b019992c9cd4b042d14a7b2b9cdc54f08e0e70b20135d7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB
MD5
fe3355639648c417e8307c6d051e3e37
SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B
MD5
3d33cdc0b3d281e67dd52e14435dd04f
SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B
MD5
49ddb419d96dceb9069018535fb2e2fc
SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B
MD5
8be33af717bb1b67fbd61c3f4b807e9e
SHA1
7cf17656d174d951957ff36810e874a134dd49e0
SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB
MD5
33bf7b0439480effb9fb212efce87b13
SHA1
cee50f2745edc6dc291887b6075ca64d716f495a
SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB
MD5
688bed3676d2104e7f17ae1cd2c59404
SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB
MD5
937326fead5fd401f6cca9118bd9ade9
SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD515a14e92419104a156016e2ef73d49f2
SHA1e78c63e5339a8daffe5e44b740e11a65bb4c0c3c
SHA256c04688792e1ee6cfdf43821f43926beac2f80d9aba76d960c3a6bddf843a7f3d
SHA512f48bb950680d2ae609f22de7656637ef074ffdb189df03b00efbf0d1c8e0538246627ed4a07567ac3e0c7d64590843e1c86f3e96f99ac05134d1d3e90d877e63
-
Filesize
7KB
MD5bd69da2739e28686f3ad3cf25732094c
SHA188350941ce10e0fa939888967be7c11836aa17ba
SHA256e991585fdd35b5c49247ffbd9c558992d50a244cc38367c388f2f813a2b2c448
SHA512d4ad6d921024b5a2e314f9e5f0689892ea2155acebf35a42ffe828004fda2bd96fc30ba61089bbe4cad2869670a4d299c88c7e41f0672d2c8e48f561e5661cb2
-
Filesize
6KB
MD5f0fb83f546fb504de14d9efd68cf1f07
SHA19e3d980d47b36a3f0babe24c9a3a5d05a824645e
SHA256ffbf96352b9a71a0801dd5ef3be249457e584bba546c4762bd7e83d29f1b6d4a
SHA512db9069d8928493861dbe79442391b463b7295cf49f93e26f9c98bc6a24c9ff1cde4bd75a8320079417ad604a8bb716328a8b8a8e9432d45dfb5b9f2fdfd1b3c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB
MD5
7c02ed4e20b0f57f26355df3fb730ccc
SHA1
d19dffcc0c0883b5ef34638719abd90bcccbee50
SHA256
a9a4a634b4239162618e85b06f24d92a88766e1e106ac3b07843da277b38fd2b
SHA512
b57ccc55967c0a38ec49a64e641dd14b55872f4e4696cd26f4b2cc886fa180f1a7392d4869f51bd8dcde05424517932f911a0763f77d8d63b697118ea6740eff
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
3.1MB
MD5182315687f5f35cdf35103bcf51f4b60
SHA15714baa4a693938a8df4250f1d1de08402f99e3f
SHA256acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e
SHA5125f26459ca04b60e52fc4bc75c9e741de5109c09b215dcc5f62dd737ed3ff45228182ad515dba3ea4cf8b58643c7770d276440e49a4d4320d948ccc3063d1c3ca
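The file listing above is raw extraction output: some entries carry a path, some do not, and labels are sometimes fused to their values. Two things a practitioner wants from it are a machine-readable IOC set and a sanity check that each digest has the right length. Note also that the final entry carries exactly the four hashes of the submitted target (acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e), so the sample itself appears among the files. The parser below is an added example and is not part of the sandbox report or its tooling; SAMPLE is constructed from four entries copied from this listing, and TARGET_SHA256 is the target's SHA256 from the report header.

```python
"""Parse a flattened sandbox 'Files' listing into IOC records (added example, not report tooling).

Layouts seen in the extracted text: a label fused to its value ("MD5ffeed...") and a label on
its own line with the value on the next ("Filesize" / "384KB"). Entries are separated by a line
holding a single '-'. A line with no known label is the file path; entries without a path are
kept, since their hashes are still usable as IOCs.
"""
import re

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HEX = re.compile(r"^[0-9a-f]+$")
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# SHA256 of the submitted target, taken from the report header.
TARGET_SHA256 = "acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e"

# Constructed sample: four entries copied verbatim from the listing (the first has no path or MD5).
SAMPLE = r"""
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1bogwdvw.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD5ffeed06480dc94a94523dd767ed62dc6
SHA13281a6297276939429b1d55b99ebc8a646498b53
SHA25614db11f4d42cfc2cafcd501a7e2a5b2cb5c7893bffda3fadbb24490b10bd2778
SHA51238edc278a15d2b363e5f7549795bd2fced6f1fa842a5c35717851546e5076d79bbdbc1c085761d0e765cc3ec725f6bb14cab4bafdb9b94494e60d540fb1a7aee
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
3.1MB
MD5182315687f5f35cdf35103bcf51f4b60
SHA15714baa4a693938a8df4250f1d1de08402f99e3f
SHA256acf84ea685f614a0bd5ee87c46ed083b9f0c7e82b5ca50de9c38407952c39c4e
SHA5125f26459ca04b60e52fc4bc75c9e741de5109c09b215dcc5f62dd737ed3ff45228182ad515dba3ea4cf8b58643c7770d276440e49a4d4320d948ccc3063d1c3ca
"""


def parse_file_entries(text):
    """Return one dict per entry with keys path/Filesize/MD5/SHA1/SHA256/SHA512 where present."""
    entries, current, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if current:
                entries.append(current)
            current, pending = {}, None
            continue
        if pending is not None:              # value for a label seen on the previous line
            current[pending] = line
            pending = None
            continue
        for label in LABELS:                 # "SHA1" never prefixes "SHA256"/"SHA512", so order is safe
            if line == label:
                pending = label
                break
            if line.startswith(label):       # label fused to its value
                current[label] = line[len(label):]
                break
        else:
            current["path"] = line           # no label: this is the file path
    if current:
        entries.append(current)
    return entries


def size_to_bytes(size):
    """Convert a report size such as '23KB' or '3.1MB' to an approximate byte count (None if unparsable)."""
    m = _SIZE.match(size)
    return int(float(m.group(1)) * _UNITS[m.group(2)]) if m else None


def hash_problems(entry):
    """List the hash labels that are missing or not lowercase hex of the expected length."""
    return [label for label, n in HASH_LENGTHS.items()
            if not (isinstance(entry.get(label), str)
                    and len(entry[label]) == n and _HEX.match(entry[label]))]


def entries_matching(entries, sha256):
    """Entries whose SHA256 equals the given digest, e.g. to spot copies of the submitted sample."""
    return [e for e in entries if e.get("SHA256") == sha256.lower()]


if __name__ == "__main__":
    parsed = parse_file_entries(SAMPLE)
    for e in parsed:
        print(e.get("path", "<no path>"), e.get("Filesize"), e.get("SHA256"), hash_problems(e))
    print("self-copies:", len(entries_matching(parsed, TARGET_SHA256)))
```

Feed the whole listing to parse_file_entries and diff the SHA256 column against the target and against the Amadey install_file name from the config block to separate the sample, its installed copy and the Firefox profile noise before pushing hashes to a blocklist.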