Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 02:04
Static task
static1
General
-
Target
0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe
-
Size
5.3MB
-
MD5
718f53eb11f4730fac1f40bd5a1ea164
-
SHA1
1646f7000d950f7de88c60d8c10e07a0c3de896e
-
SHA256
0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47
-
SHA512
1178289c2e70d5314459605554bdeefbc80edd5056aa2988b5766a3c4762f0612f88174aa237d36115c5b16a21263fba93682d3c6e1f40b12589a6ab4d9f531a
-
SSDEEP
98304:YHs+3pzhKjT6ocqacT3h1UJDiQdzAKv6u94DS/xo7bS0L73nPl17ghShHYquXPW:YM+3ZhKHNclczQkUzAMne25GSgtBgiHG
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://tacitglibbr.biz/api
https://immureprech.biz/api
https://deafeninggeh.biz/api
https://wrathful-jammy.cyou/api
https://awake-weaves.cyou/api
https://sordid-snaked.cyou/api
https://drive-connect.cyou/api
https://covery-mover.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" afa9d114fd.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection afa9d114fd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" afa9d114fd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" afa9d114fd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" afa9d114fd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" afa9d114fd.exe -
Stealc family
-
Xmrig family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1u83S5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 51b1b19482.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3J69Q.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 29f465fcac.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2e1328.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ afa9d114fd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
XMRig Miner payload 13 IoCs
resource yara_rule behavioral1/memory/5864-925-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-927-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-928-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-929-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-930-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-931-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-932-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-936-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-934-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5864-940-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5048-3334-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5048-3332-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/5048-3336-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1u83S5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 51b1b19482.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3J69Q.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion afa9d114fd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3J69Q.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion afa9d114fd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1u83S5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2e1328.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2e1328.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 51b1b19482.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 29f465fcac.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 29f465fcac.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation ac34c7f7df.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation f5a2c8e68d.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation 1u83S5.exe -
Executes dropped EXE 29 IoCs
pid Process 2996 f6x27.exe 3092 1u83S5.exe 2464 skotes.exe 3188 2e1328.exe 1012 51b1b19482.exe 3456 3J69Q.exe 3172 ac34c7f7df.exe 3980 7z.exe 1584 7z.exe 4592 7z.exe 820 bc9cdd0411.exe 3352 7z.exe 912 7z.exe 4400 7z.exe 4876 7z.exe 3740 7z.exe 3024 in.exe 3080 29f465fcac.exe 5636 skotes.exe 5836 Intel_PTT_EK_Recertification.exe 6336 afa9d114fd.exe 6568 4b08072a96.exe 2620 4b08072a96.exe 6876 f5a2c8e68d.exe 5528 a52771bcb1.exe 6432 skotes.exe 6436 Intel_PTT_EK_Recertification.exe 6612 skotes.exe 6768 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine 1u83S5.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine 2e1328.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine 51b1b19482.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine 3J69Q.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine afa9d114fd.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine 29f465fcac.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe -
Loads dropped DLL 8 IoCs
pid Process 3980 7z.exe 1584 7z.exe 4592 7z.exe 3352 7z.exe 912 7z.exe 4400 7z.exe 4876 7z.exe 3740 7z.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features afa9d114fd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" afa9d114fd.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" f6x27.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc9cdd0411.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014602001\\bc9cdd0411.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29f465fcac.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014603001\\29f465fcac.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afa9d114fd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014604001\\afa9d114fd.exe" skotes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0007000000023cd2-125.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
pid Process 3092 1u83S5.exe 2464 skotes.exe 3188 2e1328.exe 1012 51b1b19482.exe 3456 3J69Q.exe 3080 29f465fcac.exe 5636 skotes.exe 6336 afa9d114fd.exe 6432 skotes.exe 6612 skotes.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 5836 set thread context of 5864 5836 Intel_PTT_EK_Recertification.exe 153 PID 6568 set thread context of 2620 6568 4b08072a96.exe 161 PID 6436 set thread context of 5048 6436 Intel_PTT_EK_Recertification.exe 180 PID 6768 set thread context of 6732 6768 Intel_PTT_EK_Recertification.exe 186 -
resource yara_rule behavioral1/files/0x0007000000023ce8-170.dat upx behavioral1/memory/3024-175-0x00007FF77B660000-0x00007FF77BAF0000-memory.dmp upx behavioral1/memory/3024-176-0x00007FF77B660000-0x00007FF77BAF0000-memory.dmp upx behavioral1/memory/5836-923-0x00007FF62FBB0000-0x00007FF630040000-memory.dmp upx behavioral1/memory/5836-938-0x00007FF62FBB0000-0x00007FF630040000-memory.dmp upx behavioral1/memory/6436-3335-0x00007FF62FBB0000-0x00007FF630040000-memory.dmp upx behavioral1/memory/6768-3373-0x00007FF62FBB0000-0x00007FF630040000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 1u83S5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 1928 1012 WerFault.exe 94 1752 6876 WerFault.exe 163 -
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6x27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1u83S5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bc9cdd0411.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 51b1b19482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3J69Q.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ac34c7f7df.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage bc9cdd0411.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b08072a96.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a52771bcb1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 29f465fcac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b08072a96.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2e1328.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language bc9cdd0411.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language afa9d114fd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f5a2c8e68d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 6200 PING.EXE 3768 powershell.exe 2648 PING.EXE 3188 powershell.exe 1160 PING.EXE 5920 powershell.exe 6116 PING.EXE 6080 powershell.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f5a2c8e68d.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f5a2c8e68d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 6528 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 3476 taskkill.exe 2116 taskkill.exe 4488 taskkill.exe 4156 taskkill.exe 4148 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings firefox.exe -
Runs ping.exe 1 TTPs 4 IoCs
pid Process 1160 PING.EXE 6116 PING.EXE 6200 PING.EXE 2648 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4548 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid Process 3092 1u83S5.exe 3092 1u83S5.exe 2464 skotes.exe 2464 skotes.exe 3188 2e1328.exe 3188 2e1328.exe 1012 51b1b19482.exe 1012 51b1b19482.exe 3456 3J69Q.exe 3456 3J69Q.exe 3188 powershell.exe 3188 powershell.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 3080 29f465fcac.exe 3080 29f465fcac.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 5636 skotes.exe 5636 skotes.exe 5836 Intel_PTT_EK_Recertification.exe 5920 powershell.exe 5920 powershell.exe 5920 powershell.exe 6336 afa9d114fd.exe 6336 afa9d114fd.exe 6336 afa9d114fd.exe 6336 afa9d114fd.exe 6336 afa9d114fd.exe 6876 f5a2c8e68d.exe 6876 f5a2c8e68d.exe 6432 skotes.exe 6432 skotes.exe 6436 Intel_PTT_EK_Recertification.exe 6080 powershell.exe 6080 powershell.exe 6080 powershell.exe 6768 Intel_PTT_EK_Recertification.exe 6612 skotes.exe 6612 skotes.exe 3768 powershell.exe 3768 powershell.exe 3768 powershell.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeRestorePrivilege 3980 7z.exe Token: 35 3980 7z.exe Token: SeSecurityPrivilege 3980 7z.exe Token: SeSecurityPrivilege 3980 7z.exe Token: SeRestorePrivilege 1584 7z.exe Token: 35 1584 7z.exe Token: SeSecurityPrivilege 1584 7z.exe Token: SeSecurityPrivilege 1584 7z.exe Token: SeRestorePrivilege 4592 7z.exe Token: 35 4592 7z.exe Token: SeSecurityPrivilege 4592 7z.exe Token: SeSecurityPrivilege 4592 7z.exe Token: SeRestorePrivilege 3352 7z.exe Token: 35 3352 7z.exe Token: SeSecurityPrivilege 3352 7z.exe Token: SeSecurityPrivilege 3352 7z.exe Token: SeRestorePrivilege 912 7z.exe Token: 35 912 7z.exe Token: SeSecurityPrivilege 912 7z.exe Token: SeSecurityPrivilege 912 7z.exe Token: SeRestorePrivilege 4400 7z.exe Token: 35 4400 7z.exe Token: SeSecurityPrivilege 4400 7z.exe Token: SeSecurityPrivilege 4400 7z.exe Token: SeRestorePrivilege 4876 7z.exe Token: 35 4876 7z.exe Token: SeSecurityPrivilege 4876 7z.exe Token: SeSecurityPrivilege 4876 7z.exe Token: SeDebugPrivilege 4156 taskkill.exe Token: SeRestorePrivilege 3740 7z.exe Token: 35 3740 7z.exe Token: SeSecurityPrivilege 3740 7z.exe Token: SeSecurityPrivilege 3740 7z.exe Token: SeDebugPrivilege 3188 powershell.exe Token: SeDebugPrivilege 4148 taskkill.exe Token: SeDebugPrivilege 3476 taskkill.exe Token: SeDebugPrivilege 2116 taskkill.exe Token: SeDebugPrivilege 4488 taskkill.exe Token: SeDebugPrivilege 2668 firefox.exe Token: SeDebugPrivilege 2668 firefox.exe Token: SeLockMemoryPrivilege 5864 explorer.exe Token: SeDebugPrivilege 5920 powershell.exe Token: SeDebugPrivilege 6336 afa9d114fd.exe Token: SeLockMemoryPrivilege 5048 explorer.exe Token: SeDebugPrivilege 6080 powershell.exe Token: SeDebugPrivilege 2668 firefox.exe Token: SeDebugPrivilege 2668 firefox.exe Token: SeDebugPrivilege 2668 firefox.exe Token: SeLockMemoryPrivilege 6732 explorer.exe Token: SeDebugPrivilege 3768 powershell.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 3092 1u83S5.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 2668 firefox.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe 820 bc9cdd0411.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2668 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5016 wrote to memory of 2996 5016 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe 83 PID 5016 wrote to memory of 2996 5016 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe 83 PID 5016 wrote to memory of 2996 5016 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe 83 PID 2996 wrote to memory of 3092 2996 f6x27.exe 84 PID 2996 wrote to memory of 3092 2996 f6x27.exe 84 PID 2996 wrote to memory of 3092 2996 f6x27.exe 84 PID 3092 wrote to memory of 2464 3092 1u83S5.exe 85 PID 3092 wrote to memory of 2464 3092 1u83S5.exe 85 PID 3092 wrote to memory of 2464 3092 1u83S5.exe 85 PID 2996 wrote to memory of 3188 2996 f6x27.exe 86 PID 2996 wrote to memory of 3188 2996 f6x27.exe 86 PID 2996 wrote to memory of 3188 2996 f6x27.exe 86 PID 2464 wrote to memory of 1012 2464 skotes.exe 94 PID 2464 wrote to memory of 1012 2464 skotes.exe 94 PID 2464 wrote to memory of 1012 2464 skotes.exe 94 PID 5016 wrote to memory of 3456 5016 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe 97 PID 5016 wrote to memory of 3456 5016 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe 97 PID 5016 wrote to memory of 3456 5016 0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe 97 PID 2464 wrote to memory of 3172 2464 skotes.exe 102 PID 2464 wrote to memory of 3172 2464 skotes.exe 102 PID 2464 wrote to memory of 3172 2464 skotes.exe 102 PID 3172 wrote to memory of 1952 3172 ac34c7f7df.exe 103 PID 3172 wrote to memory of 1952 3172 ac34c7f7df.exe 103 PID 1952 wrote to memory of 4632 1952 cmd.exe 105 PID 1952 wrote to memory of 4632 1952 cmd.exe 105 PID 1952 wrote to memory of 3980 1952 cmd.exe 106 PID 1952 wrote to memory of 3980 1952 cmd.exe 106 PID 1952 wrote to memory of 1584 1952 cmd.exe 107 PID 1952 wrote to memory of 1584 1952 cmd.exe 107 PID 1952 wrote to memory of 4592 1952 cmd.exe 108 PID 1952 wrote to memory of 4592 1952 cmd.exe 108 PID 2464 wrote to memory of 820 2464 skotes.exe 109 PID 2464 wrote to memory of 820 2464 skotes.exe 109 PID 2464 wrote to memory of 820 2464 skotes.exe 109 PID 1952 wrote to memory of 3352 1952 cmd.exe 110 PID 1952 wrote to memory of 3352 1952 cmd.exe 110 PID 1952 wrote to memory of 912 1952 cmd.exe 111 PID 1952 wrote to memory of 912 1952 cmd.exe 111 PID 1952 wrote to memory of 4400 1952 cmd.exe 112 PID 1952 wrote to memory of 4400 1952 cmd.exe 112 PID 820 wrote to memory of 4156 820 bc9cdd0411.exe 114 PID 820 wrote to memory of 4156 820 bc9cdd0411.exe 114 PID 820 wrote to memory of 4156 820 bc9cdd0411.exe 114 PID 1952 wrote to memory of 4876 1952 cmd.exe 116 PID 1952 wrote to memory of 4876 1952 cmd.exe 116 PID 1952 wrote to memory of 3740 1952 cmd.exe 117 PID 1952 wrote to memory of 3740 1952 cmd.exe 117 PID 1952 wrote to memory of 2728 1952 cmd.exe 118 PID 1952 wrote to memory of 2728 1952 cmd.exe 118 PID 1952 wrote to memory of 3024 1952 cmd.exe 119 PID 1952 wrote to memory of 3024 1952 cmd.exe 119 PID 3024 wrote to memory of 3644 3024 in.exe 120 PID 3024 wrote to memory of 3644 3024 in.exe 120 PID 3024 wrote to memory of 3944 3024 in.exe 121 PID 3024 wrote to memory of 3944 3024 in.exe 121 PID 3024 wrote to memory of 4548 3024 in.exe 122 PID 3024 wrote to memory of 4548 3024 in.exe 122 PID 3024 wrote to memory of 3188 3024 in.exe 123 PID 3024 wrote to memory of 3188 3024 in.exe 123 PID 3188 wrote to memory of 1160 3188 powershell.exe 128 PID 3188 wrote to memory of 1160 3188 powershell.exe 128 PID 820 wrote to memory of 4148 820 bc9cdd0411.exe 129 PID 820 wrote to memory of 4148 820 bc9cdd0411.exe 129 PID 820 wrote to memory of 4148 820 bc9cdd0411.exe 129 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 3944 attrib.exe 2728 attrib.exe 3644 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe"C:\Users\Admin\AppData\Local\Temp\0a7428f3f91be66d8d3243fc5b29a4176da5b9541cd61245d431457299c84b47.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f6x27.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f6x27.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u83S5.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1u83S5.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Users\Admin\AppData\Local\Temp\1014600001\51b1b19482.exe"C:\Users\Admin\AppData\Local\Temp\1014600001\51b1b19482.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1012 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 17846⤵
- Program crash
PID:1928
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014601001\ac34c7f7df.exe"C:\Users\Admin\AppData\Local\Temp\1014601001\ac34c7f7df.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"6⤵
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\system32\mode.commode 65,107⤵PID:4632
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3980
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4400
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4876
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"7⤵
- Views/modifies file attributes
PID:2728
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe8⤵
- Views/modifies file attributes
PID:3644
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe8⤵
- Views/modifies file attributes
PID:3944
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE8⤵
- Scheduled Task/Job: Scheduled Task
PID:4548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1160
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014602001\bc9cdd0411.exe"C:\Users\Admin\AppData\Local\Temp\1014602001\bc9cdd0411.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4156
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3476
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:3040
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2668 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4cbdc84-e298-497c-b08a-5bd7320a3aee} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" gpu8⤵PID:2876
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e69198ef-3b7e-4e98-b749-90940b33fab2} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" socket8⤵PID:3580
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2784 -childID 1 -isForBrowser -prefsHandle 3252 -prefMapHandle 3300 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {004b7113-e514-498d-bb8b-e754c441796c} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" tab8⤵PID:4644
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2584 -childID 2 -isForBrowser -prefsHandle 4140 -prefMapHandle 4136 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c891e7af-a2b0-4fb9-8049-a762412dad5e} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" tab8⤵PID:660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {949aeaef-72cc-4beb-87f4-1aa1a7ad176a} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" utility8⤵
- Checks processor information in registry
PID:6652
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5188 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5236 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {285847ab-b840-4811-941f-5c9adf41e634} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" tab8⤵PID:1560
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5048 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48edba04-c663-405d-a7a2-986716e88856} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" tab8⤵PID:772
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 5 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58edee5-1604-49c8-8cfd-dca4129d5438} 2668 "\\.\pipe\gecko-crash-server-pipe.2668" tab8⤵PID:4220
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014603001\29f465fcac.exe"C:\Users\Admin\AppData\Local\Temp\1014603001\29f465fcac.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3080
-
-
C:\Users\Admin\AppData\Local\Temp\1014604001\afa9d114fd.exe"C:\Users\Admin\AppData\Local\Temp\1014604001\afa9d114fd.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6336
-
-
C:\Users\Admin\AppData\Local\Temp\1014605001\4b08072a96.exe"C:\Users\Admin\AppData\Local\Temp\1014605001\4b08072a96.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6568 -
C:\Users\Admin\AppData\Local\Temp\1014605001\4b08072a96.exe"C:\Users\Admin\AppData\Local\Temp\1014605001\4b08072a96.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014606001\f5a2c8e68d.exe"C:\Users\Admin\AppData\Local\Temp\1014606001\f5a2c8e68d.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014606001\f5a2c8e68d.exe" & rd /s /q "C:\ProgramData\Q9RQQIMOZU3E" & exit6⤵
- System Location Discovery: System Language Discovery
PID:6328 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:6528
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 21966⤵
- Program crash
PID:1752
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014607001\a52771bcb1.exe"C:\Users\Admin\AppData\Local\Temp\1014607001\a52771bcb1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5528
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2e1328.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2e1328.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3188
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3J69Q.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3J69Q.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5636
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5836 -
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6116
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1012 -ip 10121⤵PID:7148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6876 -ip 68761⤵PID:6344
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6432
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6436 -
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6080 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6200
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6612
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:6768 -
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2648
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
Filesize27KB
MD5061ae0050c064606b77c3df3dce0bfa1
SHA171c564686a91e29bb506dae376c866b29f736967
SHA256500b21c7fb4875bb7755bb0ad840c50368c3c1f54f881c427309b128e67dd76a
SHA512fa5ce6f2ac5c9c705e1079ed35d32a8f6086b5cf7928fcf6a16146cb679f8e44f8fe351e1d64a0c050f452a09f02e9e89809701d659ba9bb9df91ff5d5396cb6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5dca8233c9687eccb2a00807992e27ef6
SHA16ee82f93d068fccf380dfca6e84ce01361c09b36
SHA2566e78ff0164b1fd419de294b14379f0c5ad076e2153a6669d4cba21c21b0d26c3
SHA512a4f03f2e440d3ec4ad5bd06e5a984dce21213c3ef5399615fbd07f98251b689b9f68449ec5e54a0348ed70e3d3ce5e2ea0b7ff84e4cd1409c66c22089d810451
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.9MB
MD50a2e0cf36cb5586fb3ecff4872b27b9d
SHA1b8ab43272fbbad21c1985ee536ecd5ccbdc0a761
SHA256417e7e396fbadbf07bf6952dbd3c0b6b496bc18871047645879db777552552b1
SHA51254f788a088be98537649567c9c9c1c13fb148502900862832b91438a4e0ea1cfab5d8c465834059556f2799d83390ef2bc07efa6c3a63b225484528c2e85eedf
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
947KB
MD57e271a875a2075fc56fd2b53f7a7380e
SHA15ca375a3aa3ebbe313e102a7cc86b994d6d131ab
SHA2563d6a9fef59bb4b070ba29ffc1aa80439eebb6f4aa927582daef443955d1ef2eb
SHA512b9a2b6276615abb77a455d36debd609b4da7de281f23b2ac78b47b72eaa74881b512dcf701dae3c054c600f41dd7245ce176e84c588e1f4725e231e5731c799b
-
Filesize
1.7MB
MD591c87d6521355c02422acb98aea28b43
SHA171f5a66b2d645b355e675ce458f302b192da214b
SHA256f7df3bbf114ddb67167ed7b1bbea2ce1a575b0cba8d5b54a21a59b662dfd5139
SHA512dea14418513777047d89268e316fa71a2f17f3cdd7d912688302ee332b4a15343ee4a0bf515beb308b58ea742b905b5e29f57531fcf8da1d3d83708ce8cab1a5
-
Filesize
2.6MB
MD59d094fe064d40613e4432c8ce26a0827
SHA1fb4079101b4e06d5eee29066a7425dd5c11f3491
SHA2560ba7e21d13de7a72853b599863bf4bef7d606aff8b4befa84c1a3dc304ed2428
SHA51228d2232bb16f13b8a9fe745da6d6aa06c85da9dab14722788c3e923a61a2e706e33d1f6da6d578ed19be4f26e53e0e87635dec62ca74fc73749532d784137ce3
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
1.7MB
MD50db86f415beec566f74ae32230607940
SHA159ad2e80445397031efa8cb4cf90488ca03e809e
SHA2564f3f3cebaedafaca661c5852c61b1cc62377805ddb893891c795097cc4d90216
SHA512b4f1fe2f7805091a7fd6611dede047f35fa403770f6351bf3cba4243a74d4539bd84cb687569b60c7a58b8664f549202b4009c75cc82392a5b16507c7f8dfaf8
-
Filesize
3.5MB
MD5a00bf8c789c0077688fbdc4bad39ce3e
SHA1604f468b6d065731aae511360cfcb16bc10258a2
SHA256c5ba3e08e8b4c60113430fefc63b67149d1690a0c9f8dbe29cadf1bf49ce8ca1
SHA5125b01c45b6a87366de516ab27257d4642c8a3372b69563e4cfbfd9e4b44bc53f79186bb6cc659c9b18a63dbabeca022718d4b23bd4bf365605eee7cdcc00d2b7b
-
Filesize
3.1MB
MD5bfafb8154be49c061ea87bb8f1b1d2e3
SHA128aea3a6010fa9ed6587b9a3ec48399f7e2cd3e3
SHA25606dd79ee8be1ee3c3e51c2499e84a9823cf51c0049d12383b1e333157d56d43a
SHA512a6941502929f5f708191df88005e8734b07b0a34538ff030131edce34f7f2672ac586abd75855ac001d8a1e182e4d632f0516b687d74c78d950e77bbfb79e5f9
-
Filesize
1.8MB
MD59c44476a000428e61f66dc47e2c5cc34
SHA1e427c00e570aa70c5cb083e56e48a2b4b4990235
SHA2569e48bf805ff254a4b2c920460a8ba4348a65132a574dd3702d15be9f5470080e
SHA512c11e86955068a68c164ab2fcab24419d751a6c0948308104d8502c27d52aca33c8fad7f367d8c455a56d23ea8d316d83584625e41778e07c360d11ccf2652aa0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD5579a63bebccbacab8f14132f9fc31b89
SHA1fca8a51077d352741a9c1ff8a493064ef5052f27
SHA2560ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA5124a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f
-
Filesize
1.7MB
MD55659eba6a774f9d5322f249ad989114a
SHA14bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4
-
Filesize
1.7MB
MD55404286ec7853897b3ba00adf824d6c1
SHA139e543e08b34311b82f6e909e1e67e2f4afec551
SHA256ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30
-
Filesize
1.7MB
MD55eb39ba3698c99891a6b6eb036cfb653
SHA1d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA5126c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
1.7MB
MD583d75087c9bf6e4f07c36e550731ccde
SHA1d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA25646db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize6KB
MD5cec6e1aa2691e8cc3f1a91f52e7a4a42
SHA1b7bcf6f9d6ee842b493f4be027a2d87d1b54bf4a
SHA256595e2582933c188b20775b73cfcc6076e624a30cafa2c52e4196b3ecf2f05a21
SHA512344576d39e2727f7740176a7e4a2b7041754aed53a0f87579bd10a23c5ba3e369a9a19b3d756709d6f825413da9335f3a54d7550a2fe95ccf874393157507e0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize10KB
MD592ac56708bf79825f8ca7599ce111cfe
SHA18095ef32d733ee6efb1fb084de95bb9a25074f54
SHA256c93b3100c77f85b1a86bcff44ca9b88e12ff5a438a7cf2f16a730a4ab64400b0
SHA512331b18baa8a6d29a69ba84d0960db2f50fdf1b24917fa07b7bbf3684a149f75a90ab1f82cce3250185d4288c2ec4a826fdf15e35a5a6a6c66e2027a82bcfb9d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD50464decb904441afac6048ecc71d52af
SHA14afb68076b84efa8f204bd3cc8a1fe002ccc27aa
SHA25619cb23e5d6c45de0c05388ba6ce1e581256d4cad9bd1565e1ab8400745678813
SHA51265cd2e8330972484978380d5fda76dccf38d803b3040a0540f89bfb9904fb9fd492948148d29293950e5cd78f65893361f1588cf0c401b34dbf2057c715b466e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin
Filesize24KB
MD525856f1aff4f26538b6d00c8e224f268
SHA16b1ac929885b4a8c4b7c2924e213b7d160bad125
SHA25672e532f8345f90c6bf42870826d6f1d9f25407a36fc195b494a8989b2dd96b14
SHA512a7f326b012cb67d19128a590d2795056c87e6d974b2112066c3890209d9629b67c029059ba7a06d4b65d254a0369f6710e10b9873dd9d924385a2fe1cbb1e624
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.bin
Filesize24KB
MD534cec85da851bf6a4b4687afafe50c9b
SHA1f6374c4fe558ea509e2d0add0870f536ed10965e
SHA2568be292867b29bc5274800cbe10062a51a726071df1c0b0b6dfc01a20bc916b20
SHA512bcfbb5bf43051597df89d247230f513e42978a4733e7478d82c64ab8973fc206bbf6c44058e0c0acecc00cd024521c58ee08016f0c89d682c48e8cff5a95d6a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD57555ab1e0fcb5f2228a4a80696c6a617
SHA196f16bd937ce579b5a2bdece7c4570dccc46e19e
SHA256c8480b0d34a191a8f240197f17c3411422d1c6cc27c4d3224be27c968f6bc2cf
SHA5126e892b2a615ce384714cb9b217cc2502fa7114d6ff9ffc8517f2efd0e21622a26593d23a004584d3abe4762f07c73211351ded2c07e6d42b8851e0ec81f19888
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5fefd81c6d9369a6c88092c228e17cd49
SHA1af28bf04da36c97e860029954ea7e15c4951e908
SHA25682357d3645ffc8e549355513a2912d24072fe675bf790f77b6a72c8a234276de
SHA5129aec7e35d3f144a21e740caecc411df770aa764b8218407e0ec3cea301563ae4c38fdcf2b00348fcd144e2e5e825727f00a32d658630a82722152aba348cd79a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5a29753ff2bd3d42aa9d17b3177ec9509
SHA13744a91a67136cb0bf2bdc9a6706c7d9e3e74b85
SHA256eb90da66791d7d5849211a2cd92c4463e766b35b114fe28486caafad8f04a06f
SHA51262daea7570c9cb735580be5bf8dea5fbaaecbdde3246885d0e468b07faa397af8a285db65886428a4bbdfaffa41c9fb1b95bbdf45a2ddde274719a6e08b99624
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD5c9e96081201facb7af2da33bed1fad77
SHA1af417bd754578901512bdcfcc74619aaf04b844d
SHA2567849c89c3b2b4b26887fee0f0f8b1f61ed010b7cb0e59336dacc939b4eaaf199
SHA51297cd6f662511c924cace3d314d17ce1f905c6aff56a67a46f10a148f64cb77b0fb43094c6da02e73c0084f42809063d5bdca95af5ba3789b0677533288f8e703
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize25KB
MD5e5340044a4557de5887f3f1ba00fe592
SHA1010719df623bc735c29b9f76f8ed394cf9f838a4
SHA2560031727c12615838da9af39744a22ebae8a91e2a5531c74ce7869961f6c4e2f8
SHA5126063609ac3c988fe6b413c6bef560b0d0369a8f3007551007430ccf5c7463124cdf7a94a2e3d1260b30b4bae5512e551e54d872b3b590901b397ee2a7c352bec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\2e49c392-7d21-4fb2-a122-8442b39b6caa
Filesize659B
MD50c4ae92cad78db8efcd613780c26c27e
SHA11ca6c208e51326d2fa46daf7dbb43817610f1d6f
SHA2563c075704fa69a7aafd5ca3b5b767fe0b0be1941dc703ec93e13c35ab8c7c0d1a
SHA512982a4f040cc03fa396477cbd300db2496a61b2e28f99df64e9d562873d4ff67a678710fa772cb15848448e268a5a9b1ae4d4cd6d78a26f2cdfdb5e42e393d22a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\c9e43464-4a51-45e1-a268-f2f45441e912
Filesize982B
MD51f3dfcc5b56049cbc3b2776c67641612
SHA1767810911adccfb88f5bdae9b954c781ca095202
SHA256239775a4c1bf84fe00fcd1f795bbbee06e243116ae0ce48758de94f2828fed31
SHA51254d4106cdb9c21010c13f1f9f32c4c09279c900d1b81a0591ab2857b7c90dc3563c370bbe52210cf08924957268c7726be41118b60ac5b243ebd3badbcbd8dc4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5fe8073d98c232265f3a3c1afc9e934be
SHA1d8ab577aa19ba6b2f7bc0c63a50122b527c8e012
SHA2561abe8d210cf1c2cb716d5b7da357ef6a749a3d9434b3aad9fd452f52984218f8
SHA512e4de0a0d1fa6433d5e0f196554c25a71d32050630848ce1a76187e260b92aa5e266d7110d1b87b54595c63131ce13c4a10fc54532c4ee68a51a0f5a580a15bf7
-
Filesize
11KB
MD5f54dfc95ec5e01b49b640f640f8e37e9
SHA177b58d727cd7c0015bcc86ae51ed8efed54d681f
SHA256cf2e36fdf781f4ac031c5974c2f92d986016c8bad4b3ecb1dde0a8270effd619
SHA51251862d13ece579cbb77dc412835b5e29b94128463f13fe368ef2300c26b8280e8e12dba6d4656107e56d2a7db1f9ee13aca78bd09b5f1dde850183e7f2ddef89
-
Filesize
15KB
MD506dfb318b4946c832685c001145e120a
SHA155d825d93d00d17ae2bc8556f2ed38ccc39ceec9
SHA25621a71e623d808b783db5fde272b3d81f479042723a55d5fd4f1b1ecca40c588f
SHA512bc388ec9e3ddb8b38916989a878d29bb60432d35534645ee7ea2957491411609740237817fe5c741cff8aa7d81dc8e1fe2da77ee47ed2d36bd3b34e897fd0048
-
Filesize
15KB
MD5dc5ba6f4ed3afcefdda2d769879fd60b
SHA122bca957ffe7fb3b3f5b4547a354b9d29aa7d184
SHA2566255723e5dfa798bc7c3eb04ac9c7461290351cfd2084f06483601014ceb4f25
SHA5123d0dbdc0f3cf9c7ab852b0ae0d9a708597ff18f6bc2cc4fcaf4e908a9a657cc592252d8c03ff3cf86cf6c8a0ea3255678eac757c0ec81482db3e3d0b0f33f0aa
-
Filesize
10KB
MD519d646e4c382edb9d05da30ccba8914e
SHA1787bf1989633808b1a4aff1c29e9b413993d75d8
SHA256ed2b712d18a4d4347ac8b04d40810630b9cb2a0c16dcea3e77bea33232f98c39
SHA512d626155e8dab487e30e47461b012dc10a4db9cf2d0e48ca0cbb089ebf7d8d84d45d08b50d074c803b142ea6742024a11037442a2b763d8212e37fc013d16a95a
-
Filesize
10KB
MD5a4ff5112fc4032ef47cbbcfbab39df50
SHA1a617bd7a023732a3bf50c049ecf90b4157ea1c24
SHA256367ffe291df45f694ff8d10509dd3e21fef25518c773a57ee8d5fcbaf85343a6
SHA5129a76df04863cf4df6217c60b6d9d26f41242537e3fd8f51d80b6cefcaf5ff5810503349d4b16b4754b93a3b2cee1a10bb317c1cf3df379f401485ed570c57a79
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.9MB
MD5b00ee162bf021a74904f0a9ed0f10397
SHA1545a6f5d4fbe648327d1505c7778abb19f429c15
SHA256dfea88b231afd06d7b2e2f077e7c626358ec00359b26c8169cd62c10446b76f4
SHA512e4ed7f9d1dd8459795c9327a2b57e4fc2c3e41c2f91e7509eb39e6c2e66d8b4b4f1f580e1a8458433fed2428be52534426c7b05bc2d91121f24fecbde0b38dc2