Analysis
-
max time kernel
148s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 17:55
Static task
static1
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
f401f240c068bac2c47c4beb9446d2a0
-
SHA1
2e659821c32f600fe2715814e5d96ff0eac09eb4
-
SHA256
3ca467dad80a62f640093dcf65b29e413820c24288e3ac5dbfb4ca7639dd55d4
-
SHA512
aa400b23501496f81ae5e695ddc2ebf261750696ca141a884f783563138c0dbded303f3d095ebb9a2b1f458ef3c1facafb15729bb5353a8500c7e932e94dd608
-
SSDEEP
49152:DcKkpLBKiQ85dPY67Y3YwboNMxkaWNWtJ5jYh/:DcKkpLwhgdP4BMNMxkaWNWtJdY5
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://drive-connect.cyou/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 235f1b15ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 235f1b15ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 235f1b15ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 235f1b15ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 235f1b15ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 235f1b15ef.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9b502beb85.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0a3b60119a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 235f1b15ef.exe -
Renames multiple (8134) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9b502beb85.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0a3b60119a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 235f1b15ef.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9b502beb85.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0a3b60119a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 235f1b15ef.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmwin.vbs BlueMail.exe -
Executes dropped EXE 22 IoCs
pid Process 2860 skotes.exe 1636 4ZD5C3i.exe 2520 BlueMail.exe 5040 00b94efba0.exe 4028 9b502beb85.exe 4920 43113a0210.exe 4780 735fc0de56.exe 6100 0a3b60119a.exe 4360 235f1b15ef.exe 3568 fceb3fbcd0.exe 2872 7z.exe 6320 7z.exe 6492 7z.exe 6592 7z.exe 6864 7z.exe 7020 7z.exe 7148 7z.exe 6884 7z.exe 6992 in.exe 7544 42b1160850.exe 7860 42b1160850.exe 1976 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine 9b502beb85.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine 0a3b60119a.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine 235f1b15ef.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine file.exe -
Loads dropped DLL 43 IoCs
pid Process 2516 file.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 2860 skotes.exe 1712 WerFault.exe 1712 WerFault.exe 1712 WerFault.exe 1712 WerFault.exe 1712 WerFault.exe 2860 skotes.exe 5108 cmd.exe 2872 7z.exe 5108 cmd.exe 6320 7z.exe 5108 cmd.exe 6492 7z.exe 5108 cmd.exe 6592 7z.exe 5108 cmd.exe 6864 7z.exe 5108 cmd.exe 7020 7z.exe 5108 cmd.exe 7148 7z.exe 5108 cmd.exe 6884 7z.exe 5108 cmd.exe 5108 cmd.exe 2860 skotes.exe 2860 skotes.exe 7544 42b1160850.exe 4028 9b502beb85.exe 5752 taskeng.exe 5752 taskeng.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 235f1b15ef.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 235f1b15ef.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\735fc0de56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014882001\\735fc0de56.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\0a3b60119a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014883001\\0a3b60119a.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\235f1b15ef.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014884001\\235f1b15ef.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 4ZD5C3i.exe File opened (read-only) \??\Z: 4ZD5C3i.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000b000000020499-12465.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2516 file.exe 2860 skotes.exe 4028 9b502beb85.exe 6100 0a3b60119a.exe 4360 235f1b15ef.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 7544 set thread context of 7860 7544 42b1160850.exe 109 PID 1976 set thread context of 4792 1976 Intel_PTT_EK_Recertification.exe 117 -
resource yara_rule behavioral1/memory/6992-18945-0x000000013F8A0000-0x000000013FD30000-memory.dmp upx behavioral1/memory/1976-19214-0x000000013FD80000-0x0000000140210000-memory.dmp upx behavioral1/memory/1976-19225-0x000000013FD80000-0x0000000140210000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx 4ZD5C3i.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar 4ZD5C3i.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBTRAP.DLL 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00734_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR28F.GIF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css 4ZD5C3i.exe File created C:\Program Files\VideoLAN\VLC\locale\gl\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14565_.GIF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Amman 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7ge.kic 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvdummy_plugin.dll 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\amd64\jvm.cfg 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\1100.accdt 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll 4ZD5C3i.exe File created C:\Program Files\Microsoft Games\Minesweeper\ja-JP\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00172_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00542_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143752.GIF 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js 4ZD5C3i.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zx______.pfm 4ZD5C3i.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\README.TXT 4ZD5C3i.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297229.WMF 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png 4ZD5C3i.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\README.TXT 4ZD5C3i.exe File opened for modification C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui 4ZD5C3i.exe File opened for modification C:\Program Files\Java\jre7\lib\tzmappings 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEAWSDC.DLL 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02373_.WMF 4ZD5C3i.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYERHM.POC 4ZD5C3i.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1712 2520 WerFault.exe 37 -
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42b1160850.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 735fc0de56.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 235f1b15ef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9b502beb85.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fceb3fbcd0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0a3b60119a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4ZD5C3i.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 735fc0de56.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlueMail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 735fc0de56.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00b94efba0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42b1160850.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 43113a0210.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 7080 powershell.exe 4052 PING.EXE 4924 powershell.exe 5248 PING.EXE -
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 00b94efba0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 00b94efba0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 5628 timeout.exe -
Kills process with taskkill 10 IoCs
pid Process 2276 taskkill.exe 5016 taskkill.exe 5720 taskkill.exe 4972 taskkill.exe 2396 taskkill.exe 3288 taskkill.exe 2208 taskkill.exe 3412 taskkill.exe 6236 taskkill.exe 4404 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 00b94efba0.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 00b94efba0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 42b1160850.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 42b1160850.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 00b94efba0.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4052 PING.EXE 5248 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7060 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2516 file.exe 2860 skotes.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe 1636 4ZD5C3i.exe -
Suspicious use of AdjustPrivilegeToken 56 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 1636 4ZD5C3i.exe Token: SeBackupPrivilege 764 vssvc.exe Token: SeRestorePrivilege 764 vssvc.exe Token: SeAuditPrivilege 764 vssvc.exe Token: SeDebugPrivilege 2520 BlueMail.exe Token: SeDebugPrivilege 4972 taskkill.exe Token: SeDebugPrivilege 4404 taskkill.exe Token: SeDebugPrivilege 2396 taskkill.exe Token: SeDebugPrivilege 2276 taskkill.exe Token: SeDebugPrivilege 3288 taskkill.exe Token: SeDebugPrivilege 2520 BlueMail.exe Token: SeDebugPrivilege 4360 235f1b15ef.exe Token: SeDebugPrivilege 5052 firefox.exe Token: SeDebugPrivilege 5052 firefox.exe Token: SeDebugPrivilege 2208 taskkill.exe Token: SeDebugPrivilege 5016 taskkill.exe Token: SeDebugPrivilege 5720 taskkill.exe Token: SeDebugPrivilege 3412 taskkill.exe Token: SeRestorePrivilege 2872 7z.exe Token: 35 2872 7z.exe Token: SeSecurityPrivilege 2872 7z.exe Token: SeSecurityPrivilege 2872 7z.exe Token: SeDebugPrivilege 6236 taskkill.exe Token: SeRestorePrivilege 6320 7z.exe Token: 35 6320 7z.exe Token: SeSecurityPrivilege 6320 7z.exe Token: SeSecurityPrivilege 6320 7z.exe Token: SeRestorePrivilege 6492 7z.exe Token: 35 6492 7z.exe Token: SeSecurityPrivilege 6492 7z.exe Token: SeSecurityPrivilege 6492 7z.exe Token: SeRestorePrivilege 6592 7z.exe Token: 35 6592 7z.exe Token: SeSecurityPrivilege 6592 7z.exe Token: SeSecurityPrivilege 6592 7z.exe Token: SeRestorePrivilege 6864 7z.exe Token: 35 6864 7z.exe Token: SeSecurityPrivilege 6864 7z.exe Token: SeSecurityPrivilege 6864 7z.exe Token: SeRestorePrivilege 7020 7z.exe Token: 35 7020 7z.exe Token: SeSecurityPrivilege 7020 7z.exe Token: SeSecurityPrivilege 7020 7z.exe Token: SeRestorePrivilege 7148 7z.exe Token: 35 7148 7z.exe Token: SeSecurityPrivilege 7148 7z.exe Token: SeSecurityPrivilege 7148 7z.exe Token: SeRestorePrivilege 6884 7z.exe Token: 35 6884 7z.exe Token: SeSecurityPrivilege 6884 7z.exe Token: SeSecurityPrivilege 6884 7z.exe Token: SeDebugPrivilege 6480 firefox.exe Token: SeDebugPrivilege 6480 firefox.exe Token: SeDebugPrivilege 7080 powershell.exe Token: SeDebugPrivilege 4924 powershell.exe Token: SeLockMemoryPrivilege 4792 explorer.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 2516 file.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 5052 firefox.exe 5052 firefox.exe 5052 firefox.exe 5052 firefox.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 6480 firefox.exe 6480 firefox.exe 6480 firefox.exe 6480 firefox.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 5052 firefox.exe 5052 firefox.exe 5052 firefox.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 6480 firefox.exe 6480 firefox.exe 6480 firefox.exe 4780 735fc0de56.exe 4780 735fc0de56.exe 4780 735fc0de56.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2516 wrote to memory of 2860 2516 file.exe 30 PID 2516 wrote to memory of 2860 2516 file.exe 30 PID 2516 wrote to memory of 2860 2516 file.exe 30 PID 2516 wrote to memory of 2860 2516 file.exe 30 PID 2860 wrote to memory of 1636 2860 skotes.exe 32 PID 2860 wrote to memory of 1636 2860 skotes.exe 32 PID 2860 wrote to memory of 1636 2860 skotes.exe 32 PID 2860 wrote to memory of 1636 2860 skotes.exe 32 PID 2860 wrote to memory of 2520 2860 skotes.exe 37 PID 2860 wrote to memory of 2520 2860 skotes.exe 37 PID 2860 wrote to memory of 2520 2860 skotes.exe 37 PID 2860 wrote to memory of 2520 2860 skotes.exe 37 PID 2860 wrote to memory of 5040 2860 skotes.exe 39 PID 2860 wrote to memory of 5040 2860 skotes.exe 39 PID 2860 wrote to memory of 5040 2860 skotes.exe 39 PID 2860 wrote to memory of 5040 2860 skotes.exe 39 PID 2860 wrote to memory of 4028 2860 skotes.exe 40 PID 2860 wrote to memory of 4028 2860 skotes.exe 40 PID 2860 wrote to memory of 4028 2860 skotes.exe 40 PID 2860 wrote to memory of 4028 2860 skotes.exe 40 PID 2860 wrote to memory of 4920 2860 skotes.exe 41 PID 2860 wrote to memory of 4920 2860 skotes.exe 41 PID 2860 wrote to memory of 4920 2860 skotes.exe 41 PID 2860 wrote to memory of 4920 2860 skotes.exe 41 PID 2860 wrote to memory of 4780 2860 skotes.exe 42 PID 2860 wrote to memory of 4780 2860 skotes.exe 42 PID 2860 wrote to memory of 4780 2860 skotes.exe 42 PID 2860 wrote to memory of 4780 2860 skotes.exe 42 PID 5040 wrote to memory of 3280 5040 00b94efba0.exe 43 PID 5040 wrote to memory of 3280 5040 00b94efba0.exe 43 PID 5040 wrote to memory of 3280 5040 00b94efba0.exe 43 PID 5040 wrote to memory of 3280 5040 00b94efba0.exe 43 PID 4780 wrote to memory of 4972 4780 735fc0de56.exe 45 PID 4780 wrote to memory of 4972 4780 735fc0de56.exe 45 PID 4780 wrote to memory of 4972 4780 735fc0de56.exe 45 PID 4780 wrote to memory of 4972 4780 735fc0de56.exe 45 PID 3280 wrote to memory of 5628 3280 cmd.exe 47 PID 3280 wrote to memory of 5628 3280 cmd.exe 47 PID 3280 wrote to memory of 5628 3280 cmd.exe 47 PID 3280 wrote to memory of 5628 3280 cmd.exe 47 PID 2860 wrote to memory of 6100 2860 skotes.exe 48 PID 2860 wrote to memory of 6100 2860 skotes.exe 48 PID 2860 wrote to memory of 6100 2860 skotes.exe 48 PID 2860 wrote to memory of 6100 2860 skotes.exe 48 PID 4780 wrote to memory of 4404 4780 735fc0de56.exe 49 PID 4780 wrote to memory of 4404 4780 735fc0de56.exe 49 PID 4780 wrote to memory of 4404 4780 735fc0de56.exe 49 PID 4780 wrote to memory of 4404 4780 735fc0de56.exe 49 PID 4780 wrote to memory of 2396 4780 735fc0de56.exe 52 PID 4780 wrote to memory of 2396 4780 735fc0de56.exe 52 PID 4780 wrote to memory of 2396 4780 735fc0de56.exe 52 PID 4780 wrote to memory of 2396 4780 735fc0de56.exe 52 PID 4780 wrote to memory of 2276 4780 735fc0de56.exe 54 PID 4780 wrote to memory of 2276 4780 735fc0de56.exe 54 PID 4780 wrote to memory of 2276 4780 735fc0de56.exe 54 PID 4780 wrote to memory of 2276 4780 735fc0de56.exe 54 PID 4780 wrote to memory of 3288 4780 735fc0de56.exe 56 PID 4780 wrote to memory of 3288 4780 735fc0de56.exe 56 PID 4780 wrote to memory of 3288 4780 735fc0de56.exe 56 PID 4780 wrote to memory of 3288 4780 735fc0de56.exe 56 PID 4780 wrote to memory of 4828 4780 735fc0de56.exe 58 PID 4780 wrote to memory of 4828 4780 735fc0de56.exe 58 PID 4780 wrote to memory of 4828 4780 735fc0de56.exe 58 PID 4780 wrote to memory of 4828 4780 735fc0de56.exe 58 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 7028 attrib.exe 7044 attrib.exe 6976 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"C:\Users\Admin\AppData\Local\Temp\1014798001\4ZD5C3i.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Users\Admin\AppData\Local\Temp\1014844001\BlueMail.exe"C:\Users\Admin\AppData\Local\Temp\1014844001\BlueMail.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2520 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 6124⤵
- Loads dropped DLL
- Program crash
PID:1712
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014879001\00b94efba0.exe"C:\Users\Admin\AppData\Local\Temp\1014879001\00b94efba0.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1014879001\00b94efba0.exe" & rd /s /q "C:\ProgramData\FCBAAIW47GVA" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:5628
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014880001\9b502beb85.exe"C:\Users\Admin\AppData\Local\Temp\1014880001\9b502beb85.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4028
-
-
C:\Users\Admin\AppData\Local\Temp\1014881001\43113a0210.exe"C:\Users\Admin\AppData\Local\Temp\1014881001\43113a0210.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4920
-
-
C:\Users\Admin\AppData\Local\Temp\1014882001\735fc0de56.exe"C:\Users\Admin\AppData\Local\Temp\1014882001\735fc0de56.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2396
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:4828
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5052 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.0.1120961704\992631518" -parentBuildID 20221007134813 -prefsHandle 1264 -prefMapHandle 1256 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9798b69f-57bb-406f-9134-aa8c6d0e9867} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 1340 108dbe58 gpu6⤵PID:5452
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.1.1580182857\642417612" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3b6e65b-2c0c-43e2-aa92-95fc0304f129} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 1552 f5ebb58 socket6⤵PID:5264
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.2.1728248641\1071162819" -childID 1 -isForBrowser -prefsHandle 1812 -prefMapHandle 2152 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a709e5c-ca6e-4a54-b09f-3cbfda589b32} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 2188 1a217758 tab6⤵PID:4020
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.3.2040230931\1842816527" -childID 2 -isForBrowser -prefsHandle 2780 -prefMapHandle 2776 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dea2026b-0cf4-4407-8f9d-52d244031ac6} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 2792 1d953358 tab6⤵PID:3564
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.4.1477204521\1947847612" -childID 3 -isForBrowser -prefsHandle 1752 -prefMapHandle 3532 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2d4c69c-1ffa-4598-a3a9-24919e73efd4} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3784 1da61058 tab6⤵PID:5848
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.5.494547762\1019541256" -childID 4 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d10c7d41-5a63-4f90-bafa-30aa89ece507} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 3932 1da61658 tab6⤵PID:4328
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5052.6.1969840631\1076749206" -childID 5 -isForBrowser -prefsHandle 4112 -prefMapHandle 4116 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 572 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cd1f5b5-058e-4453-983c-ea5509b9f300} 5052 "\\.\pipe\gecko-crash-server-pipe.5052" 4100 1fcc8258 tab6⤵PID:1880
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2208
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3412
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6236
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:6424
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6480 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.0.1588579021\1663470216" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e648ca28-3860-4175-8ab3-6b0da7b2eb9e} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 1316 13cf8c58 gpu6⤵PID:7268
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.1.890865600\1045612239" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 21708 -prefMapSize 233496 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f534b59b-c34a-4662-9aa1-8fb3467ba9f3} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 1476 f2dd258 socket6⤵PID:2704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.2.244009678\530935150" -childID 1 -isForBrowser -prefsHandle 2220 -prefMapHandle 2216 -prefsLen 21746 -prefMapSize 233496 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c494303-e8bf-4bb9-89bd-cfdf70a39b0d} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 2232 196c6258 tab6⤵PID:5892
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.3.153447810\1104908444" -childID 2 -isForBrowser -prefsHandle 2712 -prefMapHandle 2708 -prefsLen 26216 -prefMapSize 233496 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef010fb6-215e-46dc-8848-17925cd0cb3f} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 2724 1c2c5558 tab6⤵PID:7688
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.4.996962515\943688808" -childID 3 -isForBrowser -prefsHandle 3792 -prefMapHandle 3808 -prefsLen 26275 -prefMapSize 233496 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6e226d2-6f30-42b3-b3c4-248564b3c8ee} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 3796 21a9b458 tab6⤵PID:3784
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.5.1998277273\963734298" -childID 4 -isForBrowser -prefsHandle 3928 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233496 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d1b49e4-31df-4f1f-8c43-6b372950db11} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 3916 21ccfa58 tab6⤵PID:3952
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6480.6.1035241437\727210689" -childID 5 -isForBrowser -prefsHandle 4100 -prefMapHandle 4104 -prefsLen 26275 -prefMapSize 233496 -jsInitHandle 636 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31088645-67db-48c8-a611-61c69e2309e4} 6480 "\\.\pipe\gecko-crash-server-pipe.6480" 4084 21ccf158 tab6⤵PID:4012
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014883001\0a3b60119a.exe"C:\Users\Admin\AppData\Local\Temp\1014883001\0a3b60119a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:6100
-
-
C:\Users\Admin\AppData\Local\Temp\1014884001\235f1b15ef.exe"C:\Users\Admin\AppData\Local\Temp\1014884001\235f1b15ef.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4360
-
-
C:\Users\Admin\AppData\Local\Temp\1014885001\fceb3fbcd0.exe"C:\Users\Admin\AppData\Local\Temp\1014885001\fceb3fbcd0.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3568 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
PID:5108 -
C:\Windows\system32\mode.commode 65,105⤵PID:6108
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2872
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6320
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6492
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6592
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6864
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:7020
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:7148
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:6884
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:6976
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:6992 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:7028
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:7044
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:7060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:7080 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4052
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1014886001\42b1160850.exe"C:\Users\Admin\AppData\Local\Temp\1014886001\42b1160850.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:7544 -
C:\Users\Admin\AppData\Local\Temp\1014886001\42b1160850.exe"C:\Users\Admin\AppData\Local\Temp\1014886001\42b1160850.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:7860
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
-
C:\Windows\system32\taskeng.exetaskeng.exe {10327B50-5AEF-4A6A-A577-8E56054C4DB4} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:5752 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1976 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4924 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5248
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Discovery
Peripheral Device Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
533B
MD581d185495b4e6430a87dfd37789bb872
SHA1b5da653f81a548c74205c7ae3d19f30af1a14271
SHA256838d654b9cb0360d8b3bb767db8fc1954fc41ba0a56fc34688aad9b50f5ddb40
SHA5121106c9c2245cbd44effb42e4e1365eb796d3b2390b011fb97205550bf183b097c489194aa001f97f949e9d1ed1c970eea6cbb0477da47511e5bc18e88bf2dfa5
-
Filesize
1KB
MD567e486b2f148a3fca863728242b6273e
SHA1452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5fe623f43907589dba2f5e2623a1f506d
SHA110584085cf5bbbbf1baa846664da63ec3b85f0e8
SHA256c5cfc19891a02f8c67fe41bd5646dd491295b02af8ae8883afa3dd3e41f7d898
SHA512e1a9a3123d9a0d9d73ffbb77eb9b5936a07f2900927d9e240b6d6449b9c9544990229bffd6d9be38795c1bbbe72a2f002bc17232635bc13ed3dc79d022fbe775
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54915912d7bf56307d23c8862d3302db7
SHA1368a39ddb3d6814c74ab3c81ddc11b5702588a8f
SHA256cc84df7706d92ca951e9d847712398e877efd1b1d54fdd9c0be2fb245e1610e7
SHA5123c604170cd2e4d505212b508ae7b01b021039181675de0c343a59898ddd39fac6efa00209bb687e7e559f19eb25425ed1804b04c099e0d0e531f06297d6b6870
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD51f73e42a5a518e4e61c7c2babeba7c92
SHA1f4da4dd207b48f8798082bd9f9f69410abe6eee8
SHA2566b51257bc83b83c829ab23519e2a3825b3ac9bd342390f97fc26162974762859
SHA512168b7f4b6d14f8482239a5b0f81df46a073f97e741dfff9d1586fbe6c9db559455e3f94c1ea56fe87bdc14af2bf08eda52984b8cf360ee9ee422ee89b35a0b67
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD54d0aa0ec41e38488237b66d568012a3b
SHA1f63eba0946507427c6868b89cd78b66e6bfa9c86
SHA2568709256c67ea57e3d8593b9e738e1d1cb2948febdc69c5dcab4373ee93f3eedf
SHA512afc9703407543ea0521188ca76db5bbc94f2e5973b99ed28528db0d3b7c949b7ab45f2ed578b3436de8e6d3e4fed414baae4357f846703b9b81cc0b7aa1163e6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\o97f221x.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
39B
MD5c2b1385b0ee636444a82abcfa02045b8
SHA10a00ba03a8762da0bbddb1c07b1670c3fd1f0e56
SHA25612221f5ea418cc152bc1f78e46748989707271b97154a84bbe3503537e95c772
SHA512b8fbc6d60ed1ceb1c25b3c5a666a94ad253be8b57d5d7bda045e618e2ec1d3883c6dbd33caa89dfe563b9f32e4f39b08c3409851777578ac2f0d6b8da07e0b8d
-
Filesize
1.1MB
MD542a8588cc82773cd223c42f8fe4be91a
SHA1e2ed3cda00140ecd445f5f742729d34f2c452c8c
SHA256d4521c34f489f4a6065dea15634df9bb700c84741f476bde1084d9cdfb373a7b
SHA512681e4b155ce1015723469bd819618b292844aa00f7dab447d9557e244792efcef5614f753283efe9dd76ea77b838af78a3e69008c380482a4412b1cea75c535d
-
Filesize
1.1MB
MD5d39986c91ee9d1291e85711894112178
SHA14e7926c5a6e837d4570427d324a151f7b39be88f
SHA256654a1585788a10801ec1ee583fe7cb1cb33d6d83d9a270ac03de4b3a03cb4c39
SHA5128c81bd154fe8ebccb2e15b97344110efc6e464828cb373c2b5c22f85b3eace3bbe9ed7a35e3039ff0d4b1c6c56e2bd44f559cdc515c599e2bf8cb322f8b64aad
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
1.8MB
MD5fe4e63699f62090a1bc0006ab3f7856c
SHA1c261667ac64fc9a2ce23a2aaff464052b781c0c5
SHA256c890656f9cdacb46f581181e6d80374a50c3c9bd5c82c88e8b497db40b9a8df4
SHA5120368067215a986ecde5c076c6c95b43aeb1b096cd4b8a904a015c80e3ddb0c129dfac7ba4b47a2ba7bac238f233e08d989dad6a60800126f8d2d6c484dceae17
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
943KB
MD5d99f0062878ea8743875ac2f12feb7d6
SHA16542d80c673484256410dde989845a36332fcc36
SHA256aa630a2548d2f2f3da9894ca88ffa6dad61536e9e8b4c6f2705e233d77601d11
SHA512126292fa98e5338258993b2440aec4a788eb12ca6034dffdd93fb1f26e0d1b0a4870fc257b5b6847850d0813c79a8a10da97d4dd6bdad0fa04c940e26e47a1d0
-
Filesize
1.7MB
MD5106c3e2370747ef310e8952fd337895c
SHA1aca138539a7db570756509b1133cc41dcb377e7d
SHA256dd031a3622218fba8626c8f91f82be355957e7913c55d296d8a5665bbdac9758
SHA512e2819d79d8ba23c5379129da2209be853585a75ba9737bbe3f15bfa106ade6ae2b52e87a69756d7d1d7cd2d6ff2fe2b5682a8ef87d5cc31d9b7d61624d8ec5fc
-
Filesize
2.7MB
MD5cfead48773e054892ca4ab92932c7c51
SHA144b4b44f27e3e39dbc3dfb5f97a4a50a4542fa84
SHA256f839c77e75c4e0b634f5d6f0e6b4e9cce39968a705469d986e62c65cf9e1fc6f
SHA512feab50774b88f29373cafaa721fb161efd32d958560c7e2d3d5007083776d63ecc5e89642c875b369aad19e469966a0a20eb883ebd6df0281909f8e4fbe923d8
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S8MCHNBQQ322B8VRME1M.temp
Filesize7KB
MD50dca9555160db88bb0b0fa7e4c655331
SHA165af55493de98131bff0a17d453878ac020a252f
SHA256ee2ee731a7b0ce4f9aad26e6b8d0537597fbbe3f024af73f6b731a6e6a6d7be7
SHA51242c383e9263bd6ee857f92b87c8b79802a5de5528f2faeb1a4bd83857f0942331b045c3b477d771565db64b0fe4820133a16cba6ef86b0666d9b33121e0918ef
-
Filesize
192KB
MD5a081504255607becff7c2164b201bb62
SHA12592c689de71c23f6927d1515eb9f190e17ee39d
SHA25656f33c5b7ce1902ee2546ea3342673ef192c5132778f13bccce198b83f3a22aa
SHA512a490bdf700bae5de0e6e6370ec70736e68de8b3a87c6e0d0fd84ba6c7865e287f9c9b4506648b98d415860f43f1eddbbd9dc04f9b9ef76ac2119f3a2bacb9787
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5b26c21381e40108d4ebe71d8f5afb1c2
SHA1678993f546ac6698c8690c3649ee2168c394766a
SHA256f4804214b27b56771d2e771dcf2cc8fe17ae01f1b6553a6bea98598011037ebb
SHA512f3eed984a4e2152d0d3fea5030897ffdee38acff2b670a75e8803d60469efeb8f9f9e56792dc24d0a1476836fbd00fb7a85ce3985adba8c522dbc765cc969cbb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD53d3a848184c82f0f6d918c6c98a1102e
SHA1390c92b18aa2af75febb0821451f8af8fb60f317
SHA25653b035a4a782adf9283b742667d3ae0012907768c8005847fe16d7e996463968
SHA512710bd90cbc8c81fda2be5bdc846903ddecad6100a045da902f1195d2e543aab9701b983809cb087748bc81659554a04716c098c09b0d5bcd25c37c946237a131
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\0576dcf2-22ca-4d1e-8211-43fad4a5f8a4
Filesize593B
MD5fe816b1c759856ffbb8c697f4ac3dcc6
SHA1dee26e8383c68e072289d6363c942a2c111da1da
SHA256ea0b3f4f3916fde74bcf95350248d2f29495b818b72ab12e14864f2b75143ab2
SHA512beecc260827b09bb865279745efa9309062b9a17f37e11374175b2a93a62f96183bd34e3be07a70d655b2ee1a2fd0fd7b4ae4f563fb5771b97f8295372a5bc9e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\8a2b2967-cb6b-427a-8ca2-ba4acc0acd81
Filesize3KB
MD514cc60c26ff61b81a9f392505c70a702
SHA13b8a0cbc6c85bd73762b074f44e5394564949fb6
SHA25624c197c51ca413a629472a2fd798e9298154e3d47949c226a663b90b5b3b88b3
SHA5128768de669672a36641aa3954c97b7530af18a88bbbb2af6b59e25d74585fdc0a0fe38e9c2ea7699b2bc342cbd8dc8d9054683b51a26cc766aeb3aa85cd8f19a2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\9b3b2890-0692-4e87-a32a-3da94b36dc66
Filesize656B
MD57f984446150c59728a461f17ada9fdf6
SHA160e4327f2099cb82661804de20b14804508becaa
SHA256256493fdb3be0aae22853ec8b4eace0585f88c732b56f61aad10d6d33ddfe93a
SHA5123a264ded9332d9f9ff93dc959db9812b2e9beb29ca6d1c8b78d3fe063ae082a3a043b9a626b259e3c629594fd58ff4f3237a8ac5b3c8a2be9fce9403191adee0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\datareporting\glean\pending_pings\dc1566ae-a4a5-4d30-b6e5-16109b8d6879
Filesize745B
MD521a7036e640e0007e9e369800ff5001d
SHA141306784e15cdc76483dc58e452cf00b4481c3f2
SHA256fa90845a487e39e6632ee63df7a537604972fbede9eb9305d75ca5d946eb1bae
SHA51214597fdb2c3f0d7a7071ec4477aa8cb6f1ef8175164844892a7c7f08640481e1237acae04c05ce75afe7bc5ac66f875a098e4c382f2734599ee7d7b2bfbc00e8
-
Filesize
6KB
MD519e04046c5917eaf97a6889d81a4a963
SHA149a9ab13fffe774132d58e057544919cc98a25b0
SHA256f2ae639cfe663f731f41f09adfc9f314c8595255b1a77c8b93c81e50b6dbb8f5
SHA512db0b89bfbf72178a9efdc796b844f2b0074800897b02579521762532b15673dae19187e0fea669ab118578ba4dfd0e33fe960cd432512ababf295612a85a4597
-
Filesize
6KB
MD5200186a92c6015eba8b994194c820982
SHA1a1a58ccccf3f2001592ca808829dfa39bec2c394
SHA2565cb9cf12814e19ad0387cdb78de615ffe14fae122b313f92f8e2b1be4a0e0d50
SHA512ca05d46117d7063d898d2bf96076f3905139ebf06fa251ce186e142754e9ca0fa6ca944bc0a9470365c49b1ba8eb5d2041fc4315c8a95fcac11244b0c7ce84b3
-
Filesize
6KB
MD504afed81ae068754c0aebd48a28f47e8
SHA10afc4754af8cd56ff322e4f002a3ba97324d2f00
SHA256c5afaa65a8add5fdda05ed36d9eb10c193483b4a244bdd1795d272754013dbe1
SHA512e8e960c474cf73eadc84d799ca8de8a82fe8e0899a17215fdb3407047834e4b940e528f9da5397c3595a60383a0c3f48dd98c90c96a52670cb68fcb5173ea2e3
-
Filesize
6KB
MD57ca01355a2c0f4a44ed45f2d74a29a3c
SHA11e46afea727478bd6d06afb5fd4a2b820434da67
SHA256213ff02a21fa55ff4172b413037e3e94375791bf0bea343af306f4e7c283db44
SHA512e17dc05323860e718ddb9874ea2dae7e8d6c270f3f4e957d630374761b90680d7f769393107f2b907585e4c48384cebedce828bd4892b7939ffcdbdb82c47879
-
Filesize
6KB
MD5a639bc6e892cb902e892681841a3c359
SHA181bda964d3822628e7adb671d14cbd52cfb1340c
SHA25628a4784a9a1e055b360f1187199be8d2c82bc9bba0488805db2484631d779c21
SHA51292b81e7899cd3ad58a4da3de07159281cfe16966213e0ead5e677d87146fe186a2dc11ef0b05c98a84975e06b3e6dbba1558cec1b8e192dfb44b175d273a8c60
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionCheckpoints.json.tmp
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionCheckpoints.json.tmp
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD507c6bd443bf2768bfb919152f06628ee
SHA1c7245435f7b78d82da61e69b039a8e3c0c3081ae
SHA2569248926795e64f6a7901bb088c2d396d178859465a37d15a00811361d86420fc
SHA512560e9f34b8998575d19c237497cf215da3afd0f6e2ded511eb9a441103c8acde4b0b18bfdaebcd93e51fed1dedb61dcb5b0335cba23a430a93b356a3062983d6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o97f221x.default-release\sessionstore-backups\recovery.jsonlz4
Filesize1KB
MD544895910dc7b07ca9be5682300271ea7
SHA13125923dc8d1d74b4c1b5c98c70b87dccc94b284
SHA256026ebadc64bb10cbb13e4565c92bfb18a35078b35cab106094be0122a865248b
SHA51253e19ed78c4d5195ae2946ad6b6261fd5ff17d1b4bf8c5279ee9f99c3c2643bc24cf74508fa5a5114f3799d161baa646c412ea7cdc9798c0b8623a6f25a55592
-
Filesize
3.1MB
MD5f401f240c068bac2c47c4beb9446d2a0
SHA12e659821c32f600fe2715814e5d96ff0eac09eb4
SHA2563ca467dad80a62f640093dcf65b29e413820c24288e3ac5dbfb4ca7639dd55d4
SHA512aa400b23501496f81ae5e695ddc2ebf261750696ca141a884f783563138c0dbded303f3d095ebb9a2b1f458ef3c1facafb15729bb5353a8500c7e932e94dd608
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628