Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 15:24
Static task
static1
General
-
Target
cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe
-
Size
1.8MB
-
MD5
1d13d83ba0b9e54307060da3ad2c16bf
-
SHA1
45fe957170c36b1704c25ff65d59dd8bbe6894cd
-
SHA256
cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0
-
SHA512
803e1b9587fc7aab36c96d52fe901fa6dbe0523aa46da23afb0bd50f7ebcbe5bfd9793ac61cbdd4d228159786d240d5161ff80a5e445eaa00fc77cdf455eb526
-
SSDEEP
24576:ujGFRFajDFCy++ZmOo3Ku3nMTpvvVxgjvS0CrhHnDvutPCisiQR5gCdcd3:ujeFmD/+Go3Ku3evVxquNrmPCwu
Malware Config
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
cryptbot
Extracted
lumma
https://tacitglibbr.biz/api
Signatures
-
Amadey family
-
Cryptbot family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection G7R9EN9TGL2SLQSRRYWJ4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" G7R9EN9TGL2SLQSRRYWJ4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" G7R9EN9TGL2SLQSRRYWJ4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" G7R9EN9TGL2SLQSRRYWJ4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" G7R9EN9TGL2SLQSRRYWJ4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" G7R9EN9TGL2SLQSRRYWJ4E.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2036 created 1728 2036 7c4097a750.exe 58 -
Xmrig family
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF b19b0de650.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF ec40513f8e.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2RZ27NKGC2NFI9OMRM0D3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ FBAFIIJKJE.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b19b0de650.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7c4097a750.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ec40513f8e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ G7R9EN9TGL2SLQSRRYWJ4E.exe -
XMRig Miner payload 10 IoCs
resource yara_rule behavioral1/memory/1012-718-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-721-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-720-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-719-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-717-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-716-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-715-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-730-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-732-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/1012-733-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1172 chrome.exe 324 chrome.exe 2060 chrome.exe 784 chrome.exe 1664 chrome.exe 2268 chrome.exe 1640 chrome.exe 896 chrome.exe -
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2RZ27NKGC2NFI9OMRM0D3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FBAFIIJKJE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7c4097a750.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ec40513f8e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FBAFIIJKJE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b19b0de650.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion b19b0de650.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ec40513f8e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion G7R9EN9TGL2SLQSRRYWJ4E.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion G7R9EN9TGL2SLQSRRYWJ4E.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2RZ27NKGC2NFI9OMRM0D3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7c4097a750.exe -
Executes dropped EXE 22 IoCs
pid Process 2620 G7R9EN9TGL2SLQSRRYWJ4E.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 1592 FBAFIIJKJE.exe 704 skotes.exe 528 ON7ZDqr.exe 404 3c723c3f6a.exe 2540 3c723c3f6a.exe 784 b19b0de650.exe 2036 7c4097a750.exe 2272 9c04026924.exe 1800 7z.exe 1664 7z.exe 2596 7z.exe 3032 7z.exe 1396 7z.exe 1648 7z.exe 2004 7z.exe 1708 7z.exe 2784 in.exe 1620 ec40513f8e.exe 2024 Intel_PTT_EK_Recertification.exe 2412 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine G7R9EN9TGL2SLQSRRYWJ4E.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 2RZ27NKGC2NFI9OMRM0D3.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine FBAFIIJKJE.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine b19b0de650.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 7c4097a750.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine ec40513f8e.exe -
Loads dropped DLL 41 IoCs
pid Process 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 2368 cmd.exe 2368 cmd.exe 1592 FBAFIIJKJE.exe 1592 FBAFIIJKJE.exe 704 skotes.exe 704 skotes.exe 704 skotes.exe 704 skotes.exe 404 3c723c3f6a.exe 704 skotes.exe 704 skotes.exe 704 skotes.exe 704 skotes.exe 2152 cmd.exe 1800 7z.exe 2152 cmd.exe 1664 7z.exe 2152 cmd.exe 2596 7z.exe 2152 cmd.exe 3032 7z.exe 2152 cmd.exe 1396 7z.exe 2152 cmd.exe 1648 7z.exe 2152 cmd.exe 2004 7z.exe 2152 cmd.exe 1708 7z.exe 2152 cmd.exe 2152 cmd.exe 704 skotes.exe 704 skotes.exe 316 taskeng.exe 316 taskeng.exe 316 taskeng.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features G7R9EN9TGL2SLQSRRYWJ4E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" G7R9EN9TGL2SLQSRRYWJ4E.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 2620 G7R9EN9TGL2SLQSRRYWJ4E.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 1592 FBAFIIJKJE.exe 704 skotes.exe 784 b19b0de650.exe 2036 7c4097a750.exe 1620 ec40513f8e.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 404 set thread context of 2540 404 3c723c3f6a.exe 68 PID 2024 set thread context of 1012 2024 Intel_PTT_EK_Recertification.exe 98 PID 2412 set thread context of 2432 2412 Intel_PTT_EK_Recertification.exe 103 -
resource yara_rule behavioral1/memory/2784-688-0x000000013FA00000-0x000000013FE90000-memory.dmp upx behavioral1/memory/2784-687-0x000000013FA00000-0x000000013FE90000-memory.dmp upx behavioral1/memory/2024-723-0x000000013F1D0000-0x000000013F660000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job FBAFIIJKJE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c723c3f6a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language G7R9EN9TGL2SLQSRRYWJ4E.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ON7ZDqr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c723c3f6a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2RZ27NKGC2NFI9OMRM0D3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FBAFIIJKJE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b19b0de650.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ec40513f8e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c4097a750.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9c04026924.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2604 powershell.exe 2208 PING.EXE 2680 powershell.exe 3064 PING.EXE 2840 powershell.exe 1064 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2RZ27NKGC2NFI9OMRM0D3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2RZ27NKGC2NFI9OMRM0D3.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2208 PING.EXE 3064 PING.EXE 1064 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1564 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 51 IoCs
pid Process 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 2620 G7R9EN9TGL2SLQSRRYWJ4E.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 2620 G7R9EN9TGL2SLQSRRYWJ4E.exe 2620 G7R9EN9TGL2SLQSRRYWJ4E.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 1664 chrome.exe 1664 chrome.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 1172 chrome.exe 1172 chrome.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 3052 2RZ27NKGC2NFI9OMRM0D3.exe 1592 FBAFIIJKJE.exe 704 skotes.exe 2540 3c723c3f6a.exe 2540 3c723c3f6a.exe 2540 3c723c3f6a.exe 2540 3c723c3f6a.exe 784 b19b0de650.exe 784 b19b0de650.exe 784 b19b0de650.exe 784 b19b0de650.exe 784 b19b0de650.exe 784 b19b0de650.exe 2036 7c4097a750.exe 2036 7c4097a750.exe 2036 7c4097a750.exe 2036 7c4097a750.exe 2036 7c4097a750.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2684 dialer.exe 2604 powershell.exe 1620 ec40513f8e.exe 1620 ec40513f8e.exe 1620 ec40513f8e.exe 1620 ec40513f8e.exe 1620 ec40513f8e.exe 1620 ec40513f8e.exe 2024 Intel_PTT_EK_Recertification.exe 2680 powershell.exe 2412 Intel_PTT_EK_Recertification.exe 2840 powershell.exe -
Suspicious use of AdjustPrivilegeToken 60 IoCs
description pid Process Token: SeDebugPrivilege 2620 G7R9EN9TGL2SLQSRRYWJ4E.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1664 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeShutdownPrivilege 1172 chrome.exe Token: SeRestorePrivilege 1800 7z.exe Token: 35 1800 7z.exe Token: SeSecurityPrivilege 1800 7z.exe Token: SeSecurityPrivilege 1800 7z.exe Token: SeRestorePrivilege 1664 7z.exe Token: 35 1664 7z.exe Token: SeSecurityPrivilege 1664 7z.exe Token: SeSecurityPrivilege 1664 7z.exe Token: SeRestorePrivilege 2596 7z.exe Token: 35 2596 7z.exe Token: SeSecurityPrivilege 2596 7z.exe Token: SeSecurityPrivilege 2596 7z.exe Token: SeRestorePrivilege 3032 7z.exe Token: 35 3032 7z.exe Token: SeSecurityPrivilege 3032 7z.exe Token: SeSecurityPrivilege 3032 7z.exe Token: SeRestorePrivilege 1396 7z.exe Token: 35 1396 7z.exe Token: SeSecurityPrivilege 1396 7z.exe Token: SeSecurityPrivilege 1396 7z.exe Token: SeRestorePrivilege 1648 7z.exe Token: 35 1648 7z.exe Token: SeSecurityPrivilege 1648 7z.exe Token: SeSecurityPrivilege 1648 7z.exe Token: SeRestorePrivilege 2004 7z.exe Token: 35 2004 7z.exe Token: SeSecurityPrivilege 2004 7z.exe Token: SeSecurityPrivilege 2004 7z.exe Token: SeRestorePrivilege 1708 7z.exe Token: 35 1708 7z.exe Token: SeSecurityPrivilege 1708 7z.exe Token: SeSecurityPrivilege 1708 7z.exe Token: SeDebugPrivilege 2604 powershell.exe Token: SeDebugPrivilege 2680 powershell.exe Token: SeLockMemoryPrivilege 1012 explorer.exe Token: SeDebugPrivilege 2840 powershell.exe Token: SeLockMemoryPrivilege 2432 explorer.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1664 chrome.exe 1172 chrome.exe 1592 FBAFIIJKJE.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1600 wrote to memory of 2620 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 32 PID 1600 wrote to memory of 2620 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 32 PID 1600 wrote to memory of 2620 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 32 PID 1600 wrote to memory of 2620 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 32 PID 1600 wrote to memory of 3052 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 33 PID 1600 wrote to memory of 3052 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 33 PID 1600 wrote to memory of 3052 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 33 PID 1600 wrote to memory of 3052 1600 cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe 33 PID 3052 wrote to memory of 1664 3052 2RZ27NKGC2NFI9OMRM0D3.exe 35 PID 3052 wrote to memory of 1664 3052 2RZ27NKGC2NFI9OMRM0D3.exe 35 PID 3052 wrote to memory of 1664 3052 2RZ27NKGC2NFI9OMRM0D3.exe 35 PID 3052 wrote to memory of 1664 3052 2RZ27NKGC2NFI9OMRM0D3.exe 35 PID 1664 wrote to memory of 1964 1664 chrome.exe 36 PID 1664 wrote to memory of 1964 1664 chrome.exe 36 PID 1664 wrote to memory of 1964 1664 chrome.exe 36 PID 1664 wrote to memory of 2272 1664 chrome.exe 37 PID 1664 wrote to memory of 2272 1664 chrome.exe 37 PID 1664 wrote to memory of 2272 1664 chrome.exe 37 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 2160 1664 chrome.exe 38 PID 1664 wrote to memory of 1208 1664 chrome.exe 39 PID 1664 wrote to memory of 1208 1664 chrome.exe 39 PID 1664 wrote to memory of 1208 1664 chrome.exe 39 PID 1664 wrote to memory of 2036 1664 chrome.exe 40 PID 1664 wrote to memory of 2036 1664 chrome.exe 40 PID 1664 wrote to memory of 2036 1664 chrome.exe 40 PID 1664 wrote to memory of 2036 1664 chrome.exe 40 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 2276 attrib.exe 1532 attrib.exe 2608 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe"C:\Users\Admin\AppData\Local\Temp\cce6c6f51a01ff3662b263cd464e41b163db9590453603e2c8b5dee39d5f94d0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\G7R9EN9TGL2SLQSRRYWJ4E.exe"C:\Users\Admin\AppData\Local\Temp\G7R9EN9TGL2SLQSRRYWJ4E.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Users\Admin\AppData\Local\Temp\2RZ27NKGC2NFI9OMRM0D3.exe"C:\Users\Admin\AppData\Local\Temp\2RZ27NKGC2NFI9OMRM0D3.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7459758,0x7fef7459768,0x7fef74597784⤵PID:1964
-
-
C:\Windows\system32\ctfmon.exectfmon.exe4⤵PID:2272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=148 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:24⤵PID:2160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:84⤵PID:1208
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:84⤵PID:2036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:14⤵
- Uses browser remote debugging
PID:2268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2548 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:14⤵
- Uses browser remote debugging
PID:1640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2560 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:14⤵
- Uses browser remote debugging
PID:896
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=972 --field-trial-handle=1296,i,4319020192539647841,11015329603077147254,131072 /prefetch:24⤵PID:1668
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""3⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1172 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6749758,0x7fef6749768,0x7fef67497784⤵PID:2092
-
-
C:\Windows\system32\ctfmon.exectfmon.exe4⤵PID:1932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:24⤵PID:2956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:84⤵PID:2796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:84⤵PID:2804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:14⤵
- Uses browser remote debugging
PID:324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2492 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:14⤵
- Uses browser remote debugging
PID:2060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2504 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:14⤵
- Uses browser remote debugging
PID:784
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3548 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:24⤵PID:588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1400,i,869923112353998243,13718368443360758031,131072 /prefetch:84⤵PID:2096
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\FBAFIIJKJE.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Users\Admin\Documents\FBAFIIJKJE.exe"C:\Users\Admin\Documents\FBAFIIJKJE.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:704 -
C:\Users\Admin\AppData\Local\Temp\1016655001\ON7ZDqr.exe"C:\Users\Admin\AppData\Local\Temp\1016655001\ON7ZDqr.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:528
-
-
C:\Users\Admin\AppData\Local\Temp\1016672001\3c723c3f6a.exe"C:\Users\Admin\AppData\Local\Temp\1016672001\3c723c3f6a.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:404 -
C:\Users\Admin\AppData\Local\Temp\1016672001\3c723c3f6a.exe"C:\Users\Admin\AppData\Local\Temp\1016672001\3c723c3f6a.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2540
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016673001\b19b0de650.exe"C:\Users\Admin\AppData\Local\Temp\1016673001\b19b0de650.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:784
-
-
C:\Users\Admin\AppData\Local\Temp\1016674001\7c4097a750.exe"C:\Users\Admin\AppData\Local\Temp\1016674001\7c4097a750.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2036
-
-
C:\Users\Admin\AppData\Local\Temp\1016675001\9c04026924.exe"C:\Users\Admin\AppData\Local\Temp\1016675001\9c04026924.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"7⤵
- Loads dropped DLL
PID:2152 -
C:\Windows\system32\mode.commode 65,108⤵PID:1452
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1664
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2004
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"8⤵
- Views/modifies file attributes
PID:2276
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"8⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:1532
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe9⤵
- Views/modifies file attributes
PID:2608
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE9⤵
- Scheduled Task/Job: Scheduled Task
PID:1564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.110⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2208
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016676001\ec40513f8e.exe"C:\Users\Admin\AppData\Local\Temp\1016676001\ec40513f8e.exe"6⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1620
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2672
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1828
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2684
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CA6E0920-9F40-4C7C-90CA-0E50C3DE8741} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:316 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2024 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3064
-
-
-
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2412 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1064
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
5Credentials In Files
5Discovery
Browser Information Discovery
1Query Registry
8Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD51d6994c9e7456e30a9c2dcecdc184047
SHA1ad85ecf6f00da14dbde2b4b22e52809a02ad11cb
SHA25632d641a0b1a4d012ac26b4511e84b1ce3a0c129fccd4e85a78a31d46b14f1a8d
SHA51245820fc375361f0518efc53e283a5421a58ace75b2d4d94c9a190ac75a3b3717b9b797e8d27cec3014fcc9e9ea27f2ffc586777d8d658e0e24d379fe7604c607
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
32KB
MD569e3a8ecda716584cbd765e6a3ab429e
SHA1f0897f3fa98f6e4863b84f007092ab843a645803
SHA256e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487
SHA512bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5f93969c07216771e45265220b18e22c5
SHA1901fb6f036f70a436602750701ec8afb7aab6793
SHA256c08966c6b2bbd1f94aab4035d9a3a3337d4a26c2117bba295890935fecdee478
SHA512896da07e3f1e382be10a4be82ef573610a85b63bb661210dd99f299c105bce3b812cc53d56acc9f9383a014f4c19c7637780dfb45d3da3770669f631979a28d6
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Code Cache\wasm\index-dir\the-real-index
Filesize48B
MD56a313ea78cdb307e2d0583f212ec17df
SHA19c2711dbe66c381f293e1c52769733f08b5ccc85
SHA256cd4304069e4e18bdc42b4b376f4ee51224efdbd158b823f9ec9884fba97e9512
SHA512a0dc5f2a9d757ea944d969a2cd5bc7e66529da27ebae822ad25af845701f1a528444f3537bfa9262ac66a1055bd48ac92493285d7e249ffb1d664320e72276eb
-
Filesize
20KB
MD53eea0768ded221c9a6a17752a09c969b
SHA1d17d8086ed76ec503f06ddd0ac03d915aec5cdc7
SHA2566923fd51e36b8fe40d6d3dd132941c5a693b02f6ae4d4d22b32b5fedd0e7b512
SHA512fb5c51adf5a5095a81532e3634f48f5aedb56b7724221f1bf1ccb626cab40f87a3b07a66158179e460f1d0e14eeb48f0283b5df6471dd7a6297af6e8f3efb1f9
-
Filesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Site Characteristics Database\LOG
Filesize204B
MD56d465af7e396e34873c892b77b7c9408
SHA1ba992670f2b46d36b84844604524160cecbe0e29
SHA256f8ffbe96d60f44d7518751f3d0799e4e40c044171ecc889921e838b3af768626
SHA512f083fe10d4635f6f43ae43f0dbdaefb73da0a9cb73a7b88b226116415eb4a9ee673959d6eadb99d9c0745bc948c9aac7e8145240af87943ec8a5f9448a79095c
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
192B
MD5a0945250d5dcfe82e7548b4574584106
SHA1800089a5f0263a9cb3fdcb689865ed8768d37569
SHA25609cde0f6df1f47272900952b5a50e877bb3339e3caa4a6bbf01a40cb348b40a4
SHA512b346f5f48a37364dc1ba37d6979b929b0c6c96b35cdf45f5cdc897ddc096c50b35a28c9220846652dbdc917587fae1c346d5015d31300bcacb5522c3b9a798da
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Guest Profile\Sync Data\LevelDB\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
128KB
MD54748e3600e76aeedb49c4374aeceed1a
SHA1b3a0c83a95197c55cfb0bc5ce8e8408f9fe6e0eb
SHA256335ee178b9ade96ce5218a7cdfbd38227230735569178af577385e7c3f28ed87
SHA5122842cd4e4dc45e1f020fb7cffaf8a70d188f33de1033085db60f62ff650419c1ad361d19f708046fd936aeef16747e0ac239f92be2f33abba8ac38f45f2b82e0
-
Filesize
92KB
MD5cabb7f5827d06fc83d3648cf79149765
SHA13299074d2faea8faa1431b43fd4fe8689988df7c
SHA25608762bec17389386d9f9c429233b04d2a6a0e0847a8963f90fd5486b088e39cd
SHA5121a75145a38116670a71985b65e2b3b2748539094ae386d78a7e95df11d760687bf15a949bad2a2973a6a033cbc79351357363e0261de672dcf438f7ebd9da228
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5b1dc3d73df4ddca17f20e510bcef72f1
SHA13671a6477d6c266ca5906e79ddff3a33049a0184
SHA256539f5a6fe7045c26e1004dfa207cca7cbdc7769e25c3c8e41f71965119a27191
SHA512d0006bb01e5568d735e27ae1cd0f5cdeb39c2e89c4730c4858f77068d5a3bfd6ee3a7d41acd24f01f38a7415e0eb826b088f1753950e206773129cb3d01af58d
-
Filesize
76B
MD5cc4a8cff19abf3dd35d63cff1503aa5f
SHA152af41b0d9c78afcc8e308db846c2b52a636be38
SHA256cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a
SHA5120e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320
-
Filesize
193B
MD57e762d9c3e9a2673bc9a423622c69bb3
SHA11439d50f03df1d859711f3d429303d3b34fca462
SHA256b761908108cc17e9f31d4417b8ec772262c9d2c77c571748bf9664feb4895947
SHA512bdd43277b90ab3e0e848df2cfa901183898b1da5e969cfa3d17122f93bb5bf547f1bb726337fc07e19b758dac4c245a7875f8a7f7a2fd0744e061d49a499d8de
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\000003.log
Filesize40B
MD5148079685e25097536785f4536af014b
SHA1c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG
Filesize205B
MD5f1db687addf050bfd1108af4ee824a2b
SHA199077bf74c31b7aa6d9e90687329a26f64491f9b
SHA256a4fbbfaa9d9351a8b912c85e21c9debf5aa285da2e7aac6748d1507ea5c2b09e
SHA512370abd2a92cdf1a73abf99024a9f1fd110a8201f02c4441baabeb90c8da32059b8d6dc768a1f891e8f6f41c5992b86c434fb9feab903f193fd201eda57a91f0b
-
Filesize
46B
MD590881c9c26f29fca29815a08ba858544
SHA106fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA51215f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
193B
MD562292ed1ecf7c398533fdd3f26998f64
SHA105fb8df9b428880f57622f1ded048e357ed74737
SHA25630633f32250b51bf3373b15c7ab70510e726ccc41bf286bc14af71da961a6738
SHA51210535c403c9ebaefd64b98e0190e4dafd07cdb266172d8285344f8bdfa14075286cac5843debfb6d6d0fcf57e56972d5006907aa2db0e96af453b4db6e8a4d21
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\MANIFEST-000002
Filesize50B
MD522bf0e81636b1b45051b138f48b3d148
SHA156755d203579ab356e5620ce7e85519ad69d614a
SHA256e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0
-
Filesize
128KB
MD5c0b40c89a4e152ff184fe52db7f1ed01
SHA1697bb5c85d71ee4ed18f2ac772f552d85831da94
SHA256a6af5416b4d2f44bd338691be0fb14845ab5d499439dd6ffeb3b5da8e3a200dd
SHA51264bf257ddd65d8a4f6cb97bb3a86af306a05fce9ac2c013175b4e4f119e5eb7ec05498a07a2ee0dfabf53e988f1012cca51d0fc0c4485e404f23a5c1733fc6c4
-
Filesize
200B
MD5c64035ed766be242ddec1b37ed24eee7
SHA1c8a830763f3d4aac55b49eb1d423439d0c8b456f
SHA256acfeee5b82ae90fafa1d32751d4d16d3d0ffbb0a310969b0bb15f99dd5f8903d
SHA5122f2c51f02615742701c2940f14881850f6f2f6afc6151f6ea4d3354665a1c6510717f347deee8d5696a8c9af7102dc08928a572d02218be52d9e96b4d709f5c3
-
Filesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
295KB
MD53fd3550db5a93086bbff8d0ba8e62dd8
SHA13ac4fc26073ae82bce294b184b689d22a745191b
SHA256c2ab516bb3a39832d963770d813ab77027d454a087ad9fae8ce24336a78f9073
SHA512dc57658e7f38643ba99d3c5ff48af493f6ad88ae40720f571879416f45d4d47c4372d829a3829578c72e5a27316220431c239e85c904a9f0f84e1a2851ddfffa
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
4.3MB
MD5eac15673f4e20ec549adb1e79166124a
SHA1b5e8a8768f90ff2e19031008b36309d4ba207a3c
SHA25604bd9f0802c45b8affa1969006e78af4e12e991cc7e683df10bd370b5979e134
SHA5128e7666be51e08f33fd787cbf34cedfa402250abf50f527d81ec2a8df1084b36822c24e10ed1c16e6ee4c4b29ff947dfa21eb7c85d36953140cb62c156ab40d56
-
Filesize
1.9MB
MD5010ba3e0536ab31ac1636bd9ae8b3845
SHA1fd4b9fcb2eb6e7713cc6cf5bb37ea96d5c288ff1
SHA2561b49d4e0d0677f08de1dd66f3477d26a7336c463266b3280d75e43142d0b3eb4
SHA5126733e9cfcad54a587a540edd9502b66daf10deb34d33a8aaa8e252e16c0cdc02d6be91ea6253715ed8d89b618011cfd00c5b9c067ca320a70a6ae53ebf81727f
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
4.2MB
MD5022d6400fce5286db976b004d2e6ca6d
SHA1a5b6aa5e1d75d36eb9f319a4a37988bbcd565ec3
SHA256b02634b17908d8ee52c2d11a50572b7227b2510a6c25ab3847b979808b0aa50c
SHA512610de3e59c987288f504a3e6061be5cfa6b257882d3113b1c244275d5f1c38cc1e3b5383e1e473813ccb0e95737177b894b616ec416fcb014b5f0f0083a69b6a
-
Filesize
2.8MB
MD5cf5e2786d67540f9f21a9b3e7d7ea1eb
SHA194aa08096e89a7bd47756e39f4c600949dfb3af2
SHA256332a2d017c3d0383b1807469bd7e01ab0a1d84859676e81495af148b2cb26f65
SHA512d991328c5ac00ec87a5ad96f66b2acc644e9d6a60986a126ed034b19009511f9730a28a78218627a26f3eae3e31c71c9293075aadb174f808aa50292be69581b
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\044A61QFGIEKYM13W8P4.temp
Filesize7KB
MD516c76194bcfffe61b7188f0972523117
SHA1322a24adb35172d77746a3b30e28b6b2b37c5dc7
SHA25641a44197d8d323fe72bae9b8fd883b987bc2a5929e1b7ecdabd7574f2640a6e2
SHA5120ffae697daf801ac8bfda6c0f43453b23701d45a358c59fba9f53c67bf9366895657ddf8b7a1ce584f3539e5dd2ca18f6785ae7ae8db502a68653931ea3d122a
-
Filesize
2.8MB
MD584061ff2b02888f350dd0d0ede0479d7
SHA19d59578251487b20994b35fa711cb5e672de47b1
SHA256b5607eabc939ebf86a0efd6d4fa534bcd9f275a350a137079cf2e298c1751911
SHA5121e24c7bd9390aee22e017bef0e07e2d9e4291f8cef0508afaed2b6347fca0f9cf8752c76a4531b81a20c011d8b57345c3ace6e6b3c05b2099fef4e7a74f467e1
-
Filesize
1.7MB
MD5f2cf677babadbcf66be5b6925d970476
SHA1e0a0af7b241ec576068d796336c4c6e7717981a0
SHA25607e62cbe2492d263158762c413cfe0dc1ff7e9da26074c4b28c6a506c9253ff1
SHA5127264dc65b8522f3bf43083aeb2faf684424a73eb1b030be44314982abe34ec9f23f168cb326054508a9dbff87f11a849578bab9b65c832c47adff438bb979def