Overview

overview

10

Static

static

3

14caca276f...1a.exe

windows7-x64

10

14caca276f...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14caca276f869dcc33a065b67a826a79c27cb0ec54407da220ed26cd045d941a.exe

  • Size

    2.9MB

  • MD5

    842e251ca1e3a812356248ebe8154f16

  • SHA1

    efb511d328cf0a7690e62cbb89adeebc07dddb3c

  • SHA256

    14caca276f869dcc33a065b67a826a79c27cb0ec54407da220ed26cd045d941a

  • SHA512

    2eaf72c87cda80fcc64463eda29ad62e21818bac52105af0b95c5504c935e7f480cba518575fad8f80d0748e11e41641063cb8b6e61da8584271e1068d7f3b74

  • SSDEEP

    49152:FfD0T39ZF8R21uPbS2fH/F9xcThPDf0x:FfD0TfFsquPbSQH/FncZI

Score
10/10
amadeylummastealc9c9aa5stokcredential_accessdiscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://drive-connect.cyou/api

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
    evasion
  • Downloads MZ/PE file
  • Uses browser remote debugging 2 TTPs 9 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks BIOS information in registry 2 TTPs 28 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 27 IoCs
  • Identifies Wine through registry keys 2 TTPs 14 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 10 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 13 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3028
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:5692
    • C:\Users\Admin\AppData\Local\Temp\14caca276f869dcc33a065b67a826a79c27cb0ec54407da220ed26cd045d941a.exe
      "C:\Users\Admin\AppData\Local\Temp\14caca276f869dcc33a065b67a826a79c27cb0ec54407da220ed26cd045d941a.exe"
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Users\Admin\AppData\Local\Temp\1016419001\74fa48058c.exe
          "C:\Users\Admin\AppData\Local\Temp\1016419001\74fa48058c.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3392
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /Query /TN "74fa48058c"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:6720
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "74fa48058c" /tr "C:\Users\Admin\AppData\Local\Temp\1016419001\74fa48058c.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:6784
          • C:\Windows\SysWOW64\attrib.exe
            "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\1016419001\74fa48058c.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:7012
        • C:\Users\Admin\AppData\Local\Temp\1016421001\d13c340ca8.exe
          "C:\Users\Admin\AppData\Local\Temp\1016421001\d13c340ca8.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Users\Admin\AppData\Local\Temp\5FJ2OSNE57ERDOWNGN4RLX5L4R.exe
            "C:\Users\Admin\AppData\Local\Temp\5FJ2OSNE57ERDOWNGN4RLX5L4R.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Windows security modification
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1864
          • C:\Users\Admin\AppData\Local\Temp\FQ35KQ4XQ20DXPX1V6RD8JTOZ1SA9E9.exe
            "C:\Users\Admin\AppData\Local\Temp\FQ35KQ4XQ20DXPX1V6RD8JTOZ1SA9E9.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5328
        • C:\Users\Admin\AppData\Local\Temp\1016422001\b508674291.exe
          "C:\Users\Admin\AppData\Local\Temp\1016422001\b508674291.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5052
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
            4⤵
            • Uses browser remote debugging
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:1600
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff8aeccc40,0x7fff8aeccc4c,0x7fff8aeccc58
              5⤵
                PID:3828
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1656 /prefetch:2
                5⤵
                  PID:4996
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
                  5⤵
                    PID:2840
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2252 /prefetch:8
                    5⤵
                      PID:3664
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:2768
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:3776
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
                      5⤵
                      • Uses browser remote debugging
                      PID:872
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
                      5⤵
                        PID:5264
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,15317040072809942458,3394730497276011238,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:8
                        5⤵
                          PID:5568
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
                        4⤵
                        • Uses browser remote debugging
                        • Enumerates system info in registry
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                        • Suspicious use of FindShellTrayWindow
                        PID:2700
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff885646f8,0x7fff88564708,0x7fff88564718
                          5⤵
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          • Suspicious behavior: EnumeratesProcesses
                          PID:6080
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
                          5⤵
                            PID:2348
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
                            5⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3772
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
                            5⤵
                              PID:1564
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
                              5⤵
                              • Uses browser remote debugging
                              PID:1676
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
                              5⤵
                              • Uses browser remote debugging
                              PID:3600
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
                              5⤵
                              • Uses browser remote debugging
                              PID:5688
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
                              5⤵
                              • Uses browser remote debugging
                              PID:3640
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
                              5⤵
                                PID:1724
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
                                5⤵
                                  PID:5856
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2636 /prefetch:2
                                  5⤵
                                    PID:5800
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3468 /prefetch:2
                                    5⤵
                                      PID:3420
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2200 /prefetch:2
                                      5⤵
                                        PID:3984
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3416 /prefetch:2
                                        5⤵
                                          PID:3432
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15433766494620231515,9116880127133766522,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3448 /prefetch:2
                                          5⤵
                                            PID:6416
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\BAECFCAAEC.exe"
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:7072
                                          • C:\Users\Admin\Documents\BAECFCAAEC.exe
                                            "C:\Users\Admin\Documents\BAECFCAAEC.exe"
                                            5⤵
                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                            • Checks BIOS information in registry
                                            • Executes dropped EXE
                                            • Identifies Wine through registry keys
                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                            • System Location Discovery: System Language Discovery
                                            PID:6820
                                      • C:\Users\Admin\AppData\Local\Temp\1016423001\329356ee69.exe
                                        "C:\Users\Admin\AppData\Local\Temp\1016423001\329356ee69.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:4280
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM firefox.exe /T
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5160
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM chrome.exe /T
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5652
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM msedge.exe /T
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5716
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM opera.exe /T
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5784
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /F /IM brave.exe /T
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5848
                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                          "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
                                          4⤵
                                            PID:5912
                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                              "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
                                              5⤵
                                              • Checks processor information in registry
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              • Suspicious use of SetWindowsHookEx
                                              PID:5928
                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cfc0edb-e282-4907-91a0-ebe1ca58e434} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" gpu
                                                6⤵
                                                  PID:6100
                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {264a90f6-e35e-4869-8685-22ce0468c7d2} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" socket
                                                  6⤵
                                                    PID:5152
                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3244 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b042414b-8891-4f69-ae4d-5bb2efaaf3e5} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" tab
                                                    6⤵
                                                      PID:5368
                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3956 -childID 2 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b908d96f-03bb-44b4-b870-c1e39dff445d} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" tab
                                                      6⤵
                                                        PID:5636
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4684 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4704 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {459c58ab-2063-468f-ad45-390f71bfa8f5} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" utility
                                                        6⤵
                                                        • Checks processor information in registry
                                                        PID:5824
                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -childID 3 -isForBrowser -prefsHandle 5308 -prefMapHandle 5304 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b952e5d-52f0-4c16-9f16-82e4a3bfe0b4} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" tab
                                                        6⤵
                                                          PID:5000
                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5544 -prefMapHandle 5320 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f4904a-dfce-4502-899b-32d52399afb6} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" tab
                                                          6⤵
                                                            PID:1304
                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91f35c02-4436-4f9c-9747-7352306917d6} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" tab
                                                            6⤵
                                                              PID:2240
                                                      • C:\Users\Admin\AppData\Local\Temp\1016424001\80aadd622e.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1016424001\80aadd622e.exe"
                                                        3⤵
                                                        • Modifies Windows Defender Real-time Protection settings
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Windows security modification
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1004
                                                      • C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        PID:1948
                                                        • C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          PID:6512
                                                        • C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe"
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          PID:6524
                                                      • C:\Users\Admin\AppData\Local\Temp\1016426001\6d565d51f4.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1016426001\6d565d51f4.exe"
                                                        3⤵
                                                        • Enumerates VirtualBox registry keys
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        PID:6756
                                                      • C:\Users\Admin\AppData\Local\Temp\1016427001\4f9b7e23f8.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1016427001\4f9b7e23f8.exe"
                                                        3⤵
                                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        PID:6168
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 6168 -s 568
                                                          4⤵
                                                          • Program crash
                                                          PID:5456
                                                      • C:\Users\Admin\AppData\Local\Temp\1016428001\9d4b67f2d2.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1016428001\9d4b67f2d2.exe"
                                                        3⤵
                                                        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                        • Checks BIOS information in registry
                                                        • Executes dropped EXE
                                                        • Identifies Wine through registry keys
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • System Location Discovery: System Language Discovery
                                                        PID:6836
                                                      • C:\Users\Admin\AppData\Local\Temp\1016429001\829fe6d5c8.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\1016429001\829fe6d5c8.exe"
                                                        3⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        PID:6392
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
                                                          4⤵
                                                            PID:1992
                                                            • C:\Windows\system32\mode.com
                                                              mode 65,10
                                                              5⤵
                                                                PID:4512
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e file.zip -p24291711423417250691697322505 -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1668
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_7.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3544
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_6.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5088
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_5.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4836
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_4.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5700
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_3.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5072
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_2.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5420
                                                              • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                                7z.exe e extracted/file_1.zip -oextracted
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5376
                                                              • C:\Windows\system32\attrib.exe
                                                                attrib +H "in.exe"
                                                                5⤵
                                                                • Views/modifies file attributes
                                                                PID:5372
                                                              • C:\Users\Admin\AppData\Local\Temp\main\in.exe
                                                                "in.exe"
                                                                5⤵
                                                                • Executes dropped EXE
                                                                PID:5452
                                                                • C:\Windows\SYSTEM32\attrib.exe
                                                                  attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                  6⤵
                                                                  • Views/modifies file attributes
                                                                  PID:5480
                                                                • C:\Windows\SYSTEM32\attrib.exe
                                                                  attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
                                                                  6⤵
                                                                  • Views/modifies file attributes
                                                                  PID:5488
                                                                • C:\Windows\SYSTEM32\schtasks.exe
                                                                  schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
                                                                  6⤵
                                                                  • Scheduled Task/Job: Scheduled Task
                                                                  PID:5464
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell ping 127.0.0.1; del in.exe
                                                                  6⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:6208
                                                                  • C:\Windows\system32\PING.EXE
                                                                    "C:\Windows\system32\PING.EXE" 127.0.0.1
                                                                    7⤵
                                                                    • System Network Configuration Discovery: Internet Connection Discovery
                                                                    • Runs ping.exe
                                                                    PID:2404
                                                      • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                                                        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                                                        1⤵
                                                          PID:3408
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                                                          1⤵
                                                            PID:5336
                                                          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                            1⤵
                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                            • Checks BIOS information in registry
                                                            • Executes dropped EXE
                                                            • Identifies Wine through registry keys
                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            PID:5816
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6168 -ip 6168
                                                            1⤵
                                                              PID:2176
                                                            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                              C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                              1⤵
                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                              • Checks BIOS information in registry
                                                              • Executes dropped EXE
                                                              • Identifies Wine through registry keys
                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                              PID:5584

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Reconnaissance

                                                            Resource Development

                                                            Initial Access

                                                            Execution

                                                            Scheduled Task/Job

                                                            1
                                                            T1053

                                                            Scheduled Task

                                                            1
                                                            T1053.005

                                                            Persistence

                                                            Boot or Logon Autostart Execution

                                                            1
                                                            T1547

                                                            Registry Run Keys / Startup Folder

                                                            1
                                                            T1547.001

                                                            Create or Modify System Process

                                                            1
                                                            T1543

                                                            Windows Service

                                                            1
                                                            T1543.003

                                                            Modify Authentication Process

                                                            1
                                                            T1556

                                                            Scheduled Task/Job

                                                            1
                                                            T1053

                                                            Scheduled Task

                                                            1
                                                            T1053.005

                                                            Privilege Escalation

                                                            Boot or Logon Autostart Execution

                                                            1
                                                            T1547

                                                            Registry Run Keys / Startup Folder

                                                            1
                                                            T1547.001

                                                            Create or Modify System Process

                                                            1
                                                            T1543

                                                            Windows Service

                                                            1
                                                            T1543.003

                                                            Scheduled Task/Job

                                                            1
                                                            T1053

                                                            Scheduled Task

                                                            1
                                                            T1053.005

                                                            Defense Evasion

                                                            Hide Artifacts

                                                            1
                                                            T1564

                                                            Hidden Files and Directories

                                                            1
                                                            T1564.001

                                                            Impair Defenses

                                                            2
                                                            T1562

                                                            Disable or Modify Tools

                                                            2
                                                            T1562.001

                                                            Modify Authentication Process

                                                            1
                                                            T1556

                                                            Modify Registry

                                                            3
                                                            T1112

                                                            Virtualization/Sandbox Evasion

                                                            3
                                                            T1497

                                                            Credential Access

                                                            Credentials from Password Stores

                                                            1
                                                            T1555

                                                            Credentials from Web Browsers

                                                            1
                                                            T1555.003

                                                            Modify Authentication Process

                                                            1
                                                            T1556

                                                            Steal Web Session Cookie

                                                            1
                                                            T1539

                                                            Unsecured Credentials

                                                            5
                                                            T1552

                                                            Credentials In Files

                                                            5
                                                            T1552.001

                                                            Discovery

                                                            Browser Information Discovery

                                                            1
                                                            T1217

                                                            Query Registry

                                                            9
                                                            T1012

                                                            Remote System Discovery

                                                            1
                                                            T1018

                                                            System Information Discovery

                                                            5
                                                            T1082

                                                            System Location Discovery

                                                            1
                                                            T1614

                                                            System Language Discovery

                                                            1
                                                            T1614.001

                                                            System Network Configuration Discovery

                                                            1
                                                            T1016

                                                            Internet Connection Discovery

                                                            1
                                                            T1016.001

                                                            Virtualization/Sandbox Evasion

                                                            3
                                                            T1497

                                                            Lateral Movement

                                                            Collection

                                                            Data from Local System

                                                            4
                                                            T1005

                                                            Command and Control

                                                            Exfiltration

                                                            Impact

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\ProgramData\mozglue.dll
                                                              Filesize

                                                              593KB

                                                              MD5

                                                              c8fd9be83bc728cc04beffafc2907fe9

                                                              SHA1

                                                              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

                                                              SHA256

                                                              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

                                                              SHA512

                                                              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

                                                              Download Submit

                                                            • C:\ProgramData\nss3.dll
                                                              Filesize

                                                              2.0MB

                                                              MD5

                                                              1cc453cdf74f31e4d913ff9c10acdde2

                                                              SHA1

                                                              6e85eae544d6e965f15fa5c39700fa7202f3aafe

                                                              SHA256

                                                              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

                                                              SHA512

                                                              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                                              Filesize

                                                              2B

                                                              MD5

                                                              d751713988987e9331980363e24189ce

                                                              SHA1

                                                              97d170e1550eee4afc0af065b78cda302a97674c

                                                              SHA256

                                                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                              SHA512

                                                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
                                                              Filesize

                                                              686B

                                                              MD5

                                                              11ba66350db94bb12244203833aeaee3

                                                              SHA1

                                                              505bf04147a5f9ae50870ea80f93b0ed74b36ce0

                                                              SHA256

                                                              c8ec43a4c86bdf852ed0962ff3c9e2ac86769845089a221cad4f10c2381c353f

                                                              SHA512

                                                              b8c0cce65738340008de591843fd6521ed4c71a1218c75650e9c9a493fbe1c676ef67ed8a23117d8c5e5f8970c9c2ef6e4527573415e86c2e2737c5ef53b764d

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
                                                              Filesize

                                                              954B

                                                              MD5

                                                              1bb81e4195586e742f75c2a52338c645

                                                              SHA1

                                                              211df7b88a0099b4fee1c68b43ca3250b92f3098

                                                              SHA256

                                                              4e2b2c5c2bc765754d48d3d05dd8a299b274f82beb2efb6f8c97bed8256d367b

                                                              SHA512

                                                              e989511eaf6eb616a08ac89c9fefe44826119e3361d315127167734cd25ad5db8a3f253b7527292da38fb30539f2bc61a53537d000c82fdbf698ef44b2b7ea7e

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\29602c40-8195-4d96-8acd-3fe428aa003b.dmp
                                                              Filesize

                                                              838KB

                                                              MD5

                                                              9f9cee8b953a8565fd05fe446f739164

                                                              SHA1

                                                              53f413d52039d0c331da5aebfa129e5d548baf6c

                                                              SHA256

                                                              1a36a8cbfcf4b9c8a0d7247029e2b47c3e26eb92250963c6bd333f76de3b090b

                                                              SHA512

                                                              d9fc54dfefd27de3a96228ae3a2a70efbb74da8528f2ef052ba62c343422a216631ab97be03a77fdb33d548863055dd9ea7c3a4c17db2fb0d3c8c6fc00421982

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\3f1f9e96-e147-4501-835f-7acb9271f5b3.dmp
                                                              Filesize

                                                              830KB

                                                              MD5

                                                              9f15c36c66657d63c233ce33a1545c5a

                                                              SHA1

                                                              d2db2ae301ae017e0d32fb528bc718bb157a0492

                                                              SHA256

                                                              6a87c3dc1d409ff950f68b1967505d4e211abe8e64381d2dc0a917217cf6144e

                                                              SHA512

                                                              2bad1398260fd62153b98ff1ddaa38e9b78ffdd30b326d1428bbf07278394ae95f34a5598ac1cbad3125cf346260af2bd90ebbbb8c814fe09abf21f179b0296a

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7aef6733-7a66-4a3d-9b87-5be86c54bb41.dmp
                                                              Filesize

                                                              838KB

                                                              MD5

                                                              6a475cc38a634b76d3aa426dde5e562c

                                                              SHA1

                                                              128f503f8c54d1a7af567478b1207284752eeeb9

                                                              SHA256

                                                              d7e2ff074a8fa6ba0a70d218ce8c3004ab1a30a0608219f5f18ff5e5e1d5c940

                                                              SHA512

                                                              79e04be9e1ce1507f7ab2298e48f9457145ba1a8f1e7c4ef4996c3291cdbd09dc6064beb34a6679050eff0abeab28253b9d63fbce8800269bb641fc18ad04492

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\831d9428-1640-4c47-af80-804247b88811.dmp
                                                              Filesize

                                                              839KB

                                                              MD5

                                                              50d285ac2e74d0bd726e07510ad2582e

                                                              SHA1

                                                              e653e16473fc744531f0a001a11227eeaaaaf672

                                                              SHA256

                                                              a38d8bba69de52c06d0ce6b98b77cff02371fe5c02c0d830094fb54fb6d2e715

                                                              SHA512

                                                              c639028529a094a4bb4d383e10fb057483f5bce6f9092a7a19af7640e13b7274c1e8a9e0522af6e18c70d7a0d01e049ff29cf56a3692b7b0d016b5543681f855

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8cbc634e-6f99-423b-aa1d-2916d07d9750.dmp
                                                              Filesize

                                                              826KB

                                                              MD5

                                                              be89ec4f877821e5d320d1f983519523

                                                              SHA1

                                                              de4246e6ff5b09a27898c14b721da561c9b11947

                                                              SHA256

                                                              cb3c4f22072318e3c4e818a4caa568150f38685157342c629173d7a0801730fe

                                                              SHA512

                                                              93be0343ae0cea66302b9e52739e34e0cd72222dd4e324f93935619e4c39eb1568af8d4a162eaeabc47741c6a13c1a83960164bef1f35d92c38e8c99e0e08804

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ce6c538a-9e98-4991-b312-bdb17d7798fd.dmp
                                                              Filesize

                                                              826KB

                                                              MD5

                                                              1898f056c002bcf979d46bb17c356faf

                                                              SHA1

                                                              5efca8b57597d2b84a3ef61a0e5754bcb311b546

                                                              SHA256

                                                              fa77fcad9cbcb32de396eee0f224c24f39ffe3d847986444649cfd708752210d

                                                              SHA512

                                                              1dc3742995e060d4b6c0e6a4bd9aedc210eca07009e5bd840f2a28fcec86dce7ab81a6bc242de39aa1543ec9f74cf8633e6307ead6990f3787eba0f9739796f2

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d54a5968-0cfa-467a-99c6-c40f8b40d6ab.dmp
                                                              Filesize

                                                              830KB

                                                              MD5

                                                              3fa65833cb1fcc707bb08df44f915f24

                                                              SHA1

                                                              2057e8910e6d0fbfbe0f31f248b61257102a1701

                                                              SHA256

                                                              f4b55a2b3592e30f13c5120fd034e463fe616c3e3825c233356a23582e4db924

                                                              SHA512

                                                              519e163c15e88da554f811c27fb6d66d0a15f4338e045ca0ba8e95495c9b32a39e227073a0f3d9e7e84b44ada297f4d8f4495422f9496e7609dcb555b05aae01

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              7de1bbdc1f9cf1a58ae1de4951ce8cb9

                                                              SHA1

                                                              010da169e15457c25bd80ef02d76a940c1210301

                                                              SHA256

                                                              6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

                                                              SHA512

                                                              e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              85ba073d7015b6ce7da19235a275f6da

                                                              SHA1

                                                              a23c8c2125e45a0788bac14423ae1f3eab92cf00

                                                              SHA256

                                                              5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

                                                              SHA512

                                                              eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              ea1e405421aa99f90783f2d59b9da33f

                                                              SHA1

                                                              a3d97e741902ba4f780ecf9ab6119f7ee3e2ae7b

                                                              SHA256

                                                              c93010290e704079caea4730c192bc58759c772514236b676b0d0f5dd7641a43

                                                              SHA512

                                                              fd996e85217c99e7fa6ca8cebabc25ac275dccc67d40a5af3c149b3b06a1b556aba50abedf5087b738f54ff7b6cb016a3f5c6dbb74a5405abab886c47d0f6de3

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              cd2563e5f48acd1fb28a90fd369a3512

                                                              SHA1

                                                              915503ac583c0727bb305837b9be8d2f85c7ff07

                                                              SHA256

                                                              418cf1efab4f0b044fa6827d01ff7aa1c2c3ba6c8146e54189dfbfe1505003be

                                                              SHA512

                                                              f52c6edd31c780d1bc315fe76bb07b932ebab6ab7609ef8e4df33b9c08b489b4bc115ea70a08f6b175492a2767bec9e156b1e56972ddab42601ad4a3f0be1439

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                              Filesize

                                                              152B

                                                              MD5

                                                              b58c5ee2192f99210ca9a1dc8eb6b07a

                                                              SHA1

                                                              bc01a981a3ab6d62ea6c76f066bb8cbd7e133e81

                                                              SHA256

                                                              4e59cebc1abfecb11676074674002da43f3b42af4a888d6f20fc14aacd4a50b1

                                                              SHA512

                                                              8a879700e9d7bd321713a3dc5028ecd6a1f5556db75a8b82cd58e9c66ea4114159b13d92f366a598fb2312932a6a076b2ea3c7b02e73b5a069df11ae8897693e

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                              Filesize

                                                              5KB

                                                              MD5

                                                              9ac6cd43f6c12a44a02204d30ae6f0e9

                                                              SHA1

                                                              dfba35254f2d35c99f32ec074aad2c7a499da957

                                                              SHA256

                                                              374f865beaca2d6ca1a77e3931c46c6a870643182ff15c405732467cc031ad92

                                                              SHA512

                                                              7f0e4575174e2512a0a3070d67fd4fe879df9f6ef501f38c66c4010bb42291f632fb0b50416d5d1e21b66a30324cba3fb12a0dfbf35df08215e76bbac9815b03

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                                              Filesize

                                                              264KB

                                                              MD5

                                                              f50f89a0a91564d0b8a211f8921aa7de

                                                              SHA1

                                                              112403a17dd69d5b9018b8cede023cb3b54eab7d

                                                              SHA256

                                                              b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                                              SHA512

                                                              bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
                                                              Filesize

                                                              27KB

                                                              MD5

                                                              acde5b1a3972909ade44f722c047ac03

                                                              SHA1

                                                              ccc0e2f55dc961bc04025eca0c32537d629dd652

                                                              SHA256

                                                              6b6d834fab0f981d55e75432655f3622ad0f37d5952a2c49bbca2ac210cb3c29

                                                              SHA512

                                                              903171a953486dbb24c63c875ea0382a7a40a1da903e8852c749ab83bda5a6f14dfcd10912930e1d3e0ee9130f8912150643690c31df37e81c91a20b96fc8e8b

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
                                                              Filesize

                                                              13KB

                                                              MD5

                                                              30e1a33fd34693da9b48f2298cc0acc9

                                                              SHA1

                                                              c4200feac3887e8adc8829de5b1e614188a4328c

                                                              SHA256

                                                              b87645c073e012d0f209972e29b93d96d27558375ee203befd350363dd912bb0

                                                              SHA512

                                                              48b450727fd54a4e2788b814acac1dfe5671b05dec000d42fe53a78ec5a8f3d787f20c7339a69d659ddebbf0c71d0f8099f6eef9f6b70a68772583ef9381fd0f

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                                                              Filesize

                                                              15KB

                                                              MD5

                                                              96c542dec016d9ec1ecc4dddfcbaac66

                                                              SHA1

                                                              6199f7648bb744efa58acf7b96fee85d938389e4

                                                              SHA256

                                                              7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                                                              SHA512

                                                              cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016419001\74fa48058c.exe
                                                              Filesize

                                                              1.7MB

                                                              MD5

                                                              d37dab4c59e707f632bb0b91eaa87ff9

                                                              SHA1

                                                              0e153debcf54805a0543646620511b57865d6fc9

                                                              SHA256

                                                              375a067be10250dc045ea14025444ad7ec0662cf189abbbd393e6f7ffe85b35d

                                                              SHA512

                                                              0ae81abbe56f0a20c8066c52672d969c962a20b19c7e7165b12c7b16a4f0681c4f96ce2cedde50ade5975ced262d581fc99d0947c188cec847c8a82eb85bc0ae

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016421001\d13c340ca8.exe
                                                              Filesize

                                                              1.8MB

                                                              MD5

                                                              d073c81fa7efa78361d0f880f49031a2

                                                              SHA1

                                                              88e81f5078cb78a81fa8d6a0acb4854a365eda25

                                                              SHA256

                                                              14887424606b4bca301a295257743f66d9f9a0dd10ca87649ab98e9e4451a16e

                                                              SHA512

                                                              a7bd5a0d57b1c86302b1e1c5eb84b47a5b6c5762153637f97c064a8055652197050c31f53b2848df1983310494ebd0755878eb25d46cf8df2a8562791582f272

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016422001\b508674291.exe
                                                              Filesize

                                                              2.7MB

                                                              MD5

                                                              1eb268dfe52d4541037838207c51d19f

                                                              SHA1

                                                              35264d064730fa9d7d4b53183a5fb9e97912a8a7

                                                              SHA256

                                                              bfa216d2edc6a8b5230cf4d89231f3ee36decad422a7b8b8565fa232dc3bf89b

                                                              SHA512

                                                              ed2e878a5cf58e0ec74d3bf8b20a35531cc7dea31a590737f40a6fef1aea8f7903d592fb25a870482110f10d225051e8724bcb57a9d3aca388c8bde5f0fa6146

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016423001\329356ee69.exe
                                                              Filesize

                                                              942KB

                                                              MD5

                                                              c002c0ba34cf15a5c360f69f556746c2

                                                              SHA1

                                                              70270b55c0826fd7c83b985bb15523514fac1a3f

                                                              SHA256

                                                              a369a5e6353c652f40338d8112b61d4360c2791b93aa974c83307bf73fe4d642

                                                              SHA512

                                                              75bd5235e0f9fe3ab8409a7dd7468ac2eeb22c057ea859d8db6630b018710a9f33ca41dc2d7f255deba5e96bbfe14625a95942c0d2f63ea36afb06b59b6168a6

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016425001\ee530e70ac.exe
                                                              Filesize

                                                              710KB

                                                              MD5

                                                              28e568616a7b792cac1726deb77d9039

                                                              SHA1

                                                              39890a418fb391b823ed5084533e2e24dff021e1

                                                              SHA256

                                                              9597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2

                                                              SHA512

                                                              85048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016426001\6d565d51f4.exe
                                                              Filesize

                                                              4.3MB

                                                              MD5

                                                              9bd5b9ceba49c19a9c2f80c23279d441

                                                              SHA1

                                                              58f855a1fd2fba52a9dab57da4b762e9620e437d

                                                              SHA256

                                                              ede017ad6960a447c0f2337c5bee277d1ce62ee31fb9685e5a2a4628f0e6b31f

                                                              SHA512

                                                              5a643d4afcd9eed9b2423256871c9d2859e14f5e8a36f6c8641efd95dfab5f86b82cbf2c1be32b85a954ce84c970e792759a5d29b7bb5d6bcdaa8a9e30a73f9a

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016427001\4f9b7e23f8.exe
                                                              Filesize

                                                              1.9MB

                                                              MD5

                                                              129e9d731c27f28d25a824fecd066e54

                                                              SHA1

                                                              c42fb09e9dbbb309db3a30deecf9a0edd285e7a1

                                                              SHA256

                                                              0186a9725d8a17443751c82eee6683e68637fe4fd6f041f5d5855e6d8bd5ec47

                                                              SHA512

                                                              a243cc3e7fd661bc37f90165f8494d45edb1a038e2e56513c256d1666d901298992d42390baed8c18f1ea68ac5400a8d2da9c25e49fc89315b6a2ae07e96f6fb

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016428001\9d4b67f2d2.exe
                                                              Filesize

                                                              1.8MB

                                                              MD5

                                                              fd17d712c627b434e99749cfc82c7d51

                                                              SHA1

                                                              bf00a1fe4d9efc63e963751201a383bf9df7d25e

                                                              SHA256

                                                              af8729a17698880e54e9f23b48e6b68d73672179f58868c201c8cf54d1a578bc

                                                              SHA512

                                                              b3f56a4457df967d9355f42316e8332813c46003b4d2e216fbabded7edcddcbefc72ee01fd706722cf81e2fb3e0986c31358a22270f7b36106e77a88b6c25c85

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\1016429001\829fe6d5c8.exe
                                                              Filesize

                                                              4.2MB

                                                              MD5

                                                              3a425626cbd40345f5b8dddd6b2b9efa

                                                              SHA1

                                                              7b50e108e293e54c15dce816552356f424eea97a

                                                              SHA256

                                                              ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1

                                                              SHA512

                                                              a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\5FJ2OSNE57ERDOWNGN4RLX5L4R.exe
                                                              Filesize

                                                              1.6MB

                                                              MD5

                                                              a78f80e6511f7c2763128897866f9c9d

                                                              SHA1

                                                              dfce44230a08bf7bc983dbca64d0630cbc6ff9ca

                                                              SHA256

                                                              6066b498bce43d72cdc0a3a3850001653a74fb3c5d5b92377e9f2798e6e15257

                                                              SHA512

                                                              bbcfc834836306282d85831d5192ba09f8db55d94e2b7f167971b0530d156626b1c6f7c90c1a4dc2863870ed9064a18987b22f6b23f737f6575e5a1f7a34e7e6

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zavqa0vb.vyw.ps1
                                                              Filesize

                                                              60B

                                                              MD5

                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                              SHA1

                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                              SHA256

                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                              SHA512

                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                                                              Filesize

                                                              2.9MB

                                                              MD5

                                                              842e251ca1e3a812356248ebe8154f16

                                                              SHA1

                                                              efb511d328cf0a7690e62cbb89adeebc07dddb3c

                                                              SHA256

                                                              14caca276f869dcc33a065b67a826a79c27cb0ec54407da220ed26cd045d941a

                                                              SHA512

                                                              2eaf72c87cda80fcc64463eda29ad62e21818bac52105af0b95c5504c935e7f480cba518575fad8f80d0748e11e41641063cb8b6e61da8584271e1068d7f3b74

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\main\7z.dll
                                                              Filesize

                                                              1.6MB

                                                              MD5

                                                              72491c7b87a7c2dd350b727444f13bb4

                                                              SHA1

                                                              1e9338d56db7ded386878eab7bb44b8934ab1bc7

                                                              SHA256

                                                              34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

                                                              SHA512

                                                              583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
                                                              Filesize

                                                              458KB

                                                              MD5

                                                              619f7135621b50fd1900ff24aade1524

                                                              SHA1

                                                              6c7ea8bbd435163ae3945cbef30ef6b9872a4591

                                                              SHA256

                                                              344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

                                                              SHA512

                                                              2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\main\file.bin
                                                              Filesize

                                                              3.3MB

                                                              MD5

                                                              045b0a3d5be6f10ddf19ae6d92dfdd70

                                                              SHA1

                                                              0387715b6681d7097d372cd0005b664f76c933c7

                                                              SHA256

                                                              94b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d

                                                              SHA512

                                                              58255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\main\main.bat
                                                              Filesize

                                                              440B

                                                              MD5

                                                              3626532127e3066df98e34c3d56a1869

                                                              SHA1

                                                              5fa7102f02615afde4efd4ed091744e842c63f78

                                                              SHA256

                                                              2a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca

                                                              SHA512

                                                              dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                                                              Filesize

                                                              479KB

                                                              MD5

                                                              09372174e83dbbf696ee732fd2e875bb

                                                              SHA1

                                                              ba360186ba650a769f9303f48b7200fb5eaccee1

                                                              SHA256

                                                              c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                                                              SHA512

                                                              b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                                                              Filesize

                                                              13.8MB

                                                              MD5

                                                              0a8747a2ac9ac08ae9508f36c6d75692

                                                              SHA1

                                                              b287a96fd6cc12433adb42193dfe06111c38eaf0

                                                              SHA256

                                                              32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                                                              SHA512

                                                              59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
                                                              Filesize

                                                              18KB

                                                              MD5

                                                              d743315c3468963f4382acb9998a70f6

                                                              SHA1

                                                              6c1be6ca369b5c74668a6078df6186970b22c887

                                                              SHA256

                                                              0bb4ab62b7096f811c6e0284650e10384d7a1a8dfecb6b8bdc54b167e9414523

                                                              SHA512

                                                              b5aecaff52db1e2b4a41c3d5badf42918d08acbad670cf782d034383b3db201db4f4ce50a955dedb72aadbb468c09466143e42deefe448236fe9479858410432

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
                                                              Filesize

                                                              10KB

                                                              MD5

                                                              b78dbe78f94c4fb2150efac42c5c81e5

                                                              SHA1

                                                              b355f7c79602226b1b35ac0801e8adce7d94d262

                                                              SHA256

                                                              5685daa3aa3a57bdf4e9078539733183b4ef88fe5f8f6be67f4cc22d6656896a

                                                              SHA512

                                                              0a7fb1ff9d2de04b35ce0951b2a3c6a74e60bc9b1a1d4b570a0d5480955344ffac2ed86d04b70502c5cd6c73e0365bacc5ce164dc3deebbe9c4ead81f41931c1

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\cookies.sqlite-wal
                                                              Filesize

                                                              256KB

                                                              MD5

                                                              17a2848d9573de100289b3a0276258aa

                                                              SHA1

                                                              82513dc8b437838c2e517bb57d7d2d0cf83fe891

                                                              SHA256

                                                              18ec3f48bee4aca36a6a0041030ac16199c99f3572e3b3302efe434576cf5bfc

                                                              SHA512

                                                              ac9994d40219cfe9aee5f71ac54e5dae1d18e4cf8bd47a2ee8b59e127ed484a9b1cd324c208daf5696bfce03fa5323ddec96d47e67b512f062a9e5639ca7d474

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                                                              Filesize

                                                              21KB

                                                              MD5

                                                              6c6a219b388d24fda1c2358012a19680

                                                              SHA1

                                                              bb6837629694e7fa0ad90747a56eb16f9f2e3dfc

                                                              SHA256

                                                              af34bf6bfd54246473f3c654f0a20a4dccd888f528113113529d55dbe0ca6235

                                                              SHA512

                                                              98b475b96014e8a8efb0268aef316540f91744d2083df0d11c529d699514e52d3b6f891799f5c70829891559e20752520ca12d192f0961a9c3c798ecca72e333

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                                                              Filesize

                                                              21KB

                                                              MD5

                                                              18a05a6f16a1a65b5e126b9a1036501b

                                                              SHA1

                                                              b62a4c583df14efaab5c2d1a6ea2c2cc1b9f1e85

                                                              SHA256

                                                              14b26ee42d0013848d550bfb48393384029feee1df1bd4c990252c95186f3e46

                                                              SHA512

                                                              974abe66a295f52b805641ee648a45089bc07f547384d91e6dba8aa08128010269b5f612ff1af818ed0bbf88ee715c83f98442113a58c59d1e8052a9628e9257

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                                                              Filesize

                                                              22KB

                                                              MD5

                                                              62151001f9829c845ef58712498b0512

                                                              SHA1

                                                              aa355a0dbaadf056385cea1d8423fdf3f0520a12

                                                              SHA256

                                                              0cc4aa94de25c8815eff0a84d15b94afbe8af326c3600e922344d59134f7ff47

                                                              SHA512

                                                              23bc6aadf00be3e72c99bb200a960e73625633dc6d6f5b47558a35c4c0e04dff57d22f3603c3eed720b73cd6e303f02d676ae5ce5b7150f708ab3dea1c1f2c08

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                                                              Filesize

                                                              24KB

                                                              MD5

                                                              11176c8317b2206cbc02b34a25625489

                                                              SHA1

                                                              63f3830543e916a62521d91890f1f36d622cda68

                                                              SHA256

                                                              de0d2c355932fe7c5f35cbae365c61dff34c35006249f587b68bc5d7ef6fe459

                                                              SHA512

                                                              c444f5bac32d108f74a28142c7643f0d754931f65453d41c6ac826b271232a7f9d0186b7b5fcf5434cb7e0ff6f6db0b10a510bbdc2ca4c14fc0cedb963df4e39

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
                                                              Filesize

                                                              24KB

                                                              MD5

                                                              9b1a3dccf883745a85833a29baa7711c

                                                              SHA1

                                                              206599e8780ba6b57b08b6d80a952edc1da5dcda

                                                              SHA256

                                                              94670d30c86580c35e23d6205785f240cbee03eadf10ff9898006606c3ebafd1

                                                              SHA512

                                                              540c9aed6626f80634d7dd378bb211de130e03af982950774e2cfb69e6dafa78374c7891197611fa6c411af2060dcde8025926e554786c2008e7a5f74c59fed4

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\92f11415-1bef-46aa-ac2d-fa1eb259416c
                                                              Filesize

                                                              982B

                                                              MD5

                                                              6f15a4f6b6154909b68a1fd81424f31f

                                                              SHA1

                                                              c427d6820aaca3964660e1f329ed6a1f49e8736c

                                                              SHA256

                                                              911d76742a96f1c86c08c1bda7f08e88a28084313559824a2133f1279ce2e684

                                                              SHA512

                                                              8bc035a673832a371757ddc62ec66782b002bbc4f7fe6a96dcffc8c403a15e4886832ee924763138f51eb3d0c4a47a674e8ac0de5520f47a7e61ffbfb7db8056

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\fddba605-f629-4a01-ab4f-f8c2cbab30c7
                                                              Filesize

                                                              659B

                                                              MD5

                                                              4606c083e5c6403f2231ef3c4e085753

                                                              SHA1

                                                              1e3b15670663ab9a3dd0ac6c9e5c38663d302626

                                                              SHA256

                                                              11eb45dedd50c01dbe0ea6a973f933c5d4d96f4bd3a7d3fd4d5fdb8c2247bc32

                                                              SHA512

                                                              99a04b810e2c5cce21149302f607dfa6f80c6b0173a49c524f6254a579a4e0746801f56e0cc0b1334e47845b14f37c8939cb00981ca98f24a62588b046f2ae77

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                                                              Filesize

                                                              1.1MB

                                                              MD5

                                                              842039753bf41fa5e11b3a1383061a87

                                                              SHA1

                                                              3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                                                              SHA256

                                                              d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                                                              SHA512

                                                              d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                                                              Filesize

                                                              116B

                                                              MD5

                                                              2a461e9eb87fd1955cea740a3444ee7a

                                                              SHA1

                                                              b10755914c713f5a4677494dbe8a686ed458c3c5

                                                              SHA256

                                                              4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                                                              SHA512

                                                              34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                                                              Filesize

                                                              372B

                                                              MD5

                                                              bf957ad58b55f64219ab3f793e374316

                                                              SHA1

                                                              a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                                                              SHA256

                                                              bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                                                              SHA512

                                                              79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                                                              Filesize

                                                              17.8MB

                                                              MD5

                                                              daf7ef3acccab478aaa7d6dc1c60f865

                                                              SHA1

                                                              f8246162b97ce4a945feced27b6ea114366ff2ad

                                                              SHA256

                                                              bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                                                              SHA512

                                                              5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\places.sqlite-wal
                                                              Filesize

                                                              1.4MB

                                                              MD5

                                                              b5589c5f3bfb89bf4d65f176c5884493

                                                              SHA1

                                                              f4c15723f6fdb125658794bac8ca3b13ca14dc0c

                                                              SHA256

                                                              f903e40c5c19a13cae7daf7b81a7da9d11deff520b02889e5adc8ac6e7f68fc9

                                                              SHA512

                                                              fe935774d65c5b88102fad171b9e86bf78374d3c202730a30559cbb75eaf0402601863ae0d6f4f5d10adfdcae775e256fffd4137fb6c02da6d1573d4ea0bbd92

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
                                                              Filesize

                                                              11KB

                                                              MD5

                                                              04731a29913f2503eb25860359811c20

                                                              SHA1

                                                              f0ab4ea5be8b0ff611c82caffaef246b287470fd

                                                              SHA256

                                                              a9c6d559757d1f8e7a262b19da3ac558b2ac63f98ead0da2e78ec2e8534685ff

                                                              SHA512

                                                              410a304a9be5ca12b7ea11ad03bc4bc58aa9036dc7273e7392001e536a808e41c88dcb52613e2a60a507dbe006f9f74966715c6f9198176b0dfd4b3fe9ed9764

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js
                                                              Filesize

                                                              15KB

                                                              MD5

                                                              8d434a9387d8d1b45a791c8031adfa09

                                                              SHA1

                                                              0d7d6bde3491f7fea0533c0081b53d92e9e1add3

                                                              SHA256

                                                              b23a43fec67242f086ec8397b5ad175e4b55984766eeb83fbb053107d8abf255

                                                              SHA512

                                                              2eade3bf3efca4e7499af676e4327f7b9262fd44d581e1ff4d2e789b476cee5ac14749a3f90d808d702f07fbb37e5643e140aa69f3148f803b590737989730af

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                                                              Filesize

                                                              10KB

                                                              MD5

                                                              e66f0fe6d9c0153321926ca62751bf45

                                                              SHA1

                                                              03074be76295066174fd24018f666023ef453721

                                                              SHA256

                                                              95307acb66b919fb790511696013e8438563feb2d20d43991ad1100309176dde

                                                              SHA512

                                                              baa7b05a8f2ae3bb51ae28360fea58ade586c8be22d28dea5623c4e27ff20a1a75f108fafac79be18370a7e96f0780790fd846fbf30a476e1fe0c794af3d5858

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                                                              Filesize

                                                              12KB

                                                              MD5

                                                              872b014042b6ff4c6e4a5e529a4da740

                                                              SHA1

                                                              7cf1bc16973dd1456d4585f4bd24673270189f45

                                                              SHA256

                                                              ead9ae3330bae9c1a2978b5518eb63cd05ea9c1dfd399a866410d28bea647b9a

                                                              SHA512

                                                              4b40c79f710a92db6aae37e2547e0ecffec20c761b3544d1350666754245bf0fe01e9432966cab0ca0b4d2b3d48223e90521feeb661fcce375183544ac923bdf

                                                              Download Submit

                                                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js
                                                              Filesize

                                                              10KB

                                                              MD5

                                                              bc6237f86326cf97b9b61c6d1dc58fe5

                                                              SHA1

                                                              6f77a0380d423d10bb03d9fcbaa9a56a9be12317

                                                              SHA256

                                                              51fdd7c2098a8485d8496a3f1bea02024c0bfed5eef198b63e705ff3a6649cc3

                                                              SHA512

                                                              a724c2556ff4f4b80b3e34e096b58f163949aceefee4defa18d0c846ddb1da2aa83b47df142050dde06baf67d9d208eb06a42d5e0ddb98806c2d85ab3a71fdcb

                                                              Download Submit

                                                            • C:\Users\Admin\Documents\BAECFCAAEC.exe
                                                              Filesize

                                                              2.9MB

                                                              MD5

                                                              98836224f32527d455cf011bb2325b6a

                                                              SHA1

                                                              b42545aa396db9f04f6081bb227c456b27526785

                                                              SHA256

                                                              4131bd01e2e23761ec48b6248ab2869488e2d809085cd4180d1d8416bdf3c56a

                                                              SHA512

                                                              e02fa8a8634a46f5fe7ed7c6adf88bcd6df8aee042cfa89c97e65591cf57c1ee6060c0df0c7a26c6f49e07d052870590dc838a9871d7e1c6b9e92cd5819fb545

                                                              Download Submit

                                                            • memory/948-1307-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-3750-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-47-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-585-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-25-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-24-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-23-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-22-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-21-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-4174-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-20-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-19-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-3947-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-16-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-3988-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-4062-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-157-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-3518-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-2508-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-48-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-959-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-4136-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/948-67-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/1004-575-0x0000000000DC0000-0x0000000001206000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1004-958-0x0000000000DC0000-0x0000000001206000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1004-955-0x0000000000DC0000-0x0000000001206000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1004-577-0x0000000000DC0000-0x0000000001206000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1004-578-0x0000000000DC0000-0x0000000001206000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1864-89-0x0000000000670000-0x0000000000AB6000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1864-490-0x0000000000670000-0x0000000000AB6000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1864-91-0x0000000000670000-0x0000000000AB6000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1864-92-0x0000000000670000-0x0000000000AB6000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/1864-351-0x0000000000670000-0x0000000000AB6000-memory.dmp

                                                              Filesize

                                                              4.3MB

                                                              Download

                                                            • memory/2388-155-0x0000000000690000-0x0000000000B41000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                              Download

                                                            • memory/2388-64-0x0000000000690000-0x0000000000B41000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                              Download

                                                            • memory/2388-88-0x0000000000690000-0x0000000000B41000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                              Download

                                                            • memory/2388-84-0x0000000000690000-0x0000000000B41000-memory.dmp

                                                              Filesize

                                                              4.7MB

                                                              Download

                                                            • memory/3392-46-0x0000000000A50000-0x0000000000EAE000-memory.dmp

                                                              Filesize

                                                              4.4MB

                                                              Download

                                                            • memory/3392-44-0x0000000000A50000-0x0000000000EAE000-memory.dmp

                                                              Filesize

                                                              4.4MB

                                                              Download

                                                            • memory/3392-962-0x00000000089C0000-0x00000000089DE000-memory.dmp

                                                              Filesize

                                                              120KB

                                                              Download

                                                            • memory/3392-987-0x0000000009AB0000-0x0000000009B16000-memory.dmp

                                                              Filesize

                                                              408KB

                                                              Download

                                                            • memory/3392-66-0x0000000000A50000-0x0000000000EAE000-memory.dmp

                                                              Filesize

                                                              4.4MB

                                                              Download

                                                            • memory/3392-961-0x0000000008180000-0x00000000081F6000-memory.dmp

                                                              Filesize

                                                              472KB

                                                              Download

                                                            • memory/3392-45-0x0000000000A50000-0x0000000000EAE000-memory.dmp

                                                              Filesize

                                                              4.4MB

                                                              Download

                                                            • memory/4548-3-0x00000000003B0000-0x00000000006CB000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/4548-1-0x0000000077084000-0x0000000077086000-memory.dmp

                                                              Filesize

                                                              8KB

                                                              Download

                                                            • memory/4548-4-0x00000000003B0000-0x00000000006CB000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/4548-18-0x00000000003B0000-0x00000000006CB000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/4548-2-0x00000000003B1000-0x00000000003DF000-memory.dmp

                                                              Filesize

                                                              184KB

                                                              Download

                                                            • memory/4548-0-0x00000000003B0000-0x00000000006CB000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/5052-740-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5052-161-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5052-93-0x0000000061E00000-0x0000000061EF3000-memory.dmp

                                                              Filesize

                                                              972KB

                                                              Download

                                                            • memory/5052-968-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5052-2262-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5052-159-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5052-83-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5052-1433-0x0000000000270000-0x0000000000763000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5328-574-0x00000000006B0000-0x0000000000BA3000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5328-153-0x00000000006B0000-0x0000000000BA3000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5328-1308-0x00000000006B0000-0x0000000000BA3000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5328-2775-0x00000000006B0000-0x0000000000BA3000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5328-960-0x00000000006B0000-0x0000000000BA3000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5328-2419-0x00000000006B0000-0x0000000000BA3000-memory.dmp

                                                              Filesize

                                                              4.9MB

                                                              Download

                                                            • memory/5452-3894-0x00007FF697C50000-0x00007FF6980E0000-memory.dmp

                                                              Filesize

                                                              4.6MB

                                                              Download

                                                            • memory/5452-3898-0x00007FF697C50000-0x00007FF6980E0000-memory.dmp

                                                              Filesize

                                                              4.6MB

                                                              Download

                                                            • memory/5584-3850-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/5584-3848-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/5692-3146-0x0000000001000000-0x0000000001400000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                              Download

                                                            • memory/5692-3149-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                              Download

                                                            • memory/5692-3138-0x00000000007A0000-0x00000000007AA000-memory.dmp

                                                              Filesize

                                                              40KB

                                                              Download

                                                            • memory/5692-3159-0x0000000075110000-0x0000000075325000-memory.dmp

                                                              Filesize

                                                              2.1MB

                                                              Download

                                                            • memory/5816-546-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/5816-545-0x0000000000250000-0x000000000056B000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/6168-3126-0x0000000004F10000-0x0000000005310000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                              Download

                                                            • memory/6168-3137-0x0000000075110000-0x0000000075325000-memory.dmp

                                                              Filesize

                                                              2.1MB

                                                              Download

                                                            • memory/6168-3134-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

                                                              Filesize

                                                              2.0MB

                                                              Download

                                                            • memory/6168-3118-0x0000000004F10000-0x0000000005310000-memory.dmp

                                                              Filesize

                                                              4.0MB

                                                              Download

                                                            • memory/6168-2999-0x0000000000660000-0x0000000000B28000-memory.dmp

                                                              Filesize

                                                              4.8MB

                                                              Download

                                                            • memory/6168-3169-0x0000000000660000-0x0000000000B28000-memory.dmp

                                                              Filesize

                                                              4.8MB

                                                              Download

                                                            • memory/6208-3900-0x0000015D548C0000-0x0000015D548E2000-memory.dmp

                                                              Filesize

                                                              136KB

                                                              Download

                                                            • memory/6524-943-0x0000000000400000-0x0000000000457000-memory.dmp

                                                              Filesize

                                                              348KB

                                                              Download

                                                            • memory/6524-941-0x0000000000400000-0x0000000000457000-memory.dmp

                                                              Filesize

                                                              348KB

                                                              Download

                                                            • memory/6756-3256-0x0000000000540000-0x0000000001180000-memory.dmp

                                                              Filesize

                                                              12.2MB

                                                              Download

                                                            • memory/6756-3693-0x0000000000540000-0x0000000001180000-memory.dmp

                                                              Filesize

                                                              12.2MB

                                                              Download

                                                            • memory/6756-3092-0x0000000000540000-0x0000000001180000-memory.dmp

                                                              Filesize

                                                              12.2MB

                                                              Download

                                                            • memory/6756-2149-0x0000000000540000-0x0000000001180000-memory.dmp

                                                              Filesize

                                                              12.2MB

                                                              Download

                                                            • memory/6820-2260-0x0000000000EE0000-0x00000000011FA000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/6820-2223-0x0000000000EE0000-0x00000000011FA000-memory.dmp

                                                              Filesize

                                                              3.1MB

                                                              Download

                                                            • memory/6836-3745-0x0000000000FD0000-0x000000000146D000-memory.dmp

                                                              Filesize

                                                              4.6MB

                                                              Download

                                                            • memory/6836-3748-0x0000000000FD0000-0x000000000146D000-memory.dmp

                                                              Filesize

                                                              4.6MB

                                                              Download