Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-12-2024 16:10
Static task
static1
Behavioral task
behavioral1
Sample
65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe
Resource
win10v2004-20241007-en
General
-
Target
65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe
-
Size
2.8MB
-
MD5
d9f807e1722578cedc93b978f21093cb
-
SHA1
7c78ede2ffe2681575f73359d6b2dbc409106e74
-
SHA256
65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63
-
SHA512
9a4cefebf1ce31919abdbfe4d904cec897fc2c31481246d04c1a32369a87c8dec8d306a13932c95e651059f22556323a4e8b97e2ff05896d3a4f58b96cc11b94
-
SSDEEP
49152:iB49+IycD31w2DM1B4+6Uxa7ZAcomjZuC2nBNgyHtgrRrCAx:iB4gIycjbDM1B5ZOAcdNx2B+yHtgdl
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
cryptbot
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
Amadey family
-
Cryptbot family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 71fc4f9178.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 71fc4f9178.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 71fc4f9178.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 71fc4f9178.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 71fc4f9178.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 71fc4f9178.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 6028 created 2500 6028 3c8775dd75.exe 42 PID 5972 created 2500 5972 699de6dcca.exe 42 -
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 9415fc812f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 94c056e9a3.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 15 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 71fc4f9178.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 94c056e9a3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9415fc812f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 71df9e725b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5796a13bed.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 699de6dcca.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 699de6dcca.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 216fdcf432.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3c8775dd75.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\revoflt.sys rundll32.exe File opened for modification C:\Windows\system32\DRIVERS\SET4A91.tmp rundll32.exe File created C:\Windows\system32\DRIVERS\SET4A91.tmp rundll32.exe -
Checks BIOS information in registry 2 TTPs 30 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3c8775dd75.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5796a13bed.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5796a13bed.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 699de6dcca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 94c056e9a3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 71df9e725b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 71fc4f9178.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 71df9e725b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3c8775dd75.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 699de6dcca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9415fc812f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 216fdcf432.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 71fc4f9178.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 94c056e9a3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9415fc812f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 216fdcf432.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 699de6dcca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 699de6dcca.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ruplp.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation de32729128.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 71df9e725b.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 45 IoCs
pid Process 2144 skotes.exe 1148 Cq6Id6x.exe 1548 x0qQ2DH.exe 3780 NordVPNSetup.exe 3996 NordVPNSetup.tmp 916 18a0fdcf28.exe 2688 Cq6Id6x.exe 1116 9415fc812f.exe 2828 216fdcf432.exe 1960 c42e877180.exe 2492 skotes.exe 4676 ruplp.exe 4356 RevoUninPro.exe 3236 71fc4f9178.exe 5040 b337b847e1.exe 5328 RevoUninPro.exe 5568 b337b847e1.exe 5604 b337b847e1.exe 5760 ruplp.exe 6028 3c8775dd75.exe 5260 18a0fdcf28.exe 5216 18a0fdcf28.exe 5692 3cc41ea41d.exe 5880 3cc41ea41d.exe 3532 de32729128.exe 916 7z.exe 1960 7z.exe 5196 7z.exe 3996 7z.exe 5504 7z.exe 5548 7z.exe 4832 7z.exe 5940 7z.exe 4424 in.exe 1956 71df9e725b.exe 5856 axplong.exe 5152 trunk.exe 5652 trunk.exe 5724 5796a13bed.exe 5972 699de6dcca.exe 2932 699de6dcca.exe 5288 94c056e9a3.exe 6076 skotes.exe 5336 axplong.exe 3768 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 15 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 9415fc812f.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 3c8775dd75.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 5796a13bed.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 71df9e725b.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 699de6dcca.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 699de6dcca.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 216fdcf432.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 71fc4f9178.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 94c056e9a3.exe -
Loads dropped DLL 56 IoCs
pid Process 3996 NordVPNSetup.tmp 3996 NordVPNSetup.tmp 3996 NordVPNSetup.tmp 3996 NordVPNSetup.tmp 4144 regsvr32.exe 916 7z.exe 1960 7z.exe 5196 7z.exe 3996 7z.exe 5504 7z.exe 5548 7z.exe 4832 7z.exe 5940 7z.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe 5652 trunk.exe -
Modifies system executable filetype association 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 71fc4f9178.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 71fc4f9178.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\699de6dcca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007237001\\699de6dcca.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\216fdcf432.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016967001\\216fdcf432.exe" skotes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c42e877180.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016968001\\c42e877180.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71fc4f9178.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016969001\\71fc4f9178.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5796a13bed.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007235001\\5796a13bed.exe" axplong.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023c7a-389.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
pid Process 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 2144 skotes.exe 1116 9415fc812f.exe 2828 216fdcf432.exe 2492 skotes.exe 3236 71fc4f9178.exe 6028 3c8775dd75.exe 1956 71df9e725b.exe 5856 axplong.exe 5724 5796a13bed.exe 5972 699de6dcca.exe 2932 699de6dcca.exe 5288 94c056e9a3.exe 5336 axplong.exe 6076 skotes.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 1148 set thread context of 2688 1148 Cq6Id6x.exe 105 PID 5040 set thread context of 5604 5040 b337b847e1.exe 145 PID 916 set thread context of 5216 916 18a0fdcf28.exe 150 PID 5692 set thread context of 5880 5692 3cc41ea41d.exe 159 PID 3768 set thread context of 4340 3768 Intel_PTT_EK_Recertification.exe 199 -
resource yara_rule behavioral2/memory/4424-974-0x00007FF7108E0000-0x00007FF710D70000-memory.dmp upx behavioral2/memory/4424-976-0x00007FF7108E0000-0x00007FF710D70000-memory.dmp upx behavioral2/memory/3768-3317-0x00007FF6609F0000-0x00007FF660E80000-memory.dmp upx behavioral2/memory/3768-3331-0x00007FF6609F0000-0x00007FF660E80000-memory.dmp upx -
Drops file in Program Files directory 63 IoCs
description ioc Process File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FE9L7.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-24ABH.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P83L8.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-O07E4.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-CNN7K.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-K4639.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-ALLS8.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2RJ7G.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-COFSA.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SGV6D.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-LT6EP.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-69AOS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-6EDP3.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-AG3US.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-P813P.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-NLJKC.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-IA3E1.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-87O4E.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-ASAVG.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-940SF.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KS14M.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-E74LS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FEM9P.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-RGHJ0.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-USVCV.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8J7TH.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-STL08.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-TJP3N.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FUGAO.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5T3CT.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-B3O2O.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D7DEI.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-S6P88.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6P5HO.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KOB4O.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8DPV1.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-6BGF7.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SB1HS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-J2P7G.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-IK7BG.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-52S8I.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-55BJ1.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-E5CJ1.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BQJAA.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-98VOD.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-CN6IK.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-QRHLO.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-SVMEN.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-8101P.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2RLHN.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-9V2JN.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BITSJ.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-POGFS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JLF4D.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-Q27B4.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-1NU9R.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat NordVPNSetup.tmp -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe File created C:\Windows\Tasks\axplong.job 71df9e725b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 5552 6028 WerFault.exe 147 5504 5972 WerFault.exe 190 -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 71fc4f9178.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ruplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5796a13bed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b337b847e1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x0qQ2DH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NordVPNSetup.tmp Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage c42e877180.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b337b847e1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3cc41ea41d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3cc41ea41d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9415fc812f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 216fdcf432.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 699de6dcca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 699de6dcca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 18a0fdcf28.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 71df9e725b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cq6Id6x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 18a0fdcf28.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 94c056e9a3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NordVPNSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language c42e877180.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ruplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c8775dd75.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language de32729128.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cq6Id6x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c42e877180.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5528 powershell.exe 3820 PING.EXE 5940 powershell.exe 3752 PING.EXE -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS x0qQ2DH.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName x0qQ2DH.exe -
Kills process with taskkill 5 IoCs
pid Process 3676 taskkill.exe 640 taskkill.exe 4340 taskkill.exe 2476 taskkill.exe 2948 taskkill.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications" NordVPNSetup.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8" NordVPNSetup.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder\Attributes = "48" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\Software\Classes\.ruel NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon NordVPNSetup.tmp Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\RevoUninstallerPro.ruel\shell\open NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL\AppID = "{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command NordVPNSetup.tmp Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0 ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command NordVPNSetup.tmp Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\RevoUninstallerPro.ruel NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel NordVPNSetup.tmp Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\RevoUninstallerPro.ruel\shell\open\command NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\ = "LicProtector Object" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F} ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32 ruplp.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\RevoUninstallerPro.ruel\shell NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510 ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4} ruplp.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.ruel NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\shell\open\command NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1 ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS\ = "0" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe" ruplp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe /implog \"%1\"" NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ = "ILicProtectorEXE510" ruplp.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 3820 PING.EXE 3752 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6028 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 2144 skotes.exe 2144 skotes.exe 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 3996 NordVPNSetup.tmp 3996 NordVPNSetup.tmp 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 1548 x0qQ2DH.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 2688 Cq6Id6x.exe 2688 Cq6Id6x.exe 2688 Cq6Id6x.exe 2688 Cq6Id6x.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 1116 9415fc812f.exe 3996 NordVPNSetup.tmp 3996 NordVPNSetup.tmp 2828 216fdcf432.exe 2828 216fdcf432.exe 2492 skotes.exe 2492 skotes.exe 1960 c42e877180.exe 1960 c42e877180.exe 3236 71fc4f9178.exe 3236 71fc4f9178.exe 3236 71fc4f9178.exe 3236 71fc4f9178.exe 3236 71fc4f9178.exe 1960 c42e877180.exe 1960 c42e877180.exe 6028 3c8775dd75.exe 6028 3c8775dd75.exe 916 18a0fdcf28.exe 916 18a0fdcf28.exe 6028 3c8775dd75.exe 6028 3c8775dd75.exe 6028 3c8775dd75.exe 6028 3c8775dd75.exe 5388 svchost.exe 5388 svchost.exe 5388 svchost.exe 5388 svchost.exe 5528 powershell.exe 5528 powershell.exe 5528 powershell.exe 1956 71df9e725b.exe 1956 71df9e725b.exe 5856 axplong.exe 5856 axplong.exe 5216 18a0fdcf28.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeDebugPrivilege 1148 Cq6Id6x.exe Token: SeDebugPrivilege 916 18a0fdcf28.exe Token: SeDebugPrivilege 640 taskkill.exe Token: SeDebugPrivilege 4340 taskkill.exe Token: SeDebugPrivilege 2476 taskkill.exe Token: SeDebugPrivilege 2948 taskkill.exe Token: SeDebugPrivilege 3676 taskkill.exe Token: SeDebugPrivilege 3236 71fc4f9178.exe Token: SeDebugPrivilege 4536 firefox.exe Token: SeDebugPrivilege 4536 firefox.exe Token: SeRestorePrivilege 916 7z.exe Token: 35 916 7z.exe Token: SeSecurityPrivilege 916 7z.exe Token: SeSecurityPrivilege 916 7z.exe Token: SeRestorePrivilege 1960 7z.exe Token: 35 1960 7z.exe Token: SeSecurityPrivilege 1960 7z.exe Token: SeSecurityPrivilege 1960 7z.exe Token: SeRestorePrivilege 5196 7z.exe Token: 35 5196 7z.exe Token: SeSecurityPrivilege 5196 7z.exe Token: SeSecurityPrivilege 5196 7z.exe Token: SeRestorePrivilege 3996 7z.exe Token: 35 3996 7z.exe Token: SeSecurityPrivilege 3996 7z.exe Token: SeSecurityPrivilege 3996 7z.exe Token: SeRestorePrivilege 5504 7z.exe Token: 35 5504 7z.exe Token: SeSecurityPrivilege 5504 7z.exe Token: SeSecurityPrivilege 5504 7z.exe Token: SeRestorePrivilege 5548 7z.exe Token: 35 5548 7z.exe Token: SeSecurityPrivilege 5548 7z.exe Token: SeSecurityPrivilege 5548 7z.exe Token: SeRestorePrivilege 4832 7z.exe Token: 35 4832 7z.exe Token: SeSecurityPrivilege 4832 7z.exe Token: SeSecurityPrivilege 4832 7z.exe Token: SeRestorePrivilege 5940 7z.exe Token: 35 5940 7z.exe Token: SeSecurityPrivilege 5940 7z.exe Token: SeSecurityPrivilege 5940 7z.exe Token: SeDebugPrivilege 5528 powershell.exe Token: SeDebugPrivilege 5652 trunk.exe Token: SeLockMemoryPrivilege 4340 explorer.exe Token: SeDebugPrivilege 5940 powershell.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 3996 NordVPNSetup.tmp 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 4536 firefox.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe 1960 c42e877180.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4356 RevoUninPro.exe 4356 RevoUninPro.exe 4536 firefox.exe 5328 RevoUninPro.exe 5328 RevoUninPro.exe 5328 RevoUninPro.exe 5328 RevoUninPro.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3204 wrote to memory of 2144 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 83 PID 3204 wrote to memory of 2144 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 83 PID 3204 wrote to memory of 2144 3204 65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe 83 PID 2144 wrote to memory of 1148 2144 skotes.exe 84 PID 2144 wrote to memory of 1148 2144 skotes.exe 84 PID 2144 wrote to memory of 1148 2144 skotes.exe 84 PID 2144 wrote to memory of 1548 2144 skotes.exe 97 PID 2144 wrote to memory of 1548 2144 skotes.exe 97 PID 2144 wrote to memory of 1548 2144 skotes.exe 97 PID 1548 wrote to memory of 3780 1548 x0qQ2DH.exe 98 PID 1548 wrote to memory of 3780 1548 x0qQ2DH.exe 98 PID 1548 wrote to memory of 3780 1548 x0qQ2DH.exe 98 PID 3780 wrote to memory of 3996 3780 NordVPNSetup.exe 99 PID 3780 wrote to memory of 3996 3780 NordVPNSetup.exe 99 PID 3780 wrote to memory of 3996 3780 NordVPNSetup.exe 99 PID 2144 wrote to memory of 916 2144 skotes.exe 103 PID 2144 wrote to memory of 916 2144 skotes.exe 103 PID 2144 wrote to memory of 916 2144 skotes.exe 103 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 1148 wrote to memory of 2688 1148 Cq6Id6x.exe 105 PID 2144 wrote to memory of 1116 2144 skotes.exe 107 PID 2144 wrote to memory of 1116 2144 skotes.exe 107 PID 2144 wrote to memory of 1116 2144 skotes.exe 107 PID 2144 wrote to memory of 2828 2144 skotes.exe 108 PID 2144 wrote to memory of 2828 2144 skotes.exe 108 PID 2144 wrote to memory of 2828 2144 skotes.exe 108 PID 3996 wrote to memory of 4888 3996 NordVPNSetup.tmp 109 PID 3996 wrote to memory of 4888 3996 NordVPNSetup.tmp 109 PID 4888 wrote to memory of 3240 4888 rundll32.exe 110 PID 4888 wrote to memory of 3240 4888 rundll32.exe 110 PID 2144 wrote to memory of 1960 2144 skotes.exe 111 PID 2144 wrote to memory of 1960 2144 skotes.exe 111 PID 2144 wrote to memory of 1960 2144 skotes.exe 111 PID 3240 wrote to memory of 2688 3240 runonce.exe 148 PID 3240 wrote to memory of 2688 3240 runonce.exe 148 PID 1960 wrote to memory of 640 1960 c42e877180.exe 116 PID 1960 wrote to memory of 640 1960 c42e877180.exe 116 PID 1960 wrote to memory of 640 1960 c42e877180.exe 116 PID 3996 wrote to memory of 4144 3996 NordVPNSetup.tmp 132 PID 3996 wrote to memory of 4144 3996 NordVPNSetup.tmp 132 PID 3996 wrote to memory of 4676 3996 NordVPNSetup.tmp 119 PID 3996 wrote to memory of 4676 3996 NordVPNSetup.tmp 119 PID 3996 wrote to memory of 4676 3996 NordVPNSetup.tmp 119 PID 3996 wrote to memory of 4356 3996 NordVPNSetup.tmp 120 PID 3996 wrote to memory of 4356 3996 NordVPNSetup.tmp 120 PID 1960 wrote to memory of 4340 1960 c42e877180.exe 121 PID 1960 wrote to memory of 4340 1960 c42e877180.exe 121 PID 1960 wrote to memory of 4340 1960 c42e877180.exe 121 PID 2144 wrote to memory of 3236 2144 skotes.exe 123 PID 2144 wrote to memory of 3236 2144 skotes.exe 123 PID 2144 wrote to memory of 3236 2144 skotes.exe 123 PID 1960 wrote to memory of 2476 1960 c42e877180.exe 124 PID 1960 wrote to memory of 2476 1960 c42e877180.exe 124 PID 1960 wrote to memory of 2476 1960 c42e877180.exe 124 PID 1960 wrote to memory of 2948 1960 c42e877180.exe 126 PID 1960 wrote to memory of 2948 1960 c42e877180.exe 126 PID 1960 wrote to memory of 2948 1960 c42e877180.exe 126 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 5140 attrib.exe 6032 attrib.exe 3428 attrib.exe
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2500
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5388
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
PID:5492
-
-
C:\Users\Admin\AppData\Local\Temp\65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe"C:\Users\Admin\AppData\Local\Temp\65bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2688
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\is-T2E6D.tmp\NordVPNSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-T2E6D.tmp\NordVPNSetup.tmp" /SL5="$901D6,15409387,73728,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\system32\rundll32.exe"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf6⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r7⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o8⤵PID:2688
-
-
-
-
C:\Windows\system32\regsvr32.exe"regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s6⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:4144
-
-
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4676
-
-
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4356
-
-
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5328
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016964001\18a0fdcf28.exe"C:\Users\Admin\AppData\Local\Temp\1016964001\18a0fdcf28.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916 -
C:\Users\Admin\AppData\Local\Temp\1016964001\18a0fdcf28.exe"C:\Users\Admin\AppData\Local\Temp\1016964001\18a0fdcf28.exe"4⤵
- Executes dropped EXE
PID:5260
-
-
C:\Users\Admin\AppData\Local\Temp\1016964001\18a0fdcf28.exe"C:\Users\Admin\AppData\Local\Temp\1016964001\18a0fdcf28.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5216
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016965001\9415fc812f.exe"C:\Users\Admin\AppData\Local\Temp\1016965001\9415fc812f.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1116
-
-
C:\Users\Admin\AppData\Local\Temp\1016967001\216fdcf432.exe"C:\Users\Admin\AppData\Local\Temp\1016967001\216fdcf432.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\1016968001\c42e877180.exe"C:\Users\Admin\AppData\Local\Temp\1016968001\c42e877180.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2948
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:868
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4536 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57fa2c7f-542c-4ecd-bf9b-93b6e68a0248} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" gpu6⤵PID:4144
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04269bba-b29c-4f39-be35-0922ad9ab6a9} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" socket6⤵PID:3432
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 3288 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c670570-65d8-4676-87d3-6c2ae736aa29} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" tab6⤵PID:1876
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 2764 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {864f09b9-766d-4c14-85cc-4a871c955628} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" tab6⤵PID:1364
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05ca7d88-5219-4a88-b512-98aee7481ae4} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" utility6⤵
- Checks processor information in registry
PID:776
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -childID 3 -isForBrowser -prefsHandle 5136 -prefMapHandle 5132 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75da1def-9ec6-450a-8e3d-fae9a4a2eb11} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" tab6⤵PID:5956
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 5380 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eca91131-61e2-4cf7-a07e-b7f0b6bb829a} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" tab6⤵PID:5984
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5528 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1228 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ce3b777-009c-406f-9d32-7ae3f74754ad} 4536 "\\.\pipe\gecko-crash-server-pipe.4536" tab6⤵PID:6008
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016969001\71fc4f9178.exe"C:\Users\Admin\AppData\Local\Temp\1016969001\71fc4f9178.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\1016970001\b337b847e1.exe"C:\Users\Admin\AppData\Local\Temp\1016970001\b337b847e1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\1016970001\b337b847e1.exe"C:\Users\Admin\AppData\Local\Temp\1016970001\b337b847e1.exe"4⤵
- Executes dropped EXE
PID:5568
-
-
C:\Users\Admin\AppData\Local\Temp\1016970001\b337b847e1.exe"C:\Users\Admin\AppData\Local\Temp\1016970001\b337b847e1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5604
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016971001\3c8775dd75.exe"C:\Users\Admin\AppData\Local\Temp\1016971001\3c8775dd75.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6028 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6028 -s 5684⤵
- Program crash
PID:5552
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016972001\3cc41ea41d.exe"C:\Users\Admin\AppData\Local\Temp\1016972001\3cc41ea41d.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5692 -
C:\Users\Admin\AppData\Local\Temp\1016972001\3cc41ea41d.exe"C:\Users\Admin\AppData\Local\Temp\1016972001\3cc41ea41d.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5880
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016973001\de32729128.exe"C:\Users\Admin\AppData\Local\Temp\1016973001\de32729128.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵PID:2008
-
C:\Windows\system32\mode.commode 65,105⤵PID:2096
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5196
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5548
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5940
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:3428
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:5140
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:6032
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:6028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5528 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3820
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016974001\71df9e725b.exe"C:\Users\Admin\AppData\Local\Temp\1016974001\71df9e725b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5856 -
C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe"C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe"5⤵
- Executes dropped EXE
PID:5152 -
C:\Users\Admin\AppData\Local\Temp\onefile_5152_133790118900552203\trunk.exeC:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5652
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007235001\5796a13bed.exe"C:\Users\Admin\AppData\Local\Temp\1007235001\5796a13bed.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5724
-
-
C:\Users\Admin\AppData\Local\Temp\1007236001\699de6dcca.exe"C:\Users\Admin\AppData\Local\Temp\1007236001\699de6dcca.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5972 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 5686⤵
- Program crash
PID:5504
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007237001\699de6dcca.exe"C:\Users\Admin\AppData\Local\Temp\1007237001\699de6dcca.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2932
-
-
C:\Users\Admin\AppData\Local\Temp\1007238001\94c056e9a3.exe"C:\Users\Admin\AppData\Local\Temp\1007238001\94c056e9a3.exe"5⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5288
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2492
-
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exeC:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5760
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:2688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6028 -ip 60281⤵PID:5500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5972 -ip 59721⤵PID:5376
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6076
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5336
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3768 -
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5940 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3752
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Query Registry
9Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD5ec8e58e6b58b4fcde77431cda3a24c0e
SHA1ebb474009b2a2fbce648adff4b8b797fcd00c997
SHA25625667717bf4691957f07a6363585e2c7eaf22e5fd7229bf32c91ea59ef4a2edd
SHA512e2c667ebe97973ff27c1edf3e45ebf7950bc8d7aad1126da25290a2f590b21808654694cbe6a0ad1d3649566ec7645eb6b3379c7d7c0a650d5381a69e9cdade4
-
Filesize
187KB
MD58b9964e06195fd375d126b424e236f03
SHA16f1741cfeb9fb70c34857dbba3e063c88c3c32fa
SHA256bda04b693bfdea86a7a3b47f2e4ceae9cd9475c4e81b0aa73b70fd244a65f70f
SHA512741019523b4c5f4ef9a7952172309b2d304a84cbd98fff99a719105cc1938157edb1691554a21b9dcd2b523c0f1ab0d37879deefc3b2fa5579c0d8c76cade483
-
Filesize
24.2MB
MD5c8c368988a2a4c2a953b7db4bca47961
SHA15acc29b51284146a9ff7b1587c3d89416e66acdf
SHA256f680e0fe00a48f6e3d079c1572682d6664f476b119745d73cb852baba58cc683
SHA5125fdef1f4e3b471910fe2b12f6f6aa8bfad3f2a9c80954843085c79139823a88e0c7d921b7c01dda56871800afc20de4739682c02e9fa6a94715c64207a671b30
-
Filesize
123KB
MD500d7babcb1fca39669a305acc4e6bc4e
SHA1caa71de90128acf6e8d812e02aa8ba4622bf8454
SHA256f0f1890de8a60f87297d6de21146977060a3b5d82e09523bced0c238e94f5d2e
SHA5129f1348f6ee7325b7d3381865bda4d71807da45c941c3b40c7671df04a6558832dfd03f25f5664250b43b641117d7d3d7c71f7e81b747cbc559fc5b8169033f66
-
Filesize
132KB
MD50a56b7e703bd3ed03ebaff0d1ce37be1
SHA11629651f20c63bad9b92f7a21f66a095f7ab8fc1
SHA256b7727c9c2cedcef3808b677814640e3e4b486517bf66f512c543ef8d0b3a0a21
SHA5129dcae642eb17514e87c7798881f501bba75d39f6addfb08f795caa6ad229bade02a16b29a54e718d608778cfbae69ea8f864e61e6908bbc7598b09aaa6ce64e1
-
Filesize
2KB
MD5edc78deb34de240c787b1011161e9a4e
SHA12d31275530dce33d3bc329991c8ad59e1b303577
SHA25669569b4b111035cd35186da239d8241cf96350f6bb296210368ebc570fa2162b
SHA512e55eefcc39b7353ef11a778910400c5c85cab9657bb350840988cbbf556dc343a9c1803442643c9255c149f8d93a5c2d2e6c3bea244f67c895e635eaec0a0f7b
-
Filesize
9.6MB
MD5216b49b7eb7be44d7ed7367f3725285f
SHA1cf0776ecbc163c738fd43767bedcc2a67acef423
SHA256c6d97857b3b9f26c8e93d7b6e6481f93a16db75cbf9d1756cb29fba0fd9e240e
SHA512060fb76d91bee1b421f133cae17726a68adc97ddce76a67196d10e735e216d032bee939c905b847c50f29e859dca43cdf1b19e4ae349e00efe88147224d665cb
-
Filesize
64KB
MD58462a9b69c76a9603a4143d51fbc201e
SHA14473590f93f94f22c340a354516191c3c0ba6532
SHA256fe4bcb4251f77375119a936c80fb36221af0c5105e840e2e115d47f96cb437c8
SHA5122f02ecdb06760a093f4d8e6f04c97138695b064db8cb2dcc4af9b47c829852f38b77be9425eb2f3e3e36f85da181c116c829921fa35ae68afc57c728d5393570
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
Filesize18KB
MD558ca1a211961e83cd87f7043daf8de04
SHA1e506610e540ea039414587f712b316fbefde7497
SHA25651cfc901c5dea4fa1f2f0048643602702d89c2ccc75387d0a4f78fe8d1586b90
SHA512a206010167e5facdb1d322fb30f931eb3cb897eb6949512e22f0651811b9673d1878f7126a39d095b27515339bc619f58251eabb250ecc92a0f706d3f2a5859f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD555309b0fce9686a6a17add4e11c1d59c
SHA1d558d213d8613b93de60a436e912ed0cf37cc89c
SHA25667df23a53b0c42a5d708a051639531334cef4209ffbac0d05db6d4ee1c51e7a5
SHA512c72865dcce119231cc2aef21b717fb70ab2b96aa7b1ea804717c397c6c32d2c1dc4bc64a0b4026d9a338a82197b854b81bb4b6639dd7c3bee47129a56f54fca0
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
10.2MB
MD5d3b39a6b63c3822be6f8af9b3813bbad
SHA100b020e5a1c05442612f2cec7950c2814b59b1b6
SHA256786f1331a0618485b31ba763911b14fcec691bf9897bee8f42680076092b7a2f
SHA512a5c7504b29798fdabf610cf65716ec1d7745956f470d86de12a52b3c8731f858764fdf78647e50b3111622e7e65f05f82cd258b98c1a0f45ef7fdc088647d4ff
-
Filesize
2.9MB
MD517773f6ab422d27012d0f813eec77035
SHA1e148f243044c22dd5374d41d4d9c5ae066c454cf
SHA25634b764f92f6aa319f62bf730e82f02a914cda5c7d7fa665c20a8f2c5430acc4a
SHA5126e0f75cea50dd43eb019fa5eb66d7e92262b2a7fdc12ab872afbd6339c069856427ce0e7cfd86fcbf17943d7c180a15ce12a9799561330173f485cafaa4ace88
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
17.6MB
MD53c224e3fc892719dc1e302378e533579
SHA10a65062e1426a95bfeca355398b6fdc4912fb6b1
SHA25664cc7f7906fe1ebf0b6977892abd9aa36f5e525cb241964c3986ee9e1a18312d
SHA512554a26e9654eccce831e4adcee49d5e2507956935e562b134a86f332d867debfcd1f64fdb88fccb2e1eee810975d565dbc6ea1376516817ee38765e4bd733a49
-
Filesize
4.2MB
MD58841698b335573b0abe7875b85b653d6
SHA1e74926dcb5b7e996d4f4961a763d2c4d8e8e24d0
SHA256490fc3ac1830a381350813ad614c258eb761886aad612879a592461edffd719b
SHA5122f8941aaf2724687e70f4c742ac2f3a2009df18776d8e182a3042eb33422463df109e1e666d8f8a66cd7f6312e86aa9dd4a127c5559e04cbd57a6da51077e037
-
Filesize
2.8MB
MD53bb75cb881e430e48ec13d73d43abe49
SHA1dffcad869a875b9fa9a142bedf34d781db72e709
SHA2561e632d695c7204f2b42e9ce49001d02c81aad32216b0375f94e710f6190aeb6a
SHA5128bfd4b91c00b20e3cbcea3d0c19f80af8813fe5142eb59b30827e3bca0308b70f40754288345fa7b10de49e949792e81f084994e83197d857ef248f8f29d6eeb
-
Filesize
945KB
MD54e38b1008d236084740a6c44fbc4ebf6
SHA1fc8bd7f661e78127932bf4f0fed8651044c3ec28
SHA256d18ee20816febb7f9c68c906651376a94130383b54cc739aa9cbe55a9c4659bf
SHA512e5d0445f8c1de74a66934f4e21784fd4ab2d7bbe05047a5c2d826a3aaba8047f76cb084bec23bb7a243d68fcee72310541aafde2818b84edf703d59dae93ef7e
-
Filesize
1.7MB
MD57be93aff7cef5ad80c82706349b7fed3
SHA13ecee88fe03d1128fdd9687aadfefbc30422881e
SHA25603758fcdba856326a849effda02aa9185ab135b95c1c0854e9ec7d2d3889c0f3
SHA5127d620e39f4d1498765f733078c41f2db5c5f273e2e8781bfc517aee9d444bd6cbba817f0c925a95c2acb76f6f4467fa56a8306f6d372e321e7e1c69495a25db0
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
1.9MB
MD5e7eb9a61aec1e191dcc006e605c7628e
SHA1f931ceab7be44e9efb12b7ff292e0227eadebce2
SHA2560428284ddb962526e13dcf1be7707e0ce1acfcca7eba4dc33a03dc8503c03253
SHA51273856a2a132ea5786860d07b36bd3293facc0562f2b630a08036932331d1e91417e87753815c25d534fa2eb0f6d76e8039a3af6eb407294711eae5bb0b1a1ba5
-
Filesize
747KB
MD58a9cb17c0224a01bd34b46495983c50a
SHA100296ea6a56f6e10a0f1450a20c5fb329b8856c1
SHA2563d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
SHA5121472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
2.9MB
MD553794ed30f84817a4fba9b4ab9e0d9f5
SHA137ac4bc007e07ab6ce504af155178e72fd209f31
SHA2561a0bbe3b41111bf13db81281111de188157cb55fa35097b7a541254a3da1b361
SHA512855a6cc5170a57652e778574a34f2bb952961da8921b78030f98b19818a2ff81b4b1e571fde36176a796ae2654dc066ee2137808d5158e4980445f0e023fd54d
-
Filesize
15.0MB
MD500fad648745710b9c4d16c4830416d80
SHA1fafb219fe26e065cc11d4c12a4960447509b2a84
SHA256e4561ffd0993938234d207ce56d5fe775c4ddb704f7be63003026d43eae0a337
SHA51221e7b3965d1f54eb671b46e272161a426dd8a4151208b154c7fbf144725c38d593d513fb6f77cd1cef4df651266fc235a76023102b5fdc85cc8cc67da6ded847
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.8MB
MD5d9f807e1722578cedc93b978f21093cb
SHA17c78ede2ffe2681575f73359d6b2dbc409106e74
SHA25665bbaec08da3f5f231efb44ddb1da44d6d4adfd9fc0fffe385f3b9d700681a63
SHA5129a4cefebf1ce31919abdbfe4d904cec897fc2c31481246d04c1a32369a87c8dec8d306a13932c95e651059f22556323a4e8b97e2ff05896d3a4f58b96cc11b94
-
Filesize
41KB
MD548f30e9b874607f974a289c4b9366eac
SHA1665bc7dd97777c2b28034b4fe9e67aef918638e6
SHA25636fc3878d46bb626808d005d048b06e047f099ea55e06630e5ca3f770e9d2001
SHA512b6920c6a3eb231cc7c4ec856f4c1c4244c81828ac8ef755f396d327a9e41c3f26fdea8c7f8ae1df8d9d48dd7840090bb19bcb2f653f84b958cb84cd6e901cc65
-
Filesize
5KB
MD59a4195984907c6c86e8f9f3c699c929a
SHA14ab99e6e19653e1843c87c9aea071e5e3baef8e8
SHA256a4c727202170101f55249b0867b24dc8a6ad3098af43c5c2dea7a683f34509bf
SHA51290dc881faa1b7cfd4e00130f22c433b1558f3a53090edf039a92250f7bb0a1bff213afa16b189f4c314a27658b229a434f2cb0eede1f412768888dc7639a0b9f
-
Filesize
51KB
MD5e5064949166150e855113e66df1abc38
SHA1d24f57301f4d4f3b48081e4c8744e9fc031676f7
SHA256e73cf0ce497baf7d5b8180143b91a2f42de1d87480cf3f38271f0f2f97aa4080
SHA512fc3749f2453d8eb7e9b9dc325951543c1640ca1d15ee547c9da117451a10fa5e1605b3a7e783558291ed67d460a712aed938a07681e99a1f203d5f14ae081086
-
Filesize
4KB
MD50ee914c6f0bb93996c75941e1ad629c6
SHA112e2cb05506ee3e82046c41510f39a258a5e5549
SHA2564dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
SHA512a899519e78125c69dc40f7e371310516cf8faa69e3b3ff747e0ddf461f34e50a9ff331ab53b4d07bb45465039e8eba2ee4684b3ee56987977ae8c7721751f5f9
-
Filesize
6KB
MD54ff75f505fddcc6a9ae62216446205d9
SHA1efe32d504ce72f32e92dcf01aa2752b04d81a342
SHA256a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
SHA512ba0469851438212d19906d6da8c4ae95ff1c0711a095d9f21f13530a6b8b21c3acbb0ff55edb8a35b41c1a9a342f5d3421c00ba395bc13bb1ef5902b979ce824
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
22KB
MD5ab35386487b343e3e82dbd2671ff9dab
SHA103591d07aea3309b631a7d3a6e20a92653e199b8
SHA256c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2
SHA512b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
4KB
MD586bee4a15a777e236f1636b57a37b047
SHA17c93de14c61603a0573719de1ffa86b7226c0dae
SHA25617e6f0e88a231e25c1de67a0d4ae308284f407dea77ff8b3ce363b770c5ba8f1
SHA512af3ebe043048c6dc683408f22e647609d0423fd2fa55cba5d981f978fb1123fd9d5cfca147168d4ff437a09f699fd5d5c1a14b50d66ed4bcae4485adcf0ab8b7
-
Filesize
4KB
MD5f5486535c71cd199e6c1f3dc43a8943e
SHA1366a454cfab4821747d069c2c5de687b84e49323
SHA256ee5c535dc8f819b31346e1723db1a5aab6bda94ff57c2477e1291fd4f7841bb8
SHA512ab2bf66480260064075e655746eabd32ea71e1f9b232c03ecb67999825418177c033b224b0f5f5b269d1b86428134e6bf7389c1729a591103d4b74b7497e67b1
-
Filesize
39KB
MD51ea948aad25ddd347d9b80bef6df9779
SHA10be971e67a6c3b1297e572d97c14f74b05dafed3
SHA25630eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488
SHA512f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545
-
Filesize
2KB
MD56e57cda7a4a20382c6033d2458bd676c
SHA15524b66fa844db104ce6173f7aa0de625f53a408
SHA2562b9fb591c534ff41765b9b4eaee88e121501b78cb3bce3bd768c68838a363e5b
SHA512f33de6f8897e9a756a2d3c86fdb75549b475e7185a8aa4b8d1462a59e2eedc8b48d2acfbef4347584ba23d71cd7aeb0856e737c07f4f82379aab40fe6860974a
-
Filesize
920KB
MD5ce14f23d9bfc00a3cc5ceb06a25030e7
SHA1c63991558fb7c45555a1c4e53151bdb518b15eec
SHA2565bd02d57433581efc6e14f6aefa4d1b5a52051f2ca269bde439b50658fa0bc39
SHA5126497e85f1009b26fe68317a695467505e6f75270f07308ee7c321abe9b08b7ae563598b11b44629051759f321a39ec7595c0c6e48b9778146ee7f42096ff88ce
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
322B
MD58194f5225ab02ee1917363692ca049cc
SHA15a802fab1dea33b6ed55e534731e358d14de0086
SHA2565e680443eb6c02c09ab00a1a42cfc2f3a2985e99933d88e06e030255ada9d206
SHA5121ad341d22bf34420265ddc4ba49e87841c712d30f2ff7ec366a5fbb421b1d322e24003c4562fbc38e91c4742e9242de7ea2b40742777705f61271f7b3e90f34b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize6KB
MD592a53653324c7c10be39668544e143b0
SHA1c2bece31e7900cba452e9227c04f1ca998a92c77
SHA256cf9925ea127197ec45697e100c34915e6018dfa1730bf880215383c14333304e
SHA512a83f5f2b192bddec63cdf7fab88da661a4f9e10ef6c5178280ac6abf4d48340c1ac3b6a4fe3fecb4227bf44afe69ca9c11c98ea0d3bfbedb25301c8a4651016e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize7KB
MD5a674574475433abe44408fd84b7f5c75
SHA169bf3e7e8be3596a3d0df4ee60965637a1f292d8
SHA256329203172a0603443fb3d9272f21f0e467b56953b19c474ddaf120f4398581a3
SHA512eda6a0ca5dc58e306175fb0dd227c3e92144ab08ba63f6a15280d8bed8da935129ded865c10d77829128101c07847594ff155d9484dc06a794fd77e2d7540f17
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
Filesize10KB
MD5c2022814afd237c0157aac553b4f1938
SHA1e8c17cb214f5c038d00bf61beacef840b114ecff
SHA25603342603cb653b28006b3d02879ff486321feb55958b8c60472b54ed204328ed
SHA512527324153d5d9766e7574e6a0fbadcacb761051b2ff12527f4426840a21c24b10aa67b369d12249805fec328ac223c9475f630ebedc2be569f82c801387962e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize3KB
MD54df5ded09104bf9ab0722659b1ea3ad7
SHA130215795f77a47e6b87534ccbc9d529a18ab039e
SHA256ebbdcb78f8638546bd012ef85a24083b05aa3e72c493128592b558000ab54fa6
SHA51251de6c1d2a2c08295087284ef12142ef58049ff3d6d51e1b78dd16b6c73bb29a8c6f67c689d8d4e25e1c13961c0fa4d2ab525db22fc0a4607208cdfd4342a2e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD550332eeb5279ae73642979afd4ea7a88
SHA1b64cb9a6def7c4ae20f51770494250d176554316
SHA2563edfdffb7341e5155ec64f540ef548577b28a2ab9cfb43e0e7142454782dd3c6
SHA512d548eaf8d8ece97633a4f9e372dec587f7f41eb54cb81e58b3788dbd0a279cecfd16ee7262379befe931bad1accde525839a608d69dc3472ee1af3a663625aa8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD548bd62a1e55821c698ae39918749f2b8
SHA1bcd0e8efe2baad8a9caba7d144bfc7896d5af563
SHA25678eca593d5d63036994d1b8692dee5f81d099eee06be1d74e4c93ed96ba3a70e
SHA5125e627df91dd10e9538617b9510a7ccc33f5b24ec551ffbb9a6abfbe9360a146e01a77d15c47261e6a789b684226b0486ccb9dc4787eaa7c2fffe5707c08afa05
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD52ef74a134f0e2b934d44861e8d05d814
SHA11494b7a3193e65fdef664a8160b129e20885131f
SHA25602b850edb9ed5d81ef744764ee873f9e6eaa464b5867f32545be68f1583d0ab6
SHA512607740aea61e642ad7927625c05758a3e9a0431e142388a836cd7e218cc610d707b30d2d82fd968dedd45961afa3c99d500f23dc1936084862f47402e05bfb5b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD5c24c9d6bc73c8a51d438160a9c9242d1
SHA19fe6c528d6235bd7d20170f82a67324cf5b73c87
SHA2567995745f75cb80b617cd4f0fa1bc6c59bb9132e0699746803a8563493da1f698
SHA512a86f74d1de1bcfd7e96ba104e69007f651db0481df3805f527bed094eb1e6580b95fe65f1e37e07a14b4f854e9ae65f4e2e48b26d09a6eaf03f772ac4bdae11b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\2a18c169-f4d5-4207-8d70-6fc6981bb7e9
Filesize671B
MD5e0c016a604706101e5bebcac8f04ecb7
SHA17d6605efc193a85a27dbedeff89670693ee52c76
SHA2563a5c358c80ca80e4ec49d7c70af6196c6308c52486812ea403ed14e7c0db568d
SHA512699c71a8df559d681a8c88437a5873e13ba90f21dae416e2fb1d9fdee32fe93df5ac869f61d05408f34f18bcdcd8fa2ac6680bad4e013a2c5f79118c6f5d76fc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\a69f6a87-7a51-4b0d-a110-37a773e98658
Filesize982B
MD52779525feff8e0af319b0be91f6d5ab8
SHA135647925e39064b47d6e398f41c748d48533346d
SHA256ddf092109663f4afb279e93491ec51650fbbc7ba9729faaaf6ca393ad4ed9e47
SHA512157775535b46ed5bb19b0259b89bcc7048c0dcfcb7c2ddb8ad425f6cf46776881cf2230d1d7b7f4ea7a284778265b1f8b5d411bb545ad6e8c6f969803ec3a124
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\df021fc5-154f-4d42-9c10-e4403c8c5603
Filesize28KB
MD51b4dda9ff726e26296f5ef1b7a9543a1
SHA12c552effbf029f77aad1325d61b57fd761b88dbb
SHA25694b8ae19a5ef1ff18ad900207553af22eded06d8fb08c33dea52f6fda57561bb
SHA512fbab0e0c6a4c1a570e6709d19cb7e52d8a02b1eff37fb2bb26597f5c6f7b50a68e3cc906f990b15549cfe113ccfa6709c3757868425ee6285a23477caa049aa9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD59432424c5c932ea31d9b5a3d6e39a444
SHA1f93fa856d2399bbfea55995210e5ccb4d6e8a894
SHA256df6decc399f103cdc8b3ada014c4b0116bc685f86b7b29c07a24709060476bef
SHA512d0f8e9aa827473dec083c93d8cb8b08387a3fef6ee43df2a16fb8cff9b3af5a8830ac3671578b2afef4b274395606cfa8892f0a71468fb1a1d18ea243551c014
-
Filesize
11KB
MD5dbfc3e39c083cf3d09e6d1093ccb2eeb
SHA17c6ca8fc0f61447a2d25e64e7a865bbebed89351
SHA25688aec245efe78310153470bb4884950bfa8fc002c20866bac66ee6f441aa8390
SHA512e52d82e6693801b248d8ca4f2053662ff36fdafb8624df657549cfd9fbc71877efac86307413acc61a11958de232c63216738ea2176284ea5c4ed4e0fb344a6a
-
Filesize
15KB
MD5941a466299383e4a98c08937bb462af3
SHA11ee857015e160c49c8dc13a851aa196c5fd04740
SHA25658008489828e3c184dd742341290fcc907ddd1230d245b5b8c57ed483763b124
SHA5122185205afb39e0b19d987a394ef865dec0bb19f898d611bcf3df2a3f3af9354f04a3f9babae38ca01d7de07f95f55b3a61addc4e029a757d6faf3bdae95d85f8
-
Filesize
11KB
MD5b6da1b5a6adb761f88d136928aa4fb52
SHA16d7cb2a9d335a66a5d0f65e0c08574aabff376c7
SHA2560d69882ae9a1f9917796b2303699260c034536a50cd90f4401590514192041f9
SHA512b48bb9115e2d25b7fc650ad13c485c0f665bb32965d0774842840d9cf995c0097ba4bed88c813e49712fbf4e1df4e0dd9b5441b9f5730b520b2a2d7298772682
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.2MB
MD5263ef0652b53248cb5de31c709d2e480
SHA104951e87a1439c4bc38945efb0330e8ea65db6f3
SHA256604863738e30d486aaa61a5b1007e13a380bbd9ef5723e194bd3aa8029aa1217
SHA51236d92af57b31c3a3fcb79b905b3b95fd34117a177765371d3ae191bdb2aaee2b7df3a27fdf3381d1b77f0d4514605d30fd0c8d3f688fd2093a009c60c8b1f66a