Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 14:51
Static task
static1
General
-
Target
file.exe
-
Size
3.2MB
-
MD5
acf48e01c1d4d71dbfde9e5a4b52c38c
-
SHA1
6950a4271a4e357e3309f553673849ff0d26e3c5
-
SHA256
1d43eaa2b566d2111d938ef9617a65304db66158c4499d8b3a37db3d6607daa9
-
SHA512
2013170dc32e9f9e9cc1dbbbc2e3f425a61511635eef161d56815d592537ecc7f0b11209e8d777f3d43cd5db548339d4dcae8d6e6c35ac2046e5936be4fc8299
-
SSDEEP
49152:4VZvytWJYyZcALa38506hvjjO3Rj7IdzCodAXuLdsCT5ApUxAtfpSS2vpb:ULa3850o76hj7IdmodzdsCTayABYSQb
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://drive-connect.cyou/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://drive-connect.cyou/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 05d9dc5952.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 05d9dc5952.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 05d9dc5952.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 05d9dc5952.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 05d9dc5952.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 05d9dc5952.exe -
Stealc family
-
Xmrig family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 05d9dc5952.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HJKJEHJKJE.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5edf826aaf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 996a858ead.exe -
Renames multiple (8167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
XMRig Miner payload 9 IoCs
resource yara_rule behavioral1/memory/2656-18648-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18649-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18647-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18645-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18646-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18643-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18644-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18693-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/2656-18695-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 4956 chrome.exe 4328 chrome.exe 4552 chrome.exe 4652 chrome.exe 220 chrome.exe 2084 chrome.exe 3972 chrome.exe 1856 chrome.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5edf826aaf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 996a858ead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 05d9dc5952.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 05d9dc5952.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HJKJEHJKJE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5edf826aaf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 996a858ead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HJKJEHJKJE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe -
Executes dropped EXE 27 IoCs
pid Process 2764 skotes.exe 1104 LoaderHRC.exe 1324 LoaderHRC.exe 1812 4ZD5C3i.exe 1204 Process not Found 3396 Loader.exe 2296 Loader.exe 2024 c183eb2bf4.exe 224 c183eb2bf4.exe 2136 fddf14d954.exe 2036 789e6c3467.exe 3552 5edf826aaf.exe 1516 0b818f7c9d.exe 2728 996a858ead.exe 2620 05d9dc5952.exe 4144 a25346ec37.exe 4500 7z.exe 4528 7z.exe 4560 7z.exe 4584 7z.exe 4616 7z.exe 4640 7z.exe 4664 7z.exe 4688 7z.exe 4720 in.exe 2184 Intel_PTT_EK_Recertification.exe 4868 HJKJEHJKJE.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 5edf826aaf.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 996a858ead.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine 05d9dc5952.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine HJKJEHJKJE.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine skotes.exe -
Loads dropped DLL 48 IoCs
pid Process 1316 file.exe 2764 skotes.exe 1104 LoaderHRC.exe 1324 LoaderHRC.exe 2764 skotes.exe 2764 skotes.exe 1204 Process not Found 2764 skotes.exe 3396 Loader.exe 2296 Loader.exe 2764 skotes.exe 2764 skotes.exe 2024 c183eb2bf4.exe 2764 skotes.exe 2764 skotes.exe 1204 Process not Found 1204 Process not Found 2764 skotes.exe 2764 skotes.exe 2764 skotes.exe 2764 skotes.exe 2764 skotes.exe 2764 skotes.exe 2764 skotes.exe 2764 skotes.exe 4456 cmd.exe 4500 7z.exe 4456 cmd.exe 4528 7z.exe 4456 cmd.exe 4560 7z.exe 4456 cmd.exe 4584 7z.exe 4456 cmd.exe 4616 7z.exe 4456 cmd.exe 4640 7z.exe 4456 cmd.exe 4664 7z.exe 4456 cmd.exe 4688 7z.exe 4456 cmd.exe 4456 cmd.exe 3488 taskeng.exe 3488 taskeng.exe 2728 996a858ead.exe 2728 996a858ead.exe 4900 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 05d9dc5952.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 05d9dc5952.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\996a858ead.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014831001\\996a858ead.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\05d9dc5952.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014832001\\05d9dc5952.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\0b818f7c9d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014830001\\0b818f7c9d.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 4ZD5C3i.exe File opened (read-only) \??\Z: 4ZD5C3i.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000600000000b3e2-17978.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1316 file.exe 2764 skotes.exe 3552 5edf826aaf.exe 2728 996a858ead.exe 2620 05d9dc5952.exe 4868 HJKJEHJKJE.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2024 set thread context of 224 2024 c183eb2bf4.exe 45 PID 2184 set thread context of 2656 2184 Intel_PTT_EK_Recertification.exe 124 -
resource yara_rule behavioral1/memory/4720-18545-0x000000013F030000-0x000000013F4C0000-memory.dmp upx behavioral1/memory/4720-18543-0x000000013F030000-0x000000013F4C0000-memory.dmp upx behavioral1/memory/2184-18654-0x000000013FDA0000-0x0000000140230000-memory.dmp upx behavioral1/memory/2184-18652-0x000000013FDA0000-0x0000000140230000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00720_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.HXS 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh89 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_04.MID 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01354_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+1 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00052_.GIF 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196110.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0294991.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00057_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG 4ZD5C3i.exe File created C:\Program Files\VideoLAN\VLC\plugins\logger\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18213_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01251_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ.DLL 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\rtstreamsource.ax 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONBttnOL.dll 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Louisville 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\ACCVDTUI.DLL 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00602_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml 4ZD5C3i.exe File created C:\Program Files\VideoLAN\VLC\locale\ms\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18222_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF 4ZD5C3i.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5edf826aaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 996a858ead.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 789e6c3467.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fddf14d954.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0b818f7c9d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c183eb2bf4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ZD5C3i.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c183eb2bf4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a25346ec37.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 0b818f7c9d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 0b818f7c9d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 05d9dc5952.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2844 powershell.exe 4912 PING.EXE 4816 powershell.exe 4244 PING.EXE -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fddf14d954.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 996a858ead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 996a858ead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fddf14d954.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3636 timeout.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 3568 taskkill.exe 3196 taskkill.exe 3872 taskkill.exe 2364 taskkill.exe 3140 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a fddf14d954.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a fddf14d954.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 c183eb2bf4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a c183eb2bf4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 fddf14d954.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4244 PING.EXE 4912 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4792 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1316 file.exe 2764 skotes.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe 1812 4ZD5C3i.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1812 4ZD5C3i.exe Token: SeBackupPrivilege 1956 vssvc.exe Token: SeRestorePrivilege 1956 vssvc.exe Token: SeAuditPrivilege 1956 vssvc.exe Token: SeDebugPrivilege 2364 taskkill.exe Token: SeDebugPrivilege 3140 taskkill.exe Token: SeDebugPrivilege 3568 taskkill.exe Token: SeDebugPrivilege 3196 taskkill.exe Token: SeDebugPrivilege 3872 taskkill.exe Token: SeDebugPrivilege 3416 firefox.exe Token: SeDebugPrivilege 3416 firefox.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeDebugPrivilege 2620 05d9dc5952.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeShutdownPrivilege 220 chrome.exe Token: SeRestorePrivilege 4500 7z.exe Token: 35 4500 7z.exe Token: SeSecurityPrivilege 4500 7z.exe Token: SeSecurityPrivilege 4500 7z.exe Token: SeRestorePrivilege 4528 7z.exe Token: 35 4528 7z.exe Token: SeSecurityPrivilege 4528 7z.exe Token: SeSecurityPrivilege 4528 7z.exe Token: SeRestorePrivilege 4560 7z.exe Token: 35 4560 7z.exe Token: SeSecurityPrivilege 4560 7z.exe Token: SeSecurityPrivilege 4560 7z.exe Token: SeRestorePrivilege 4584 7z.exe Token: 35 4584 7z.exe Token: SeSecurityPrivilege 4584 7z.exe Token: SeSecurityPrivilege 4584 7z.exe Token: SeRestorePrivilege 4616 7z.exe Token: 35 4616 7z.exe Token: SeSecurityPrivilege 4616 7z.exe Token: SeSecurityPrivilege 4616 7z.exe Token: SeRestorePrivilege 4640 7z.exe Token: 35 4640 7z.exe Token: SeSecurityPrivilege 4640 7z.exe Token: SeSecurityPrivilege 4640 7z.exe Token: SeRestorePrivilege 4664 7z.exe Token: 35 4664 7z.exe Token: SeSecurityPrivilege 4664 7z.exe Token: SeSecurityPrivilege 4664 7z.exe Token: SeRestorePrivilege 4688 7z.exe Token: 35 4688 7z.exe Token: SeSecurityPrivilege 4688 7z.exe Token: SeSecurityPrivilege 4688 7z.exe Token: SeDebugPrivilege 4816 powershell.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeDebugPrivilege 2844 powershell.exe Token: SeShutdownPrivilege 4956 chrome.exe Token: SeShutdownPrivilege 4956 chrome.exe -
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process 1316 file.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 3416 firefox.exe 3416 firefox.exe 3416 firefox.exe 3416 firefox.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 220 chrome.exe 4956 chrome.exe -
Suspicious use of SendNotifyMessage 15 IoCs
pid Process 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe 3416 firefox.exe 3416 firefox.exe 3416 firefox.exe 1516 0b818f7c9d.exe 1516 0b818f7c9d.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1316 wrote to memory of 2764 1316 file.exe 30 PID 1316 wrote to memory of 2764 1316 file.exe 30 PID 1316 wrote to memory of 2764 1316 file.exe 30 PID 1316 wrote to memory of 2764 1316 file.exe 30 PID 2764 wrote to memory of 1104 2764 skotes.exe 32 PID 2764 wrote to memory of 1104 2764 skotes.exe 32 PID 2764 wrote to memory of 1104 2764 skotes.exe 32 PID 2764 wrote to memory of 1104 2764 skotes.exe 32 PID 1104 wrote to memory of 1324 1104 LoaderHRC.exe 33 PID 1104 wrote to memory of 1324 1104 LoaderHRC.exe 33 PID 1104 wrote to memory of 1324 1104 LoaderHRC.exe 33 PID 2764 wrote to memory of 1812 2764 skotes.exe 34 PID 2764 wrote to memory of 1812 2764 skotes.exe 34 PID 2764 wrote to memory of 1812 2764 skotes.exe 34 PID 2764 wrote to memory of 1812 2764 skotes.exe 34 PID 2764 wrote to memory of 3396 2764 skotes.exe 41 PID 2764 wrote to memory of 3396 2764 skotes.exe 41 PID 2764 wrote to memory of 3396 2764 skotes.exe 41 PID 2764 wrote to memory of 3396 2764 skotes.exe 41 PID 3396 wrote to memory of 2296 3396 Loader.exe 42 PID 3396 wrote to memory of 2296 3396 Loader.exe 42 PID 3396 wrote to memory of 2296 3396 Loader.exe 42 PID 2764 wrote to memory of 2024 2764 skotes.exe 43 PID 2764 wrote to memory of 2024 2764 skotes.exe 43 PID 2764 wrote to memory of 2024 2764 skotes.exe 43 PID 2764 wrote to memory of 2024 2764 skotes.exe 43 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2024 wrote to memory of 224 2024 c183eb2bf4.exe 45 PID 2764 wrote to memory of 2136 2764 skotes.exe 46 PID 2764 wrote to memory of 2136 2764 skotes.exe 46 PID 2764 wrote to memory of 2136 2764 skotes.exe 46 PID 2764 wrote to memory of 2136 2764 skotes.exe 46 PID 2764 wrote to memory of 2036 2764 skotes.exe 48 PID 2764 wrote to memory of 2036 2764 skotes.exe 48 PID 2764 wrote to memory of 2036 2764 skotes.exe 48 PID 2764 wrote to memory of 2036 2764 skotes.exe 48 PID 2136 wrote to memory of 3272 2136 fddf14d954.exe 49 PID 2136 wrote to memory of 3272 2136 fddf14d954.exe 49 PID 2136 wrote to memory of 3272 2136 fddf14d954.exe 49 PID 2136 wrote to memory of 3272 2136 fddf14d954.exe 49 PID 3272 wrote to memory of 3636 3272 cmd.exe 51 PID 3272 wrote to memory of 3636 3272 cmd.exe 51 PID 3272 wrote to memory of 3636 3272 cmd.exe 51 PID 3272 wrote to memory of 3636 3272 cmd.exe 51 PID 2764 wrote to memory of 3552 2764 skotes.exe 52 PID 2764 wrote to memory of 3552 2764 skotes.exe 52 PID 2764 wrote to memory of 3552 2764 skotes.exe 52 PID 2764 wrote to memory of 3552 2764 skotes.exe 52 PID 2764 wrote to memory of 1516 2764 skotes.exe 53 PID 2764 wrote to memory of 1516 2764 skotes.exe 53 PID 2764 wrote to memory of 1516 2764 skotes.exe 53 PID 2764 wrote to memory of 1516 2764 skotes.exe 53 PID 1516 wrote to memory of 2364 1516 0b818f7c9d.exe 54 PID 1516 wrote to memory of 2364 1516 0b818f7c9d.exe 54 PID 1516 wrote to memory of 2364 1516 0b818f7c9d.exe 54 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 4776 attrib.exe 4712 attrib.exe 4768 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe"C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe"C:\Users\Admin\AppData\Local\Temp\1014759001\LoaderHRC.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe"C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe"C:\Users\Admin\AppData\Local\Temp\1014819001\Loader.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014823001\c183eb2bf4.exe"C:\Users\Admin\AppData\Local\Temp\1014823001\c183eb2bf4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\1014823001\c183eb2bf4.exe"C:\Users\Admin\AppData\Local\Temp\1014823001\c183eb2bf4.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:224
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014827001\fddf14d954.exe"C:\Users\Admin\AppData\Local\Temp\1014827001\fddf14d954.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014827001\fddf14d954.exe" & rd /s /q "C:\ProgramData\79H47YUK6F3E" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3636
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014828001\789e6c3467.exe"C:\Users\Admin\AppData\Local\Temp\1014828001\789e6c3467.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036
-
-
C:\Users\Admin\AppData\Local\Temp\1014829001\5edf826aaf.exe"C:\Users\Admin\AppData\Local\Temp\1014829001\5edf826aaf.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3552
-
-
C:\Users\Admin\AppData\Local\Temp\1014830001\0b818f7c9d.exe"C:\Users\Admin\AppData\Local\Temp\1014830001\0b818f7c9d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:3460
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3416 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.0.775693294\419813392" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1474c0d7-6fd0-41c2-a286-a61548325f54} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 1376 f2edf58 gpu6⤵PID:2556
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.1.661197446\734118169" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e3ddb1e-d3a1-43a9-b204-b7e6cdfb4495} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 1548 f2ed358 socket6⤵PID:3840
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.2.826453811\1138022212" -childID 1 -isForBrowser -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86782299-ae95-401f-85a0-a1f132cbdc5e} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 2284 185bbb58 tab6⤵PID:2916
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.3.1569712004\105734428" -childID 2 -isForBrowser -prefsHandle 2672 -prefMapHandle 2668 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {054a9f3a-c23a-4b17-9263-d017f5480727} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 2684 1cb4cb58 tab6⤵PID:3960
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.4.364923835\351121543" -childID 3 -isForBrowser -prefsHandle 3896 -prefMapHandle 3864 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be24481e-ad09-4859-b5c2-d32db748fefd} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 3884 1ee62858 tab6⤵PID:3112
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.5.2107210386\1856319586" -childID 4 -isForBrowser -prefsHandle 3996 -prefMapHandle 4000 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ee52ec7-1ebd-480d-b0a2-74d25ea3c442} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 3984 1fadc558 tab6⤵PID:1344
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3416.6.1863710092\283126112" -childID 5 -isForBrowser -prefsHandle 4164 -prefMapHandle 4168 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e45cbd4-f795-4c0b-a1c6-bb0d116f4ad2} 3416 "\\.\pipe\gecko-crash-server-pipe.3416" 4152 1fadce58 tab6⤵PID:856
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014831001\996a858ead.exe"C:\Users\Admin\AppData\Local\Temp\1014831001\996a858ead.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2728 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:220 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4c69758,0x7fef4c69768,0x7fef4c697785⤵PID:3432
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:2804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:25⤵PID:2608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1436 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:85⤵PID:3728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:85⤵PID:3764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2444 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:2084
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2736 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:3972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2776 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:1856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1172 --field-trial-handle=1144,i,1914565577888866183,11044907094527004850,131072 /prefetch:25⤵PID:2844
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4956 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4b09758,0x7fef4b09768,0x7fef4b097785⤵PID:4968
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:5092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1004 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:25⤵PID:4160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:85⤵PID:3620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1508 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:85⤵PID:4252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:4328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2684 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:4552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2692 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:4652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1892 --field-trial-handle=1488,i,13993290409139177853,11031504521105057431,131072 /prefetch:25⤵PID:2364
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\HJKJEHJKJE.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\Documents\HJKJEHJKJE.exe"C:\Users\Admin\Documents\HJKJEHJKJE.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4868
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014832001\05d9dc5952.exe"C:\Users\Admin\AppData\Local\Temp\1014832001\05d9dc5952.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Users\Admin\AppData\Local\Temp\1014833001\a25346ec37.exe"C:\Users\Admin\AppData\Local\Temp\1014833001\a25346ec37.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4144 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
PID:4456 -
C:\Windows\system32\mode.commode 65,105⤵PID:4492
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:4712
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:4720 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:4768
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:4776
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:4792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4816 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4244
-
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:3908
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:4532
-
C:\Windows\system32\taskeng.exetaskeng.exe {94070CA0-4F70-4A60-A493-639B1A4A9D00} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:3488 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2184 -
C:\Windows\explorer.exeexplorer.exe3⤵PID:2656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2844 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4912
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "183241449-129471185318350588562124015673-137888419416187016401056113380-1442783258"1⤵PID:4792
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
8Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
533B
MD581d185495b4e6430a87dfd37789bb872
SHA1b5da653f81a548c74205c7ae3d19f30af1a14271
SHA256838d654b9cb0360d8b3bb767db8fc1954fc41ba0a56fc34688aad9b50f5ddb40
SHA5121106c9c2245cbd44effb42e4e1365eb796d3b2390b011fb97205550bf183b097c489194aa001f97f949e9d1ed1c970eea6cbb0477da47511e5bc18e88bf2dfa5
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD52cb1f3be7fc548ed03d8586fdb587ad0
SHA1e536fd875d69ade63cbb9ffb6d62afb63b8c2cd2
SHA2561ffd058b04921ff439aef925b15c9dfe9c066cdabe412a626c3fbf91fd8625a2
SHA5128f50d86d46b0d7066bdcb0a6239671565f8928e84a4c837c5485c172f38a385e6b34fb022274a33bb1daee352143f99cfc0b0f326030df02405b26059f8b291f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a842d2cc07f045bfebc52586e120e20c
SHA1f07ee74dbe9709d303fce259fb757b6c9cdcc7cd
SHA256fbe3da3896ac45724f8014eb4c79cf54a518486828bb01eb5fba70e01b6fee32
SHA51229bbb5efb8660506b8a08da3d8c9c8d442cd072f11e48657e479955f1b43cbb02f40096a62115eab690c871e5c35e58612d8d0920aaf9316d4a7cfbb4f942c67
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57f3f9d1942b4a5b08e783aa4c3be6888
SHA12beb8284ea2dabd3906018a0d28a675fce739875
SHA256a908f5722c3213140e141afa4512a680cfa0fcf09981717218f73234cc92c6fc
SHA5125a60da146ebb9676d467c949b93f4a6c8e43edde1f354fbea3efc71cb8657bd6ca0d025215067f6266a287882bfd9b9311041e566c94b9dfb5f3521c2c6ac3a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD53459e538be69677caf1b58338c848e17
SHA1b43b33e6b89b1aeadf37b83eb65fbb0154d5ee52
SHA2560f6621217b619cfb22ce08d2cfe6c9c154731911ff117c6714e756ad644a2285
SHA5121e5134f34be4b5925a6d9b6453807ba164039d786fcaff26e71c1e331962716717bb23861ba85d7761f7c8643d43c409031a86794e447aaf959c03b38c90c805
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD574b9bad106889871574c4d392e4be916
SHA1a88d5b8143e23f9743b459951edaa635c17ab8f9
SHA256d61fd002574d72095034d68bcab9a09282515eea50d11aa1a039630918168f90
SHA5129faad8c063d93ca01d8f6eeeb442cccaac099334c9dd13d6392976c4f2e3ed06cab1d569142e1e855adca31269a518fba0b5288a89a3d337fafb6f548bb7ddbd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000009.dbtmp
Filesize16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Extension Scripts\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000002.dbtmp
Filesize16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000004.dbtmp
Filesize16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD52e21cd7c8bed328117016fc69995cb6d
SHA1348422b136febd8fdea26d3f09e3aa16d1868514
SHA256b91a4a268e61ed44d2730ece23a836a5b14b39edc1f0ddd48079175256713895
SHA512b7c3726d618e16ad860d9cbd3db6d9c2c975d9d74b2f22e5e6383236eadebccd3fd6209c8c9b70ab816be16eeaa984218a96d1d3d275bb88f2c46a37d9af7601
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1009pdhg.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.1MB
MD542a8588cc82773cd223c42f8fe4be91a
SHA1e2ed3cda00140ecd445f5f742729d34f2c452c8c
SHA256d4521c34f489f4a6065dea15634df9bb700c84741f476bde1084d9cdfb373a7b
SHA512681e4b155ce1015723469bd819618b292844aa00f7dab447d9557e244792efcef5614f753283efe9dd76ea77b838af78a3e69008c380482a4412b1cea75c535d
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
1.9MB
MD57cc027e8f950db5ae7d8f7db7c8fb6ea
SHA118de17766afec56c1bc2696a5f60152a6abc4211
SHA25633e1798571044045de11b18b53109870f221e8ec94a21ba4389b558198c61c10
SHA5129d73f16e9e15dae391e503b3d5f952019e0a0eb079a9e9c5dbe41beea014928516163e3bc07bdc0c5ff5fb7af4a80f28ccabc5d1d4d9fe50b1b122ca900ed242
-
Filesize
949KB
MD5bc5ad03db5df646afff1a49f5b577ec1
SHA13a8d37bd848deecf451d87bc7244f781d7c2eed3
SHA256381d2b1895e7fee64a9f8708fc68e3ac12f04bebf16e686ac57cdb24ec7a3656
SHA512db158216970e686399487362b5f02138881ff9c307f1ffcd0113c9156dd807239f002a5b3a182c875dbcef94cd53226e20ebb0c4fe47eba4d98f67b458830edb
-
Filesize
1.7MB
MD5797ff7aaf097fc8cf9d6c8f4af823693
SHA1acd8322029a37ce398bae41064a90c7fc930ea04
SHA25687b39184c8e610e7ef784651d735a6fb4d419516375b1b5beef4fec992426399
SHA5121438ef9890bc96a767055641764473848b8b8cc3c777efe5a1fd3ed8f0dd53bbfcc4f320e0203a5760d746f7a43affad3dfcbac6ec4f4b6c5e34149bf17fbc1d
-
Filesize
2.6MB
MD576dadbeb0cad33c4f85133bc35f9993c
SHA1c5d2c63a1f506b1bd264cedfe4e677ced1df03e9
SHA256ac600703275a0440671ae53c02c43167bcdc94e557c06d880ac8e311181f5510
SHA51223adb2d5e33ed5a834eb382e0f92aa924cf7fe31de204d5abddb3f622e389a37e6055118a870c9bf5a453e971754790b54640ac7295a68d75b40b5928618b31a
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
3.2MB
MD5acf48e01c1d4d71dbfde9e5a4b52c38c
SHA16950a4271a4e357e3309f553673849ff0d26e3c5
SHA2561d43eaa2b566d2111d938ef9617a65304db66158c4499d8b3a37db3d6607daa9
SHA5122013170dc32e9f9e9cc1dbbbc2e3f425a61511635eef161d56815d592537ecc7f0b11209e8d777f3d43cd5db548339d4dcae8d6e6c35ac2046e5936be4fc8299
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OP6W6K54O7M2FGTKM44U.temp
Filesize7KB
MD54a961d42952d6cdaed22947e6c9c481a
SHA159f27b5411b6e2008ae2393ad45eac699980a1da
SHA2568f1b6b67613e1e158e1bc85171b2f170862998314f7c5741be083e59d56a2aff
SHA512f9f33392b5caf5863070bc77ab251fbbfd012b149429e302a1fd39e9ad217871bf80a0df32948e9a0b16bc20af333e4539e8f0847749162bfc0fb41546039836
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5dad3f86d9e1c576a11637db8ac249e6f
SHA1178cac3c04f6a4300c946af238367a344252da86
SHA256d4e5c6022a1abde1a543d2dfda8a1aaded7268387d984d8cf7a5f827af0b30d0
SHA512b5a08b75aefe256a05e74fd3c10395e9a49088e1c164f7456e98659efb50c1322e1ce77a3fe993bdac519bdad5399ea4389f96ad36c420d0988a7e82532aae93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\41468be0-da59-43c0-8e01-0cfb71b6ca54
Filesize745B
MD5df8b236e8bf77446dda14275fd9ec4c7
SHA1c8b4300bbef2dd608f28b7beb403a8e047c5e444
SHA256df42a54610e76eb57219a4ed57955e2f56774d3ec8803b3046910647a057ced0
SHA512196e2bb54977e6ef124cc2aedcb6a8f496e1d7c79de5e8881cd721dc6fd45a20e7f369370d95e264636b5a2062520dac0fffd45abb2f01f2ab657b714d24a3d7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\datareporting\glean\pending_pings\c77ffa76-cc0c-4ce8-b7bb-3dc2a538b118
Filesize11KB
MD52e932761d36aa2f38dad2a8545db7d85
SHA1031b36d41f1e7924867db1f020d9fe23de5b96b1
SHA256ca28d3d77564c2ab275176d6bd319c93943e6d0d875bb7a3b02cc14130d532a8
SHA5123ae0072c50071955a873e8b1b55a5b2d7800eca39113b5c1f9d4d8b413aedde6bacae8171e1e7fbd4321834fdf9dd28942a2dc7412b4142915cb107382f74e1c
-
Filesize
6KB
MD5797665d00d0cadd42d9250a60e51bff7
SHA1576b71034cbcc9b381415d27ed2b579298e17aa4
SHA2562cdbf7f7706f9b9b4deeb371f2b62dde21981a54d04a3376a6f3d6673afd4316
SHA5124e98981562a83491f9000980fbee2add81a2b911e4033d4900ce3f37a0372df93c2eaf9ce368ec4847e60c42aecf73110b5c40e111f93a0d3e2597693a07b10d
-
Filesize
6KB
MD55aaa9c39c5390b1f6eb7c1c8ed7732fa
SHA120b8e82e7cf061c5eb5c253321994a06dd15adb8
SHA256dec7e8122287c4548e7a68d2fe4c13f18eee79bf72788e2ef5f3085e0d31f204
SHA51287bcf483c7170b8fabd3d25aca489458cc707a7ce5308c2f947fbb54349b05287175e8d3c10cbbc3bf05d1cb2393e1860aed1b9ca9599b744b630705379eb8b3
-
Filesize
6KB
MD5b4da89d52c4ff6cbc0d194c202eab972
SHA1f87a9969ce4cbe47f6bb837d146d57a23c06b8df
SHA256251920a97f2decc2c73f4d71e6c07b64e6c368425308133f8bff94a3198ba399
SHA512e6a61c03e8af547fdcdb1f252170168970cc5fff86431ab5b9c5a30541b231454994ce6e12194671da23c9795af2cda93e3cb3ea58f715f7eaf27f2bda8dc809
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD576639955e8a15d1ac0c0ed71fbf24b0b
SHA150f877825ef17d09dcd2534c7ef83f23bf7c153e
SHA256afed828eb02b4a34a5f2375e92ac72d768a456ff78453ab41d2e4a1d2270f3c5
SHA5121a3f4ec1551818e59086fb0c4e15cc57356757814bba26f7b9babbf004b7dc7295b0180333b49d821ba021e3d730073eb01eef0887f68c49f7b9a7d5f67dd2e4