Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 17:13
Static task: static1
Behavioral task: behavioral1
  Sample: e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
  Resource: win10v2004-20241007-en
General
Target: e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
Size: 2.9MB
MD5: 8a6df8d3bab93a45abfec4947c817b93
SHA1: 94cc2a82869276fd48a17019971d606c3fe6abc0
SHA256: e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d
SHA512: 3af6e9df139d2a51095d07fd45bef9ee8f99dcaf8b70eabed25fc64c9dc9bbfb54445470e007b6c6b67ed2bf4f8df3336099db87ec3b959aeb6c23570441133c
SSDEEP: 49152:Yu/hmcGcq7VRaizO/0kizrIYRpxu4JxqTsmEO:d/hmcGcq7VRaizO/0rMSBJ53O
Malware Config
Extracted
  Family: amadey
  Version: 4.42
  Botnet: 9c9aa5
  C2: http://185.215.113.43
  Attributes:
    install_dir: abc3bc1985
    install_file: skotes.exe
    strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
    url_paths: /Zu7JuNko/index.php
Extracted
  Family: amadey
  Version: 4.41
  Botnet: fed3aa
  C2: http://185.215.113.16
  Attributes:
    install_dir: 44111dbc49
    install_file: axplong.exe
    strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
    url_paths: /Jo89Ku7d/index.php
Extracted
  Family: stealc
  Botnet: default_valenciga
  C2: http://185.215.113.17
  Attributes:
    url_path: /2fb6c2cc8dce150a.php
Extracted
  Family: lumma
  C2:
    https://impend-differ.biz/api
    https://print-vexer.biz/api
    https://dare-curbys.biz/api
    https://covery-mover.biz/api
    https://formy-spill.biz/api
    https://dwell-exclaim.biz/api
    https://zinc-sneark.biz/api
    https://se-blurry.biz/api
Extracted
  Family: cryptbot
Extracted
  Family: lumma
  C2: https://shineugler.biz/api
Signatures
- Amadey family
- Cryptbot family
- Lumma family
- Stealc family
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 1072 created 1260 | 1072 | 633ad5fbc9.exe | 21
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | b957569edc.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 633ad5fbc9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b957569edc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4c278ec1bc.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c41682d63e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | v_dolg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 110423c8a9.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
33 | 2704 | rundll32.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b957569edc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c41682d63e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | v_dolg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 633ad5fbc9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c41682d63e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 110423c8a9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4c278ec1bc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4c278ec1bc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | v_dolg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b957569edc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 110423c8a9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 633ad5fbc9.exe
Executes dropped EXE 34 IoCs
pid | Process
1836 | skotes.exe
1472 | Cq6Id6x.exe
1964 | Cq6Id6x.exe
2116 | Cq6Id6x.exe
2484 | Cq6Id6x.exe
688 | Cq6Id6x.exe
528 | Cq6Id6x.exe
600 | x0qQ2DH.exe
2076 | c41682d63e.exe
592 | axplong.exe
2792 | stealc_default2.exe
2800 | legs.exe
2476 | AllNew.exe
1156 | Gxtuum.exe
1956 | am209.exe
264 | defnur.exe
1712 | 326065b9ea.exe
1816 | v_dolg.exe
1640 | 326065b9ea.exe
1072 | 633ad5fbc9.exe
1124 | 326065b9ea.exe
2396 | 67dfa006bc.exe
2012 | 67dfa006bc.exe
760 | b957569edc.exe
1072 | 110423c8a9.exe
1124 | roblox.exe
2164 | stub.exe
2096 | goldddd123.exe
1764 | goldddd123.exe
1080 | 4c278ec1bc.exe
2688 | sintv.exe
1524 | e1525add02.exe
1520 | Out.exe
404 | Out.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | c41682d63e.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | 633ad5fbc9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | b957569edc.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | 110423c8a9.exe
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | 4c278ec1bc.exe
Loads dropped DLL 53 IoCs
pid | Process (consecutive repeated entries collapsed, count in parentheses)
1892 | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe (×2)
1836 | skotes.exe (×1)
1472 | Cq6Id6x.exe (×5)
1836 | skotes.exe (×3)
2076 | c41682d63e.exe (×2)
592 | axplong.exe (×5)
2476 | AllNew.exe (×1)
592 | axplong.exe (×1)
1956 | am209.exe (×1)
2792 | stealc_default2.exe (×2)
1836 | skotes.exe (×2)
592 | axplong.exe (×1)
1712 | 326065b9ea.exe (×1)
1836 | skotes.exe (×2)
1072 | 633ad5fbc9.exe (×2)
2704 | rundll32.exe (×4)
1836 | skotes.exe (×2)
2396 | 67dfa006bc.exe (×1)
1836 | skotes.exe (×2)
592 | axplong.exe (×1)
1124 | roblox.exe (×1)
2164 | stub.exe (×1)
592 | axplong.exe (×2)
2096 | goldddd123.exe (×1)
1836 | skotes.exe (×2)
592 | axplong.exe (×1)
1836 | skotes.exe (×1)
592 | axplong.exe (×2)
1520 | Out.exe (×1)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\110423c8a9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016995001\\110423c8a9.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c278ec1bc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016996001\\4c278ec1bc.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\e1525add02.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1016997001\\e1525add02.exe" | skotes.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | v_dolg.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x000500000001c670-595.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid | Process
1892 | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
1836 | skotes.exe
2076 | c41682d63e.exe
592 | axplong.exe
1816 | v_dolg.exe
1072 | 633ad5fbc9.exe
760 | b957569edc.exe
1072 | 110423c8a9.exe
1080 | 4c278ec1bc.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1712 set thread context of 1640 | 1712 | 326065b9ea.exe | 53
PID 2396 set thread context of 2012 | 2396 | 67dfa006bc.exe | 61
PID 2096 set thread context of 1764 | 2096 | goldddd123.exe | 70
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\Application\chrome.exe | sintv.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | sintv.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
File created | C:\Windows\Tasks\axplong.job | c41682d63e.exe
File created | C:\Windows\Tasks\Gxtuum.job | AllNew.exe
File created | C:\Windows\Tasks\defnur.job | am209.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | goldddd123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c41682d63e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AllNew.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | defnur.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 326065b9ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 67dfa006bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cq6Id6x.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stealc_default2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 633ad5fbc9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | e1525add02.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | e1525add02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v_dolg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 326065b9ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 67dfa006bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4c278ec1bc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Out.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | am209.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b957569edc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | goldddd123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Out.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gxtuum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 326065b9ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 110423c8a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e1525add02.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | stealc_default2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | stealc_default2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Kills process with taskkill 5 IoCs
pid | Process
1640 | taskkill.exe
2732 | taskkill.exe
2588 | taskkill.exe
1608 | taskkill.exe
1344 | taskkill.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings | firefox.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | v_dolg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) | v_dolg.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob data omitted) | v_dolg.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\Root\Certificates\C86D6E9C73D96A8B0EEB519BBCAE82865233FF7D | goldddd123.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\Root\Certificates\C86D6E9C73D96A8B0EEB519BBCAE82865233FF7D\Blob = (blob data omitted) | goldddd123.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\Root\Certificates\C86D6E9C73D96A8B0EEB519BBCAE82865233FF7D\Blob = (hex blob follows)
1400000001000000140000005dcfce3437c110fa8d127ac1adc8ddd2059d91d70b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c000000010000000000000000000000000000000100000043004e003d0054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000c86d6e9c73d96a8b0eeb519bbcae82865233ff7d0f0000000100000020000000e6b6eac27b44f927d8ddab9b1e98f9770dfba5cc2f05e70959fc97ef15336c2720000000010000000a03000030820306308201eea003020102020853f76092ad7c75b5300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233313231383137313532395a170d3237303332333137313532395a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100aee6236030d2c9dbdeb7e2977b378d44d8c56f81e93b3d8066ac19e8fabeab9303084db199c0e1259998253119767dfbfc8c422039f0fd620cdd177ce40303be9d002f520f93ce8835077caee2a3e5df65e532be8d2814455c052b4525c5a01558d5c93e64fa5d9dbc9b7ac2a257d29be574ba20093a50f9634b5da0aec88195c1e76aa86c502a928952c10189d21d05207da8f4796a57c905356a3a98d294db8623159f18f0a5d89a99f89a21592956886731e3e0d99543a5a890caae5f281ee1d6a22a522fb936c889bb404b77936f235b8f63464bd8d672b34b6f219d2beb09e251dd7b56ef91ad77e195db532a79a8dcf5d69d0bdbde33bb6c1352375a570203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101003a48ea961e4750035cf2adec0e008854877bf29f99446d369e127cbefc16e35336960073d738c3374f7fbb159611353191688f383dd336b0e862
82b92f50dbe98ba1821fdccc6e75258242a9cad11eb0dd6385a6e3dc411c1897f00c0cedbe7bab3275db27da85fc886cd3b5a54409d827e1b786853441f0feb782abf029bd992a992fef7c01f7b639e807c04af6fe8076cd76cd203d497aeecb3cd66c3f9dc910807f70c03981607de2f6090671dc24185605984918217c7ef1cda12f7eca92d92698f7f21cce89a9d1d9c1ccfd6aaee9cbf0913bff72d17b12c2171d4243ae14b6a141c6ea821db39ce3f2ae6caea6745cedc0f030402b3fd104634c7e417c | goldddd123.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\Root\Certificates\C86D6E9C73D96A8B0EEB519BBCAE82865233FF7D\Blob = (blob data omitted) | goldddd123.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid | Process (consecutive repeated entries collapsed, count in parentheses)
1892 | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe (×1)
1836 | skotes.exe (×1)
1472 | Cq6Id6x.exe (×10)
2076 | c41682d63e.exe (×1)
592 | axplong.exe (×1)
2792 | stealc_default2.exe (×2)
1816 | v_dolg.exe (×1)
1640 | 326065b9ea.exe (×4)
1072 | 633ad5fbc9.exe (×5)
1124 | 326065b9ea.exe (×4)
2012 | 67dfa006bc.exe (×4)
1816 | v_dolg.exe (×4)
760 | b957569edc.exe (×6)
1072 | 110423c8a9.exe (×1)
1080 | 4c278ec1bc.exe (×1)
2688 | sintv.exe (×1)
1524 | e1525add02.exe (×1)
1764 | goldddd123.exe (×4)
1524 | e1525add02.exe (×2)
1072 | 110423c8a9.exe (×4)
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1472 | Cq6Id6x.exe
Token: SeDebugPrivilege | 2688 | sintv.exe
Token: SeDebugPrivilege | 2588 | taskkill.exe
Token: SeDebugPrivilege | 1608 | taskkill.exe
Token: SeDebugPrivilege | 1344 | taskkill.exe
Token: SeDebugPrivilege | 1640 | taskkill.exe
Token: SeDebugPrivilege | 2732 | taskkill.exe
Token: SeDebugPrivilege | 1124 | firefox.exe
Token: SeDebugPrivilege | 1124 | firefox.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (consecutive repeated entries collapsed, count in parentheses)
1892 | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe (×1)
2076 | c41682d63e.exe (×1)
2476 | AllNew.exe (×1)
1956 | am209.exe (×1)
1524 | e1525add02.exe (×6)
1124 | firefox.exe (×4)
1524 | e1525add02.exe (×4)
Suspicious use of SendNotifyMessage 13 IoCs
pid | Process (consecutive repeated entries collapsed, count in parentheses)
1524 | e1525add02.exe (×6)
1124 | firefox.exe (×3)
1524 | e1525add02.exe (×4)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive repeated entries collapsed, count in parentheses)
PID 1892 wrote to memory of 1836 | 1892 | e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe | 30 (×4)
PID 1836 wrote to memory of 1472 | 1836 | skotes.exe | 32 (×7)
PID 1472 wrote to memory of 1964 | 1472 | Cq6Id6x.exe | 34 (×7)
PID 1472 wrote to memory of 2116 | 1472 | Cq6Id6x.exe | 35 (×7)
PID 1472 wrote to memory of 2484 | 1472 | Cq6Id6x.exe | 36 (×7)
PID 1472 wrote to memory of 688 | 1472 | Cq6Id6x.exe | 37 (×7)
PID 1472 wrote to memory of 528 | 1472 | Cq6Id6x.exe | 38 (×7)
PID 1836 wrote to memory of 600 | 1836 | skotes.exe | 39 (×4)
PID 1836 wrote to memory of 2076 | 1836 | skotes.exe | 40 (×4)
PID 2076 wrote to memory of 592 | 2076 | c41682d63e.exe | 41 (×4)
PID 592 wrote to memory of 2792 | 592 | axplong.exe | 42 (×4)
PID 592 wrote to memory of 2800 | 592 | axplong.exe | 43 (×2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\Explorer.EXE
    Command: C:\Windows\Explorer.EXE
    PID: 1260
  [2] C:\Users\Admin\AppData\Local\Temp\e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1892
    [3] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1836
      [4] C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
          Command: "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1472
        [5] C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
            - Executes dropped EXE
            PID: 1964
        [5] C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
            - Executes dropped EXE
            PID: 2116
        [5] C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
            - Executes dropped EXE
            PID: 2484
        [5] C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
            - Executes dropped EXE
            PID: 688
        [5] C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
            - Executes dropped EXE
            PID: 528
      [4] C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe
          Command: "C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"
          - Executes dropped EXE
          PID: 600
      [4] C:\Users\Admin\AppData\Local\Temp\1016974001\c41682d63e.exe
          Command: "C:\Users\Admin\AppData\Local\Temp\1016974001\c41682d63e.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 2076
        [5] C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
            Command: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 592
          [6] C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
              PID: 2792
          [6] C:\Users\Admin\AppData\Local\Temp\1001527001\legs.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1001527001\legs.exe"
              - Executes dropped EXE
              PID: 2800
          [6] C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1003013001\AllNew.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of FindShellTrayWindow
              PID: 2476
            [7] C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
                Command: "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 1156
          [6] C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious use of FindShellTrayWindow
              PID: 1956
            [7] C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe
                Command: "C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 264
              [8] C:\Windows\SysWOW64\rundll32.exe
                  Command: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                  - Blocklisted process makes network request
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  PID: 2704
          [6] C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Modifies system certificate store
              - Suspicious behavior: EnumeratesProcesses
              PID: 1816
          [6] C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1124
            [7] C:\Users\Admin\AppData\Local\Temp\onefile_1124_133790157216974000\stub.exe
                Command: C:\Users\Admin\AppData\Local\Temp\1006252001\roblox.exe
                - Executes dropped EXE
                - Loads dropped DLL
                PID: 2164
          [6] C:\Users\Admin\AppData\Local\Temp\1006343001\goldddd123.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\1006343001\goldddd123.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              PID: 2096
            [7] C:\Users\Admin\AppData\Local\Temp\1006343001\goldddd123.exe
                Command: "C:\Users\Admin\AppData\Local\Temp\1006343001\goldddd123.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies system certificate store
                - Suspicious behavior: EnumeratesProcesses
                PID: 1764
C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe (depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2688

C:\Windows\System32\certutil.exe (depth 7)
Command line: "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp6DB3.tmp"
PID: 2636
C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe (depth 6)
Command line: "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1520

C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe (depth 7)
Command line: "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 404
C:\Users\Admin\AppData\Local\Temp\1016991001\326065b9ea.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016991001\326065b9ea.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 1712

C:\Users\Admin\AppData\Local\Temp\1016991001\326065b9ea.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016991001\326065b9ea.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1640
C:\Users\Admin\AppData\Local\Temp\1016992001\633ad5fbc9.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016992001\633ad5fbc9.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1072
C:\Users\Admin\AppData\Local\Temp\1016993001\67dfa006bc.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016993001\67dfa006bc.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2396

C:\Users\Admin\AppData\Local\Temp\1016993001\67dfa006bc.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016993001\67dfa006bc.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2012
C:\Users\Admin\AppData\Local\Temp\1016994001\b957569edc.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016994001\b957569edc.exe"
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 760
C:\Users\Admin\AppData\Local\Temp\1016995001\110423c8a9.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016995001\110423c8a9.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1072
C:\Users\Admin\AppData\Local\Temp\1016996001\4c278ec1bc.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016996001\4c278ec1bc.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1080
C:\Users\Admin\AppData\Local\Temp\1016997001\e1525add02.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016997001\e1525add02.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1524

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2588

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1608

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1344

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1640

C:\Windows\SysWOW64\taskkill.exe (depth 5)
Command line: taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2732
C:\Program Files\Mozilla Firefox\firefox.exe (depth 5)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
PID: 2980

C:\Program Files\Mozilla Firefox\firefox.exe (depth 6)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1124

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.0.91270898\1069178594" -parentBuildID 20221007134813 -prefsHandle 1268 -prefMapHandle 1156 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a1ddd81-7c0a-455b-b0bd-8ee85103031d} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 1344 108f3358 gpu
PID: 2276

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.1.702318650\725625013" -parentBuildID 20221007134813 -prefsHandle 1548 -prefMapHandle 1544 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3baffb6f-a373-4e93-bb99-67c1bff18013} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 1560 f5ebe58 socket
PID: 2752

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.2.669255339\971081940" -childID 1 -isForBrowser -prefsHandle 1996 -prefMapHandle 1992 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16ea7ad6-b48a-4d2c-abcc-2165866692dd} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 2008 19ca2d58 tab
PID: 1808

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.3.88924345\682934727" -childID 2 -isForBrowser -prefsHandle 2728 -prefMapHandle 2724 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f806db-e436-48bd-a353-ec93e4c088a1} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 2740 1d52ab58 tab
PID: 3144

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.4.2041793445\1507501151" -childID 3 -isForBrowser -prefsHandle 3444 -prefMapHandle 3440 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2463fd7-67a0-493d-a110-be66e4fefcbf} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 3456 19fe8858 tab
PID: 3736

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.5.1503960744\861033895" -childID 4 -isForBrowser -prefsHandle 3564 -prefMapHandle 3568 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {639d5b61-182b-42a9-a8ea-6d557079b91b} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 3552 1effcf58 tab
PID: 3744

C:\Program Files\Mozilla Firefox\firefox.exe (depth 7)
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1124.6.1701663307\878524783" -childID 5 -isForBrowser -prefsHandle 3728 -prefMapHandle 3732 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea9ec95a-3c99-47e9-bdba-aa3f02f045c7} 1124 "\\.\pipe\gecko-crash-server-pipe.1124" 3716 1effde58 tab
PID: 3752
C:\Users\Admin\AppData\Local\Temp\1016991001\326065b9ea.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\1016991001\326065b9ea.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1124
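The process tree above is flat text: each process line is the image path, the command line and the depth marker run together, with the PID either inline after the arrow or on the next line and the sandbox's signatures as "- " lines. The following added example is my code, not part of the sandbox report or of the sample. It parses a constructed subset of this page's own lines back into a parent/child structure and flags the four behaviours a responder would pull out of this run: certutil importing a PFX with an empty password from Temp (how the certificate under SystemCertificates\My reached the CurrentUser store), rundll32 loading clip64.dll from AppData\Roaming with a named export, the anti-VM/anti-debugger signature cluster, and a browser relaunched in --kiosk mode on a sign-in URL after taskkill had removed every running browser. The rule names, the single-digit depth assumption, and SAMPLE_TREE are mine; the page goes no deeper than depth 8 and every image path on it ends at its first ".exe", which the regex relies on.

```python
"""Parse a flattened sandbox process tree and flag the behaviours it records.

Each process is one line of the form <image path><command line><depth>⤵ optionally
followed by PID:<n>; "- " lines are signatures and the PID may sit on its own line.
Added example; rule names and the single-digit depth assumption are the editor's.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a subset of this page's own process lines, kept in the page's form.
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"7⤵
PID:264 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main8⤵
PID:2704
C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"C:\Users\Admin\AppData\Local\Temp\1005242001\v_dolg.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
PID:1816
C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"6⤵
PID:2688 -
C:\Windows\System32\certutil.exe"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp6DB3.tmp"7⤵PID:2636
C:\Users\Admin\AppData\Local\Temp\1016997001\e1525add02.exe"C:\Users\Admin\AppData\Local\Temp\1016997001\e1525add02.exe"4⤵
PID:1524 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
PID:2588
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
PID:1608
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:2980
"""

# Image path ends at the first ".exe"; depth is a single digit (assumption, true for this page).
PROC_RE = re.compile(r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$')
PID_RE = re.compile(r'^PID:(\d+)')
KILL_RE = re.compile(r'/IM\s+(\S+)', re.I)
KIOSK_RE = re.compile(r'--kiosk\s+"?([^"\s]+)')
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
ANTI_ANALYSIS = ("Identifies VirtualBox", "Checks BIOS information", "Identifies Wine",
                 "NtSetInformationThreadHideFromDebugger")


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    signatures: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_tree(text: str) -> list:
    """A process's parent is the most recent line one level shallower than it."""
    procs, last_at_depth, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROC_RE.match(line):
            depth = int(m["depth"])
            cur = Proc(m["image"], m["cmd"].strip(), depth,
                       int(m["pid"]) if m["pid"] else None, last_at_depth.get(depth - 1))
            for d in [d for d in last_at_depth if d > depth]:  # deeper entries belong to an earlier subtree
                del last_at_depth[d]
            last_at_depth[depth] = cur
            procs.append(cur)
        elif cur is not None and line.startswith("- "):
            cur.signatures.append(line[2:])
        elif cur is not None and (m := PID_RE.match(line)):
            cur.pid = int(m[1])
    return procs


def find_findings(procs: list) -> list:
    findings = []
    for p in procs:
        cmd, img = p.cmdline.lower(), basename(p.image)
        # certutil importing a PFX with an empty password from the user's Temp directory
        if img == "certutil.exe" and "-importpfx" in cmd and '-p ""' in cmd \
                and "\\appdata\\local\\temp\\" in cmd:
            findings.append({"rule": "certutil_pfx_import_empty_password", "pid": p.pid, "detail": p.cmdline})
        # rundll32 handed a DLL under the user profile plus an export to call
        if img == "rundll32.exe" and "\\appdata\\" in cmd and ".dll" in cmd:
            findings.append({"rule": "rundll32_dll_from_appdata", "pid": p.pid, "detail": p.cmdline})
        # the sandbox/debugger-check signature cluster on a single process
        if any(tag in sig for tag in ANTI_ANALYSIS for sig in p.signatures):
            findings.append({"rule": "anti_analysis", "pid": p.pid, "detail": "; ".join(p.signatures)})
        # a browser started in kiosk mode by a parent whose other children taskkill'ed browsers
        kiosk = KIOSK_RE.search(p.cmdline)
        if img in BROWSERS and kiosk and p.parent is not None:
            killed = {k.group(1).lower() for s in procs
                      if s.parent is p.parent and basename(s.image) == "taskkill.exe"
                      and (k := KILL_RE.search(s.cmdline))}
            if killed & BROWSERS:
                findings.append({"rule": "browser_kill_then_kiosk", "pid": p.pid,
                                 "detail": f"killed {', '.join(sorted(killed))}; kiosk url {kiosk.group(1)}"})
    return findings


if __name__ == "__main__":
    for f in find_findings(parse_tree(SAMPLE_TREE)):
        print(f"{f['rule']:<34} pid={f['pid']}  {f['detail']}")
```

Run as-is it prints the four findings from the constructed subset. Two things the parse makes visible that the flat text hides: the rundll32 image path is under SysWOW64 while its command line names System32, so a 32-bit parent's process creation was redirected by WOW64; and the kiosk launch is a sibling of the five taskkill calls under e1525add02.exe, which is why the last rule keys on the shared parent rather than on process order. The 1KB file under SystemCertificates\My\Certificates in the Downloads list below is the imported certificate; Windows names those files by the certificate's SHA-1 thumbprint, so C86D6E9C73D96A8B0EEB519BBCAE82865233FF7D is the value to search other hosts' CurrentUser stores for.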
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- Virtualization/Sandbox Evasion (3)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (5)
  - Credentials In Files (5)
Downloads
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 26KB
  MD5: a1e1e87c2122e657b9da645fdaf57fb5
  SHA1: a8ea193c3d5bc420c1976fbf05619d0943de694d
  SHA256: 1bcb4ced79ac659f43b61b097bf55121021452379698c585ee349a9d2fa2637c
  SHA512: a03d72098fbaf9b825f7e5dff72e98bdeaa6087ce323911f12bde51b7a8c97eb4ea04dfd41152889971effbaeaab4e863068a0f7f9d2201bc232955c50b5e009

- Filesize: 307KB
  MD5: 68a99cf42959dc6406af26e91d39f523
  SHA1: f11db933a83400136dc992820f485e0b73f1b933
  SHA256: c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
  SHA512: 7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

- Filesize: 758KB
  MD5: 75cf470500d65ce4411790e09e650806
  SHA1: 91aca1838bc6e3868d25e44308f58124b749167d
  SHA256: f29a920dd390574c50df03e8f909a8f81a1894af912af2d92a9baf4b57cf1c04
  SHA512: 1c281fe53742a338becb9aa4efd2a7e418a66949a7f3d156440e02e2351548f6ff0ead5d93aae157509f57d0b4cc3584a9ab623c6446ea389b45b49d0df85c48

- Filesize: 429KB
  MD5: c07e06e76de584bcddd59073a4161dbb
  SHA1: 08954ac6f6cf51fd5d9d034060a9ae25a8448971
  SHA256: cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9
  SHA512: e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

- Filesize: 429KB
  MD5: ce27255f0ef33ce6304e54d171e6547c
  SHA1: e594c6743d869c852bf7a09e7fe8103b25949b6e
  SHA256: 82c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c
  SHA512: 96cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9
Filesize
3.6MB
MD5378706614b22957208e09fc84fceece8
SHA1d35e1f89f36aed26553b665f791cd69d82136fb8
SHA256df6e6d5bead4aa34f8e0dd325400a5829265b0f615cd1da48d155cc30b89ad6d
SHA512bef7a09ce1ffd0a0b169a6ec7c143ca322c929139ca0af40353502ae22fed455fe10a9b80ba93cc399a88add94f921b7aa801033ddae351f8f8d477781ca476e
-
Filesize
10.7MB
MD56898eace70e2da82f257bc78cb081b2f
SHA15ac5ed21436d8b4c59c0b62836d531844c571d6d
SHA256bcdd8b7c9ec736765d4596332c0fec1334b035d4456df1ec25b569f9b6431a23
SHA512ca719707417a095fe092837e870aefc7e8874ef351e27b5b41e40f46a9e2f6cb2ba915858bc3c99a14c2f1288c71c7ddd9c2adee6588d6b43cd3ba276e1585d2
-
Filesize
4.5MB
MD538fcaa23700e62fb0b3fc2591f82cc80
SHA1abedd6ec573a6fede05d15920f3ac3763062c75c
SHA256fb829a6a8535a443932cd167e8301b5e74c60702b5f7fade7e9f13a736ce72b0
SHA5125da88a61c716a9891cb225f36f275040d69915c4c731c2a5c042d5c997ca39241a3e9d6646569468d477f47db42462c21b58f2de7f56a84cb145e6cee478eeef
-
Filesize
2.5MB
MD57ff947867bc70055adffa2164a741b01
SHA1cff424168c2f6bcef107ebc9bd65590f3ead76ae
SHA256b6d6628d2dc7dea808eef05180c27abe10a1af245d624aacdacccc52a1eb7b40
SHA512da507d1847056d0dc2c122c45ecbea4901a81c06890bcdbffc2f18ad4b96f0ac2c2fa9ebde1a315828c74a97af653062a8c50ce70c9b6d6966c48871150747ee
-
Filesize
3.1MB
MD5f9b9f98592292b5cbf59c7a60e9ebaee
SHA159cc872fd0a11b259cc5b70893f35e9b5a7c8cbb
SHA2565688e9e0becc622c573af2a1af4ee0676ef3907e38a9258a7801b46b7ad64665
SHA512f27e4a96173aeb064f47d44ff445b1e15f6d4f39a4ad711c019bb29692caea56eb910970d22bc13ac5c57a256d71e77b12aa60c8405335a239781c57cb0eaf8e
-
Filesize
17.6MB
MD53c224e3fc892719dc1e302378e533579
SHA10a65062e1426a95bfeca355398b6fdc4912fb6b1
SHA25664cc7f7906fe1ebf0b6977892abd9aa36f5e525cb241964c3986ee9e1a18312d
SHA512554a26e9654eccce831e4adcee49d5e2507956935e562b134a86f332d867debfcd1f64fdb88fccb2e1eee810975d565dbc6ea1376516817ee38765e4bd733a49
-
Filesize
2.9MB
MD5adb82f61953bedf4b2eda53ca8e26ed7
SHA1905dd9713e5dc58f0f4e1a5c36dc76c42823e734
SHA2567f7d4d11aa9ce238909c3f93f50e46ff9296860da623022a0f3d37d3ca1dd0e8
SHA51217a427293b613bb4e8f1709e0153528a26aebc608c8b4e2a13e1ca72efa8b7da9c7086a8c7cf5ad416e52125879fb30f87b0232b8b3e2324c663b1f9efe315d8
-
Filesize
1.9MB
MD5e7eb9a61aec1e191dcc006e605c7628e
SHA1f931ceab7be44e9efb12b7ff292e0227eadebce2
SHA2560428284ddb962526e13dcf1be7707e0ce1acfcca7eba4dc33a03dc8503c03253
SHA51273856a2a132ea5786860d07b36bd3293facc0562f2b630a08036932331d1e91417e87753815c25d534fa2eb0f6d76e8039a3af6eb407294711eae5bb0b1a1ba5
-
Filesize
747KB
MD58a9cb17c0224a01bd34b46495983c50a
SHA100296ea6a56f6e10a0f1450a20c5fb329b8856c1
SHA2563d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
SHA5121472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840
-
Filesize
4.2MB
MD560cb08aff943753c526cf73fd6007489
SHA182a65e58388a24fa079f644e574b5a26512d1078
SHA2565a1e55df322d7f0f410e19bda46827def8374605479fe22d16c921c36751ec96
SHA512e6cadb0cb30f8c37e8d20f8448952ded9ef9501ad03e059f6140e70f82fc8d3ce12033a7d8887b4793145b2c7d4279d71df02e2ad8ea4a4d973384973e7a1aa9
-
Filesize
1.8MB
MD5ab319afa60cadbafd45f46b07484fd03
SHA13bba5171e2e000c0e4c3e33ae1b20ba96e28fb0d
SHA25668f4cfa9038f190598f1e5fe4b2d069ce63e01d1133c2845ee8cacb97798ee2b
SHA512612ed711a96bfb8dd0c87cfef531bb6bc20aa675194c1403c05f1aa4745e3e3b28bcb8f33d639977367d090cba1948cc211af25df3c8bc09db93bb119eb3aba5
-
Filesize
2.8MB
MD553255a4e52bac509d13e48fe99717cb0
SHA1763d5cf8a29bad2c20eb0270392e02426afe8e82
SHA25686c5ad704dccd2f1a4175b66e019550a68ebcd538ef9ad6f9aee743a613940af
SHA5125a1a5fad42a71a6bc795f82ab29a025e5b5076310cbbfa5fb845af5cd9149348c523493bf3d675a9941019a05eddd108a4601cf77ca6b8f8e7fd74cba244fb1d
-
Filesize
942KB
MD50d8ac576eca10da9277638f730c0bab1
SHA1be4abb2939e19d612b81d22069c7135f53cc4a75
SHA256f3675e0c735833e5da3a5d75140713a08f2657232b965d6066bb14a153bc4c7e
SHA512bf81c40a99037e99f3a57ebc9cd248e60e790cd2c6a68a66e46a288d7131c359e8dcff2392506a1c2e042e680ef374e366d66929ff55c15d51bbde430ae92217
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2KB
MD51a4242337929abb2e76761453ee3d09e
SHA1906d98b7fc799988f092631d3fb34dfad3ed512e
SHA2564848bca96c2c0f9802c453f27acef345966860b9da4e8ddc7e8b7fc1a2fa44f6
SHA512f2976112bd1b5add64191fa611c7942feb477000e236dd46a5e8e9e28ffd0d5c8a4a27b35d139dc830c66092c7fdc41e047001777e0e727185be247884b57756
-
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\C86D6E9C73D96A8B0EEB519BBCAE82865233FF7D
  Filesize: 1KB
  MD5: 6f376d81f65b8dea2cc340a54f8a5206
  SHA1: 065e1e7eb9d8dd37b72906b9cb1bd1c7669bb899
  SHA256: f07db2bc9e5a91f117d19b7fd0040036f36b82c807e77e9a7202e166720bcbf1
  SHA512: 72b711fbf21b4e743b50a6a85726bc3ca739b9878e6843cd41198f97bc6c5d2d7beda74771e76ccace91d29e6509b5b351afd29f7e0e86fb3518d243187a9d3c

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: f74a4669023cf495f62f395b4a4d3b58
  SHA1: bdb733674478a8224be3b2c62b959b158ed81125
  SHA256: e1a7599754c9cfcf28170606874a0e0f0ff82003ee4fb61e85764db15428dc0b
  SHA512: 3891bc19140d66e4940388e8f14f608cda7540542cbce7eb54d63cf90a5ab88f6c650d3328bea13e34ede3bfd1feefd8ad36386c9a8b4933da7e732ccdfc3361

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\42da24ed-125f-4e82-a3a2-853b2cf81c9f
  Filesize: 11KB
  MD5: 51152c51f3cc6c35b05418e56456898b
  SHA1: b7d7f2611a6d96831122f98babe16ea2fec6d86d
  SHA256: 473e0db86a9b2d95e2e596a2c1ab66f1fa0f8838952392e007ba88fa3ee96eff
  SHA512: 4fd8ce0fcf7f7c7f9abfbd02588c4826c3edaf613a5631cefedf8ade8493b74308fc905c8440065005173ffffe14a2248df21f4c8148d2d1945a03bde7e1401f

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\48f447ef-fd33-4778-826a-8589fd7051b8
  Filesize: 745B
  MD5: 8aeac6b57baa34d108e89298ce1c1202
  SHA1: a984532ac410e045ff46a3c401d31d3e1e0551f3
  SHA256: c24e75e14276c05c6260249484bed7a3eae398c8b11143f0e47aa45925789141
  SHA512: 0ad8f7ccad76d8b75f464ef1ed338a1c381b9440c53fbdacd43b605cbb300225f4ee006a44d06d275e7d4f1aba26d62aef9de0c8e31f5ca76f5cd19349f6ca82

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5: 2b908bc2577b90c5a79ab547aeaca69a
  SHA1: 7096d4d54ec132838bb36502a444e5d71d9cd28b
  SHA256: 552f06edb775b4a37d32fcdef911440222b1f91b39ad9706053f629ac40bfcfa
  SHA512: fe87081013026bfed9c2f90b2fa6b2991ea65e205623ffbae4b2582bb211fa995d25bbd74bc47d59da30eb5f87fca972191d1a209c2bfa0820a018cea73a90f1

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 184KB
  MD5: 3dc733f51b6c47c0e57ae7035b9abacf
  SHA1: d4c28a6f9d4bae9e297440a46726a2cb3e2504ba
  SHA256: aafa700fb884f14becaf86a0eb9df79dfa15885b2ebe11cabe5f48a3a5d9e0e1
  SHA512: e02670f6fa626a21ad150e0e0e589ba9f1f7a1fb921dc28f4117dc0a30a337b9c9b165dd0a30da864fe4dbdf130372e846648792a0bcf5aad4e8d28118101067

- Filesize: 124KB
  MD5: 0d3418372c854ee228b78e16ea7059be
  SHA1: c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1
  SHA256: 885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7
  SHA512: e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19

- Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

- Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

- Filesize: 758KB
  MD5: afd936e441bf5cbdb858e96833cc6ed3
  SHA1: 3491edd8c7caf9ae169e21fb58bccd29d95aefef
  SHA256: c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
  SHA512: 928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

- Filesize: 2.9MB
  MD5: 8a6df8d3bab93a45abfec4947c817b93
  SHA1: 94cc2a82869276fd48a17019971d606c3fe6abc0
  SHA256: e9ec73f8477faa71fbc7546d41174906e4a02a88a823ed3378373d661175d18d
  SHA512: 3af6e9df139d2a51095d07fd45bef9ee8f99dcaf8b70eabed25fc64c9dc9bbfb54445470e007b6c6b67ed2bf4f8df3336099db87ec3b959aeb6c23570441133c