Analysis
  max time kernel: 148s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-12-2024 04:16
  Static task: static1
  Behavioral task: behavioral1
  Sample: ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Resource: win7-20240903-en
General
  Target: ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Size: 2.8MB
  MD5: bf03b982421c50b3c232a902eed53e31
  SHA1: 5f1bdec3bf5ef51e982ebd35ef62d4ab461891bd
  SHA256: ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249
  SHA512: dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1
  SSDEEP: 49152:nvzSPYPGhM06DbXnnIMgFsXK5vQxw6oO:n7SPYPG206DcMCsa5vQKPO
Malware Config
  Extracted: amadey
    4.42
    9c9aa5
    http://185.215.113.43
    install_dir: abc3bc1985
    install_file: skotes.exe
    strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
    url_paths: /Zu7JuNko/index.php
  Extracted: lumma
  Extracted: cryptbot
  Extracted: stealc
    stok
    http://185.215.113.206
    url_path: /c4becf79229cb002.php
Signatures
  Amadey family
  Cryptbot family
  Lumma family
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | ca2dbee6a2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | ca2dbee6a2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | ca2dbee6a2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | ca2dbee6a2.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | ca2dbee6a2.exe
  Stealc family
  Xmrig family
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | 2625dae0eb.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5cf241b818.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b3ae574b4d.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 89004cb58b.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ab7de77645.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8U3PXBCMBWLTXQFLACU.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e7529dbac2.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | GIIIIJDHJE.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2625dae0eb.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ca2dbee6a2.exe
XMRig Miner payload 10 IoCs
  resource | yara_rule
  behavioral2/memory/5320-3372-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3373-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3375-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3374-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3376-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3377-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3378-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3381-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3383-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
  behavioral2/memory/5320-3386-0x0000000140000000-0x0000000140770000-memory.dmp | xmrig
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
  pid | Process
  1224 | chrome.exe
  3212 | msedge.exe
  5604 | msedge.exe
  5612 | msedge.exe
  2888 | chrome.exe
  3732 | chrome.exe
  4864 | chrome.exe
  5748 | msedge.exe
  1428 | msedge.exe
Checks BIOS information in registry 2 TTPs 28 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2625dae0eb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5cf241b818.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e7529dbac2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ca2dbee6a2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e7529dbac2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | GIIIIJDHJE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b3ae574b4d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8U3PXBCMBWLTXQFLACU.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b3ae574b4d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ab7de77645.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2625dae0eb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 89004cb58b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5cf241b818.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | GIIIIJDHJE.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8U3PXBCMBWLTXQFLACU.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ca2dbee6a2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 89004cb58b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ab7de77645.exe
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | skotes.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 5cf241b818.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 210d8d4641.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | b3ae574b4d.exe
Drops startup file 1 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3ae574b4d.lnk | b3ae574b4d.exe
Executes dropped EXE 27 IoCs
  pid | Process
  232 | skotes.exe
  2620 | 9487686fbc.exe
  1648 | 9487686fbc.exe
  1448 | 2625dae0eb.exe
  1932 | 89004cb58b.exe
  5036 | ab7de77645.exe
  3724 | 5cf241b818.exe
  2892 | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  1648 | 8U3PXBCMBWLTXQFLACU.exe
  4664 | 9dee9f7554.exe
  852 | ca2dbee6a2.exe
  2304 | skotes.exe
  5260 | e7529dbac2.exe
  5800 | 210d8d4641.exe
  5724 | GIIIIJDHJE.exe
  4568 | 7z.exe
  1340 | 7z.exe
  6020 | 7z.exe
  6088 | 7z.exe
  6112 | 7z.exe
  2936 | 7z.exe
  4432 | 7z.exe
  5612 | 7z.exe
  5792 | in.exe
  6096 | b3ae574b4d.exe
  1428 | skotes.exe
  1860 | Intel_PTT_EK_Recertification.exe
Identifies Wine through registry keys 2 TTPs 14 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | ca2dbee6a2.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 2625dae0eb.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | ab7de77645.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 5cf241b818.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 8U3PXBCMBWLTXQFLACU.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | b3ae574b4d.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | e7529dbac2.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 89004cb58b.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | GIIIIJDHJE.exe
Loads dropped DLL 10 IoCs
  pid | Process
  3724 | 5cf241b818.exe
  3724 | 5cf241b818.exe
  4568 | 7z.exe
  1340 | 7z.exe
  6020 | 7z.exe
  6088 | 7z.exe
  6112 | 7z.exe
  2936 | 7z.exe
  4432 | 7z.exe
  5612 | 7z.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | ca2dbee6a2.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab7de77645.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016473001\\ab7de77645.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cf241b818.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016474001\\5cf241b818.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9dee9f7554.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016475001\\9dee9f7554.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ca2dbee6a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016476001\\ca2dbee6a2.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0007000000023c8e-148.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  pid | Process
  1936 | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  232 | skotes.exe
  1448 | 2625dae0eb.exe
  1932 | 89004cb58b.exe
  5036 | ab7de77645.exe
  3724 | 5cf241b818.exe
  2892 | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  1648 | 8U3PXBCMBWLTXQFLACU.exe
  852 | ca2dbee6a2.exe
  2304 | skotes.exe
  5260 | e7529dbac2.exe
  5724 | GIIIIJDHJE.exe
  6096 | b3ae574b4d.exe
  1428 | skotes.exe
Suspicious use of SetThreadContext 2 IoCs
  description | pid | Process | procid_target
  PID 2620 set thread context of 1648 | 2620 | 9487686fbc.exe | 87
  PID 1860 set thread context of 5320 | 1860 | Intel_PTT_EK_Recertification.exe | 200
  resource | yara_rule
  behavioral2/memory/5792-1179-0x00007FF7B4740000-0x00007FF7B4BD0000-memory.dmp | upx
  behavioral2/memory/5792-1173-0x00007FF7B4740000-0x00007FF7B4BD0000-memory.dmp | upx
  behavioral2/memory/1860-3370-0x00007FF6416B0000-0x00007FF641B40000-memory.dmp | upx
  behavioral2/memory/1860-3380-0x00007FF6416B0000-0x00007FF641B40000-memory.dmp | upx
Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 27 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8U3PXBCMBWLTXQFLACU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9dee9f7554.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 210d8d4641.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab7de77645.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 9dee9f7554.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 9dee9f7554.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b3ae574b4d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9487686fbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89004cb58b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e7529dbac2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | GIIIIJDHJE.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5cf241b818.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca2dbee6a2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9487686fbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2625dae0eb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  6012 | PING.EXE
  5268 | powershell.exe
  6076 | PING.EXE
  3560 | powershell.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5cf241b818.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5cf241b818.exe
Enumerates system info in registry 2 TTPs 8 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Kills process with taskkill 5 IoCs
  pid | Process
  368 | taskkill.exe
  1824 | taskkill.exe
  3428 | taskkill.exe
  3980 | taskkill.exe
  5088 | taskkill.exe
Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | firefox.exe
Runs ping.exe 1 TTPs 2 IoCs
  pid | Process
  6076 | PING.EXE
  6012 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  5300 | schtasks.exe
  1340 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process | consecutive hits
  1936 | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe | x2
  232 | skotes.exe | x2
  1448 | 2625dae0eb.exe | x10
  1932 | 89004cb58b.exe | x2
  5036 | ab7de77645.exe | x6
  3724 | 5cf241b818.exe | x2
  2892 | O7PH1EFECH3UYMMAO5RY0Y210MA.exe | x2
  3724 | 5cf241b818.exe | x4
  1648 | 8U3PXBCMBWLTXQFLACU.exe | x2
  2892 | O7PH1EFECH3UYMMAO5RY0Y210MA.exe | x3
  1224 | chrome.exe | x2
  4664 | 9dee9f7554.exe | x2
  852 | ca2dbee6a2.exe | x2
  2304 | skotes.exe | x2
  852 | ca2dbee6a2.exe | x3
  4664 | 9dee9f7554.exe | x2
  3724 | 5cf241b818.exe | x2
  5732 | msedge.exe | x4
  6112 | msedge.exe | x2
  5748 | msedge.exe | x2
  5260 | e7529dbac2.exe | x2
  5732 | msedge.exe | x4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  pid | Process | consecutive hits
  1224 | chrome.exe | x3
  5748 | msedge.exe | x4
Suspicious use of AdjustPrivilegeToken 52 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2892 | O7PH1EFECH3UYMMAO5RY0Y210MA.exe
  Token: SeShutdownPrivilege | 1224 | chrome.exe
  Token: SeCreatePagefilePrivilege | 1224 | chrome.exe
  Token: SeDebugPrivilege | 3980 | taskkill.exe
  Token: SeShutdownPrivilege | 1224 | chrome.exe
  Token: SeCreatePagefilePrivilege | 1224 | chrome.exe
  Token: SeShutdownPrivilege | 1224 | chrome.exe
  Token: SeCreatePagefilePrivilege | 1224 | chrome.exe
  Token: SeDebugPrivilege | 5088 | taskkill.exe
  Token: SeDebugPrivilege | 368 | taskkill.exe
  Token: SeDebugPrivilege | 1824 | taskkill.exe
  Token: SeDebugPrivilege | 3428 | taskkill.exe
  Token: SeDebugPrivilege | 3448 | firefox.exe
  Token: SeDebugPrivilege | 3448 | firefox.exe
  Token: SeDebugPrivilege | 852 | ca2dbee6a2.exe
  Token: SeRestorePrivilege | 4568 | 7z.exe
  Token: 35 | 4568 | 7z.exe
  Token: SeSecurityPrivilege | 4568 | 7z.exe
  Token: SeSecurityPrivilege | 4568 | 7z.exe
  Token: SeRestorePrivilege | 1340 | 7z.exe
  Token: 35 | 1340 | 7z.exe
  Token: SeSecurityPrivilege | 1340 | 7z.exe
  Token: SeSecurityPrivilege | 1340 | 7z.exe
  Token: SeRestorePrivilege | 6020 | 7z.exe
  Token: 35 | 6020 | 7z.exe
  Token: SeSecurityPrivilege | 6020 | 7z.exe
  Token: SeSecurityPrivilege | 6020 | 7z.exe
  Token: SeRestorePrivilege | 6088 | 7z.exe
  Token: 35 | 6088 | 7z.exe
  Token: SeSecurityPrivilege | 6088 | 7z.exe
  Token: SeSecurityPrivilege | 6088 | 7z.exe
  Token: SeRestorePrivilege | 6112 | 7z.exe
  Token: 35 | 6112 | 7z.exe
  Token: SeSecurityPrivilege | 6112 | 7z.exe
  Token: SeSecurityPrivilege | 6112 | 7z.exe
  Token: SeRestorePrivilege | 2936 | 7z.exe
  Token: 35 | 2936 | 7z.exe
  Token: SeSecurityPrivilege | 2936 | 7z.exe
  Token: SeSecurityPrivilege | 2936 | 7z.exe
  Token: SeRestorePrivilege | 4432 | 7z.exe
  Token: 35 | 4432 | 7z.exe
  Token: SeSecurityPrivilege | 4432 | 7z.exe
  Token: SeSecurityPrivilege | 4432 | 7z.exe
  Token: SeRestorePrivilege | 5612 | 7z.exe
  Token: 35 | 5612 | 7z.exe
  Token: SeSecurityPrivilege | 5612 | 7z.exe
  Token: SeSecurityPrivilege | 5612 | 7z.exe
  Token: SeDebugPrivilege | 5268 | powershell.exe
  Token: SeLockMemoryPrivilege | 5320 | explorer.exe
  Token: SeDebugPrivilege | 3560 | powershell.exe
  Token: SeDebugPrivilege | 6096 | b3ae574b4d.exe
  Token: SeDebugPrivilege | 6096 | b3ae574b4d.exe
Suspicious use of FindShellTrayWindow 64 IoCs
  pid | Process | consecutive hits
  1936 | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe | x1
  1224 | chrome.exe | x17
  4664 | 9dee9f7554.exe | x1
  1224 | chrome.exe | x6
  4664 | 9dee9f7554.exe | x1
  1224 | chrome.exe | x3
  4664 | 9dee9f7554.exe | x7
  3448 | firefox.exe | x21
  4664 | 9dee9f7554.exe | x3
  5748 | msedge.exe | x4
Suspicious use of SendNotifyMessage 32 IoCs
  pid | Process | consecutive hits
  4664 | 9dee9f7554.exe | x9
  3448 | firefox.exe | x20
  4664 | 9dee9f7554.exe | x3
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  3448 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target | consecutive hits
  PID 1936 wrote to memory of 232 | 1936 | ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe | 83 | x3
  PID 232 wrote to memory of 2620 | 232 | skotes.exe | 85 | x3
  PID 2620 wrote to memory of 1648 | 2620 | 9487686fbc.exe | 87 | x10
  PID 232 wrote to memory of 1448 | 232 | skotes.exe | 89 | x3
  PID 232 wrote to memory of 1932 | 232 | skotes.exe | 98 | x3
  PID 232 wrote to memory of 5036 | 232 | skotes.exe | 103 | x3
  PID 232 wrote to memory of 3724 | 232 | skotes.exe | 105 | x3
  PID 5036 wrote to memory of 2892 | 5036 | ab7de77645.exe | 106 | x3
  PID 5036 wrote to memory of 1648 | 5036 | ab7de77645.exe | 107 | x3
  PID 3724 wrote to memory of 1224 | 3724 | 5cf241b818.exe | 109 | x2
  PID 1224 wrote to memory of 1340 | 1224 | chrome.exe | 110 | x2
  PID 1224 wrote to memory of 2356 | 1224 | chrome.exe | 111 | x26
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Views/modifies file attributes 1 TTPs 4 IoCs
  pid | Process
  5712 | attrib.exe
  1560 | attrib.exe
  5516 | attrib.exe
  5880 | attrib.exe
Processes

The bracketed number is the nesting depth in the process tree (1 = top-level process, 2 = its child, and so on).

[1] C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1936

  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 232

    [3] C:\Users\Admin\AppData\Local\Temp\1016470001\9487686fbc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016470001\9487686fbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2620

      [4] C:\Users\Admin\AppData\Local\Temp\1016470001\9487686fbc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1016470001\9487686fbc.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1648

    [3] C:\Users\Admin\AppData\Local\Temp\1016471001\2625dae0eb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016471001\2625dae0eb.exe"
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1448

    [3] C:\Users\Admin\AppData\Local\Temp\1016472001\89004cb58b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016472001\89004cb58b.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1932

    [3] C:\Users\Admin\AppData\Local\Temp\1016473001\ab7de77645.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016473001\ab7de77645.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 5036

      [4] C:\Users\Admin\AppData\Local\Temp\O7PH1EFECH3UYMMAO5RY0Y210MA.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\O7PH1EFECH3UYMMAO5RY0Y210MA.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2892

      [4] C:\Users\Admin\AppData\Local\Temp\8U3PXBCMBWLTXQFLACU.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\8U3PXBCMBWLTXQFLACU.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 1648

    [3] C:\Users\Admin\AppData\Local\Temp\1016474001\5cf241b818.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016474001\5cf241b818.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3724

      [4] C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
        - Uses browser remote debugging
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1224

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98badcc40,0x7ff98badcc4c,0x7ff98badcc58
          PID: 1340

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
          PID: 2356

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
          PID: 2932

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
          PID: 756

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
          - Uses browser remote debugging
          PID: 2888

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:1
          - Uses browser remote debugging
          PID: 3732

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
          - Uses browser remote debugging
          PID: 4864

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4768 /prefetch:8
          PID: 2944

        [5] C:\Program Files\Google\Chrome\Application\chrome.exe
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,5061330258287175453,12116017882060625919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
          PID: 3984

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
        - Uses browser remote debugging
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        PID: 5748

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c4946f8,0x7ff98c494708,0x7ff98c494718
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          PID: 5732

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
          PID: 6108

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID: 6112

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
          PID: 1472

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
          - Uses browser remote debugging
          PID: 3212

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
          - Uses browser remote debugging
          PID: 1428

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
          - Uses browser remote debugging
          PID: 5604

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
          - Uses browser remote debugging
          PID: 5612

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
          PID: 5780

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
          PID: 5752

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2600 /prefetch:2
          PID: 4616

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2592 /prefetch:2
          PID: 5512

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2168 /prefetch:2
          PID: 6072

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3632 /prefetch:2
          PID: 5520

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3656 /prefetch:2
          PID: 4088

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12677417964149764551,1868533642341747526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3608 /prefetch:2
          PID: 848

      [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\GIIIIJDHJE.exe"
        - System Location Discovery: System Language Discovery
        PID: 5360

        [5] C:\Users\Admin\Documents\GIIIIJDHJE.exe
          Command line: "C:\Users\Admin\Documents\GIIIIJDHJE.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          PID: 5724

    [3] C:\Users\Admin\AppData\Local\Temp\1016475001\9dee9f7554.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016475001\9dee9f7554.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4664

      [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 3980

      [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 5088

      [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 368

      [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1824

      [4] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 3428

      [4] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        PID: 4792

        [5] C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          PID: 3448

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99c923d5-263d-4649-bd73-810108f67008} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" gpu
            PID: 3768

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6adca37a-ca00-4cc7-bafe-e371c6e4c1b2} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" socket
            PID: 4416

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3220 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4362e9d6-e2fb-40f3-8a73-a3c9f457277e} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
            PID: 3160

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4228 -childID 2 -isForBrowser -prefsHandle 4220 -prefMapHandle 4216 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa97759e-4dee-4d95-ac74-f6a34f6ead00} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
            PID: 4676

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 4892 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37858e9a-a0ac-41b4-83c5-a81e80fb1915} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" utility
            - Checks processor information in registry
            PID: 5536

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -childID 3 -isForBrowser -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {834a1cbb-1691-4dde-aa28-cae72a98de03} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
            PID: 6004

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5420 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {632dba57-f041-402a-9a1c-24fe67ea5570} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
            PID: 6036

          [6] C:\Program Files\Mozilla Firefox\firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5468 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5efb4a5d-fd1c-4688-a8cb-6a4b81db91ed} 3448 "\\.\pipe\gecko-crash-server-pipe.3448" tab
            PID: 6048

    [3] C:\Users\Admin\AppData\Local\Temp\1016476001\ca2dbee6a2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016476001\ca2dbee6a2.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 852

    [3] C:\Users\Admin\AppData\Local\Temp\1016478001\e7529dbac2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016478001\e7529dbac2.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 5260

    [3] C:\Users\Admin\AppData\Local\Temp\1016479001\210d8d4641.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016479001\210d8d4641.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 5800

      [4] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        PID: 5716

        [5] C:\Windows\system32\mode.com
          Command line: mode 65,10
          PID: 1860

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 4568

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_7.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 1340

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_6.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 6020

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_5.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 6088

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_4.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 6112

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_3.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 2936

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_2.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 4432

        [5] C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          Command line: 7z.exe e extracted/file_1.zip -oextracted
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 5612

        [5] C:\Windows\system32\attrib.exe
          Command line: attrib +H "in.exe"
          - Views/modifies file attributes
          PID: 5712

        [5] C:\Users\Admin\AppData\Local\Temp\main\in.exe
          Command line: "in.exe"
          - Executes dropped EXE
          PID: 5792

          [6] C:\Windows\SYSTEM32\attrib.exe
            Command line: attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
            - Views/modifies file attributes
            PID: 5880

          [6] C:\Windows\SYSTEM32\attrib.exe
            Command line: attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
            - Views/modifies file attributes
            PID: 5516

          [6] C:\Windows\SYSTEM32\schtasks.exe
            Command line: schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
            - Scheduled Task/Job: Scheduled Task
            PID: 5300

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell ping 127.0.0.1; del in.exe
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 5268

            [7] C:\Windows\system32\PING.EXE
              Command line: "C:\Windows\system32\PING.EXE" 127.0.0.1
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 6076

    [3] C:\Users\Admin\AppData\Local\Temp\1016480001\b3ae574b4d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1016480001\b3ae574b4d.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 6096

      [4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks" /Query /TN "b3ae574b4d"
        - System Location Discovery: System Language Discovery
        PID: 5064

      [4] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc onlogon /tn "b3ae574b4d" /tr "C:\Users\Admin\AppData\Local\Temp\1016480001\b3ae574b4d.exe"
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 1340

      [4] C:\Windows\SysWOW64\attrib.exe
        Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\1016480001\b3ae574b4d.exe"
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
        PID: 1560

[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 1448

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2304

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 1428

[1] C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  Command line: C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID: 1860

  [2] C:\Windows\explorer.exe
    Command line: explorer.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 5320

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 3560

    [3] C:\Windows\system32\PING.EXE
      Command line: "C:\Windows\system32\PING.EXE" 127.1.10.1
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID: 6012
Network
MITRE ATT&CK Enterprise v15

Techniques are listed per tactic; the number in parentheses is the count of matching signatures, with sub-techniques indented under their parent technique.

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Modify Authentication Process (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Authentication Process (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (3)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Modify Authentication Process (1)
  Steal Web Session Cookie (1)
  Unsecured Credentials (5)
    Credentials In Files (5)

Discovery
  Browser Information Discovery (1)
  Query Registry (9)
  Remote System Discovery (1)
  System Information Discovery (5)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  Virtualization/Sandbox Evasion (3)
3Replay Monitor
Loading Replay Monitor...
Downloads