Analysis
-
max time kernel
114s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 00:14
Static task
static1
Behavioral task
behavioral1
Sample
211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe
Resource
win10v2004-20241007-en
General
-
Target
211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe
-
Size
2.8MB
-
MD5
eadab56cfbaef413b705dac5db36aa16
-
SHA1
163fc1a47691e79e6bbffbab8be7f795bd55d99d
-
SHA256
211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1
-
SHA512
461087bdc52f78dde32330aa2240216527be6586903071f63cff43b4d0d43089262265816fc6f5ac3072d67624255fae694476754a4cf2a43990155051e0e014
-
SSDEEP
49152:GLNDk2Pu0hI2hcbYQc4Nv0PYax7Ia1uTZYsR:GFk2PuWIBeOv0P1WayZYsR
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
cryptbot
Extracted
lumma
Signatures
-
Amadey family
-
Cryptbot family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 3Q3R0EYOT5L0NU0VU.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 3Q3R0EYOT5L0NU0VU.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 3Q3R0EYOT5L0NU0VU.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 3Q3R0EYOT5L0NU0VU.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 3Q3R0EYOT5L0NU0VU.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" ab9c884a6f.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 224 created 2892 224 7a0d88fc91.exe 49 -
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 26a0cd0104.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 81938ae1fe.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 22 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 26a0cd0104.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ W09N7EX3PRLX3RLU.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 81938ae1fe.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8e61526c80.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d51c3b53b7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ANEDNjf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ab9c884a6f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 044d040a1b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c211156b92.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7a0d88fc91.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VR6f3vF.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c538ba3b49.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6a68dd3553.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 594a6989b5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3Q3R0EYOT5L0NU0VU.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4eb67ca1bd.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1340 powershell.exe 4404 powershell.exe 5640 powershell.exe 2192 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\DRIVERS\SETA822.tmp rundll32.exe File created C:\Windows\system32\DRIVERS\SETA822.tmp rundll32.exe File opened for modification C:\Windows\system32\DRIVERS\revoflt.sys rundll32.exe -
Checks BIOS information in registry 2 TTPs 42 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7a0d88fc91.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VR6f3vF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3Q3R0EYOT5L0NU0VU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d51c3b53b7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 044d040a1b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VR6f3vF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c211156b92.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d51c3b53b7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 26a0cd0104.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 26a0cd0104.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ANEDNjf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c538ba3b49.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3Q3R0EYOT5L0NU0VU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion W09N7EX3PRLX3RLU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 81938ae1fe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ANEDNjf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c211156b92.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ab9c884a6f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion W09N7EX3PRLX3RLU.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7a0d88fc91.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c538ba3b49.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6a68dd3553.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4eb67ca1bd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 044d040a1b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6a68dd3553.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 594a6989b5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4eb67ca1bd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ab9c884a6f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 594a6989b5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 81938ae1fe.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation kf5cl0F.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation ruplp.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation d51c3b53b7.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 41 IoCs
pid Process 2760 axplong.exe 3860 trunk.exe 1512 trunk.exe 3604 4eb67ca1bd.exe 5080 axplong.exe 224 7a0d88fc91.exe 4060 d51c3b53b7.exe 3548 skotes.exe 2116 26a0cd0104.exe 2564 Cq6Id6x.exe 2356 x0qQ2DH.exe 3404 NordVPNSetup.exe 4996 NordVPNSetup.tmp 3772 044d040a1b.exe 4532 VR6f3vF.exe 4144 Cq6Id6x.exe 3712 kf5cl0F.exe 2856 ANEDNjf.exe 3776 b57d061cb26c4e57b088f3531bfce386.exe 4800 cecff7cfae.exe 3908 c211156b92.exe 3092 axplong.exe 784 skotes.exe 1708 c538ba3b49.exe 1764 ruplp.exe 1308 RevoUninPro.exe 1016 4b323c4264.exe 4352 RevoUninPro.exe 536 ruplp.exe 2660 ab9c884a6f.exe 5288 ebda63061e.exe 5340 ebda63061e.exe 5856 6a68dd3553.exe 5616 594a6989b5.exe 5368 3Q3R0EYOT5L0NU0VU.exe 2264 W09N7EX3PRLX3RLU.exe 4508 cecff7cfae.exe 3028 cecff7cfae.exe 5544 81938ae1fe.exe 1420 e34353082b.exe 2756 8e61526c80.exe -
Identifies Wine through registry keys 2 TTPs 22 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine VR6f3vF.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine ANEDNjf.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine c211156b92.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 4eb67ca1bd.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine d51c3b53b7.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine c538ba3b49.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine ab9c884a6f.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 594a6989b5.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine W09N7EX3PRLX3RLU.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 7a0d88fc91.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 26a0cd0104.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 044d040a1b.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 6a68dd3553.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 3Q3R0EYOT5L0NU0VU.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 81938ae1fe.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 8e61526c80.exe -
Loads dropped DLL 48 IoCs
pid Process 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 1512 trunk.exe 4996 NordVPNSetup.tmp 4996 NordVPNSetup.tmp 4996 NordVPNSetup.tmp 4996 NordVPNSetup.tmp 4204 regsvr32.exe -
Modifies system executable filetype association 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" ab9c884a6f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 3Q3R0EYOT5L0NU0VU.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d51c3b53b7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007314001\\d51c3b53b7.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c211156b92.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017194001\\c211156b92.exe" skotes.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c538ba3b49.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017195001\\c538ba3b49.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4b323c4264.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017196001\\4b323c4264.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab9c884a6f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017197001\\ab9c884a6f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4eb67ca1bd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007312001\\4eb67ca1bd.exe" axplong.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 88 raw.githubusercontent.com 89 raw.githubusercontent.com 300 raw.githubusercontent.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 50 ip-api.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023ceb-742.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
pid Process 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 2760 axplong.exe 3604 4eb67ca1bd.exe 5080 axplong.exe 224 7a0d88fc91.exe 4060 d51c3b53b7.exe 3548 skotes.exe 2116 26a0cd0104.exe 3772 044d040a1b.exe 4532 VR6f3vF.exe 2856 ANEDNjf.exe 3776 b57d061cb26c4e57b088f3531bfce386.exe 3776 b57d061cb26c4e57b088f3531bfce386.exe 3908 c211156b92.exe 784 skotes.exe 3092 axplong.exe 1708 c538ba3b49.exe 3776 b57d061cb26c4e57b088f3531bfce386.exe 2660 ab9c884a6f.exe 5856 6a68dd3553.exe 5616 594a6989b5.exe 5368 3Q3R0EYOT5L0NU0VU.exe 2264 W09N7EX3PRLX3RLU.exe 5544 81938ae1fe.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2564 set thread context of 4144 2564 Cq6Id6x.exe 121 PID 5288 set thread context of 5340 5288 ebda63061e.exe 175 PID 4800 set thread context of 3028 4800 cecff7cfae.exe 184 -
Drops file in Program Files directory 63 IoCs
description ioc Process File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-3FCA5.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FL9H4.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\unins000.dat NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-1QRRC.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-PGNLE.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-MTOLC.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BVVHC.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JEIIJ.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-IR5IS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PT5T6.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-CRI7B.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-OT8HH.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4B15T.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-7S4J4.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-LC7IH.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4I2V6.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PR425.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-64GO8.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-RILGT.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-J7POR.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-P5HUG.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-REONO.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M6Q4F.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-P3IVE.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-21K2T.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-FB8ME.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-B06LG.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoCmd.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-G940S.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-M4C8R.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BSAAS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-3QSCR.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-H3U55.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-K5L6H.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T4DRG.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-PFSEL.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-T0Q84.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-AN7FA.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-UQ6SG.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-GQS85.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-OHD8D.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-4OV1T.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-2K81L.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-JG50B.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-5SR5G.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-151JH.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BVF84.tmp NordVPNSetup.tmp File opened for modification C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoAppBar.exe NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-OR2T3.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-VLH8S.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-D4FKB.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-40J3U.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\is-BRPUD.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0H14E.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-VMJSL.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-0MQ9G.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-I04R4.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-BNKGS.tmp NordVPNSetup.tmp File created C:\Program Files\VS Revo Group\Revo Uninstaller Pro\lang\is-KB9BD.tmp NordVPNSetup.tmp -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe File created C:\Windows\Tasks\skotes.job d51c3b53b7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4912 224 WerFault.exe 102 4800 2756 WerFault.exe 191 -
System Location Discovery: System Language Discovery 1 TTPs 45 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 4b323c4264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ruplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6a68dd3553.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e34353082b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x0qQ2DH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 044d040a1b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cecff7cfae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e61526c80.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cq6Id6x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b57d061cb26c4e57b088f3531bfce386.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ruplp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kf5cl0F.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cecff7cfae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4eb67ca1bd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a0d88fc91.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26a0cd0104.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebda63061e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language W09N7EX3PRLX3RLU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NordVPNSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ab9c884a6f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VR6f3vF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cq6Id6x.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ANEDNjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 594a6989b5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3Q3R0EYOT5L0NU0VU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c538ba3b49.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 4b323c4264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebda63061e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 81938ae1fe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d51c3b53b7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NordVPNSetup.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c211156b92.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b323c4264.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS x0qQ2DH.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName x0qQ2DH.exe -
Kills process with taskkill 5 IoCs
pid Process 1344 taskkill.exe 5000 taskkill.exe 4428 taskkill.exe 392 taskkill.exe 2404 taskkill.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}\ = "RUExt" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version\ = "5.1" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1 ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0 ruplp.exe Key created \REGISTRY\MACHINE\Software\Classes\.ruel NordVPNSetup.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\RevoUninstallerPro.ruel\shell\open\command NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\ = "RUShellExt Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4} ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\FLAGS ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid\ = "{DD72B942-27D2-4A3C-9353-FA0441FBABA0}" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\Version ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe" NordVPNSetup.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder\Attributes = "48" NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RevoUninPro.exe,0" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\RUExt.DLL\AppID = "{1D928D64-60D3-4FAC-B810-C4D9D8A680CF}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ = "Revo Uninstaller Pro" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell\open\command NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F} ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0} ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510 ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ProgID\ = "LicProtector.LicProtectorEXE510" ruplp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272} NordVPNSetup.tmp Key created \REGISTRY\MACHINE\Software\Classes\RevoUninstallerPro.ruel\DefaultIcon NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt\ = "{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\LocalServer32\ = "C:\\PROGRA~1\\VSREVO~1\\REVOUN~1\\ruplp.exe" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\Version = "5.1" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\InfoTip = "Uninstall, Remove Programs, Clear Web Browsers Tracks, Control Automatically Started Applications" NordVPNSetup.tmp Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\DefaultIcon NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2C5515DC-2A7E-4BFD-B813-CACC2B685EB7}\InprocServer32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\RUExt.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32 ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LicProtector.LicProtectorEXE510\Clsid ruplp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\ShellFolder NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\DefaultIcon NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\ = "LicProtector Library" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\ = "LicProtector Object" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DD72B942-27D2-4A3C-9353-FA0441FBABA0}\TypeLib ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open\command NordVPNSetup.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\RevoUninstallerPro.ruel\shell NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel\shell NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1D928D64-60D3-4FAC-B810-C4D9D8A680CF} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB562550-BBE6-4298-861A-5C0A6562C272}\Shell\Open NordVPNSetup.tmp Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings firefox.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.ruel NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\RevoUninstallerPro.ruel NordVPNSetup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32\ = "C:\\Program Files\\VS Revo Group\\Revo Uninstaller Pro\\ruplp.exe" ruplp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\HELPDIR ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\TypeLib\ = "{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}" ruplp.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\RevoUninstallerPro.ruel\shell\open NordVPNSetup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\RUShellExt regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37B86290-9C1A-453F-BFA7-CB6EC9CEC00F}\5.1\0\win32 ruplp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58DF91C9-795D-4356-9568-7F149ED299B4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ruplp.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 2760 axplong.exe 2760 axplong.exe 3604 4eb67ca1bd.exe 3604 4eb67ca1bd.exe 5080 axplong.exe 5080 axplong.exe 224 7a0d88fc91.exe 224 7a0d88fc91.exe 224 7a0d88fc91.exe 224 7a0d88fc91.exe 224 7a0d88fc91.exe 224 7a0d88fc91.exe 1764 svchost.exe 1764 svchost.exe 1764 svchost.exe 1764 svchost.exe 4060 d51c3b53b7.exe 4060 d51c3b53b7.exe 3548 skotes.exe 3548 skotes.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2116 26a0cd0104.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 2356 x0qQ2DH.exe 4996 NordVPNSetup.tmp 4996 NordVPNSetup.tmp 3772 044d040a1b.exe 3772 044d040a1b.exe 4532 VR6f3vF.exe 4532 VR6f3vF.exe 3712 kf5cl0F.exe 3712 kf5cl0F.exe 4144 Cq6Id6x.exe 4144 Cq6Id6x.exe 4144 Cq6Id6x.exe 4144 Cq6Id6x.exe 4532 VR6f3vF.exe 4532 VR6f3vF.exe 4532 VR6f3vF.exe 4532 VR6f3vF.exe 1340 powershell.exe 1340 powershell.exe 1340 powershell.exe 2856 ANEDNjf.exe 2856 ANEDNjf.exe 4404 powershell.exe 4404 powershell.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeDebugPrivilege 1512 trunk.exe Token: SeDebugPrivilege 2564 Cq6Id6x.exe Token: SeDebugPrivilege 3712 kf5cl0F.exe Token: SeDebugPrivilege 1340 powershell.exe Token: SeDebugPrivilege 4404 powershell.exe Token: SeDebugPrivilege 4800 cecff7cfae.exe Token: SeDebugPrivilege 1344 taskkill.exe Token: SeDebugPrivilege 5000 taskkill.exe Token: SeDebugPrivilege 4428 taskkill.exe Token: SeDebugPrivilege 392 taskkill.exe Token: SeDebugPrivilege 2404 taskkill.exe Token: SeDebugPrivilege 2212 firefox.exe Token: SeDebugPrivilege 2212 firefox.exe Token: SeDebugPrivilege 2660 ab9c884a6f.exe Token: SeDebugPrivilege 5368 3Q3R0EYOT5L0NU0VU.exe Token: SeDebugPrivilege 1420 e34353082b.exe Token: SeDebugPrivilege 5640 powershell.exe -
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 4060 d51c3b53b7.exe 4996 NordVPNSetup.tmp 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe -
Suspicious use of SendNotifyMessage 31 IoCs
pid Process 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 2212 firefox.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe 1016 4b323c4264.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3776 b57d061cb26c4e57b088f3531bfce386.exe 1308 RevoUninPro.exe 1308 RevoUninPro.exe 4352 RevoUninPro.exe 4352 RevoUninPro.exe 2212 firefox.exe 4352 RevoUninPro.exe 4352 RevoUninPro.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4724 wrote to memory of 2760 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 83 PID 4724 wrote to memory of 2760 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 83 PID 4724 wrote to memory of 2760 4724 211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe 83 PID 2760 wrote to memory of 3860 2760 axplong.exe 93 PID 2760 wrote to memory of 3860 2760 axplong.exe 93 PID 3860 wrote to memory of 1512 3860 trunk.exe 95 PID 3860 wrote to memory of 1512 3860 trunk.exe 95 PID 2760 wrote to memory of 3604 2760 axplong.exe 99 PID 2760 wrote to memory of 3604 2760 axplong.exe 99 PID 2760 wrote to memory of 3604 2760 axplong.exe 99 PID 2760 wrote to memory of 224 2760 axplong.exe 102 PID 2760 wrote to memory of 224 2760 axplong.exe 102 PID 2760 wrote to memory of 224 2760 axplong.exe 102 PID 224 wrote to memory of 1764 224 7a0d88fc91.exe 103 PID 224 wrote to memory of 1764 224 7a0d88fc91.exe 103 PID 224 wrote to memory of 1764 224 7a0d88fc91.exe 103 PID 224 wrote to memory of 1764 224 7a0d88fc91.exe 103 PID 224 wrote to memory of 1764 224 7a0d88fc91.exe 103 PID 2760 wrote to memory of 4060 2760 axplong.exe 108 PID 2760 wrote to memory of 4060 2760 axplong.exe 108 PID 2760 wrote to memory of 4060 2760 axplong.exe 108 PID 4060 wrote to memory of 3548 4060 d51c3b53b7.exe 109 PID 4060 wrote to memory of 3548 4060 d51c3b53b7.exe 109 PID 4060 wrote to memory of 3548 4060 d51c3b53b7.exe 109 PID 2760 wrote to memory of 2116 2760 axplong.exe 112 PID 2760 wrote to memory of 2116 2760 axplong.exe 112 PID 2760 wrote to memory of 2116 2760 axplong.exe 112 PID 3548 wrote to memory of 2564 3548 skotes.exe 114 PID 3548 wrote to memory of 2564 3548 skotes.exe 114 PID 3548 wrote to memory of 2564 3548 skotes.exe 114 PID 3548 wrote to memory of 2356 3548 skotes.exe 115 PID 3548 wrote to memory of 2356 3548 skotes.exe 115 PID 3548 wrote to memory of 2356 3548 skotes.exe 115 PID 2356 wrote to memory of 3404 2356 x0qQ2DH.exe 116 PID 2356 wrote to memory of 3404 2356 x0qQ2DH.exe 116 PID 2356 wrote to memory of 3404 2356 x0qQ2DH.exe 116 PID 3404 wrote to memory of 4996 3404 NordVPNSetup.exe 117 PID 3404 wrote to memory of 4996 3404 NordVPNSetup.exe 117 PID 3404 wrote to memory of 4996 3404 NordVPNSetup.exe 117 PID 3548 wrote to memory of 3772 3548 skotes.exe 119 PID 3548 wrote to memory of 3772 3548 skotes.exe 119 PID 3548 wrote to memory of 3772 3548 skotes.exe 119 PID 3548 wrote to memory of 4532 3548 skotes.exe 120 PID 3548 wrote to memory of 4532 3548 skotes.exe 120 PID 3548 wrote to memory of 4532 3548 skotes.exe 120 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 2564 wrote to memory of 4144 2564 Cq6Id6x.exe 121 PID 3548 wrote to memory of 3712 3548 skotes.exe 123 PID 3548 wrote to memory of 3712 3548 skotes.exe 123 PID 3548 wrote to memory of 3712 3548 skotes.exe 123 PID 3712 wrote to memory of 1340 3712 kf5cl0F.exe 125 PID 3712 wrote to memory of 1340 3712 kf5cl0F.exe 125 PID 3712 wrote to memory of 1340 3712 kf5cl0F.exe 125 PID 3548 wrote to memory of 2856 3548 skotes.exe 127 PID 3548 wrote to memory of 2856 3548 skotes.exe 127 PID 3548 wrote to memory of 2856 3548 skotes.exe 127 PID 3712 wrote to memory of 4404 3712 kf5cl0F.exe 129 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2892
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1764
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵PID:5872
-
-
C:\Users\Admin\AppData\Local\Temp\211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe"C:\Users\Admin\AppData\Local\Temp\211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe"C:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\onefile_3860_133790408952263883\trunk.exeC:\Users\Admin\AppData\Local\Temp\1007054001\trunk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007312001\4eb67ca1bd.exe"C:\Users\Admin\AppData\Local\Temp\1007312001\4eb67ca1bd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3604
-
-
C:\Users\Admin\AppData\Local\Temp\1007313001\7a0d88fc91.exe"C:\Users\Admin\AppData\Local\Temp\1007313001\7a0d88fc91.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 5364⤵
- Program crash
PID:4912
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007314001\d51c3b53b7.exe"C:\Users\Admin\AppData\Local\Temp\1007314001\d51c3b53b7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4144
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\is-TM4P6.tmp\NordVPNSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TM4P6.tmp\NordVPNSetup.tmp" /SL5="$9009E,15409387,73728,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4996 -
C:\Windows\system32\rundll32.exe"rundll32.exe " SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\VS Revo Group\Revo Uninstaller Pro\revoflt.inf8⤵
- Drops file in Drivers directory
- Adds Run key to start application
PID:2200 -
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r9⤵
- Checks processor information in registry
PID:4352 -
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o10⤵PID:1588
-
-
-
-
C:\Windows\system32\regsvr32.exe"regsvr32" "C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RUExt.dll" /s8⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies registry class
PID:4204
-
-
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\ruplp.exe" /regserver /NOREDIRECT8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1764
-
-
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe" /bc8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308
-
-
C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"C:\Program Files\VS Revo Group\Revo Uninstaller Pro\RevoUninPro.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016974001\044d040a1b.exe"C:\Users\Admin\AppData\Local\Temp\1016974001\044d040a1b.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3772
-
-
C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe"C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4532
-
-
C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\oqjtzg"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
-
C:\oqjtzg\b57d061cb26c4e57b088f3531bfce386.exe"C:\oqjtzg\b57d061cb26c4e57b088f3531bfce386.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3776
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\1017192001\cecff7cfae.exe"C:\Users\Admin\AppData\Local\Temp\1017192001\cecff7cfae.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\1017192001\cecff7cfae.exe"C:\Users\Admin\AppData\Local\Temp\1017192001\cecff7cfae.exe"6⤵
- Executes dropped EXE
PID:4508
-
-
C:\Users\Admin\AppData\Local\Temp\1017192001\cecff7cfae.exe"C:\Users\Admin\AppData\Local\Temp\1017192001\cecff7cfae.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017194001\c211156b92.exe"C:\Users\Admin\AppData\Local\Temp\1017194001\c211156b92.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\3Q3R0EYOT5L0NU0VU.exe"C:\Users\Admin\AppData\Local\Temp\3Q3R0EYOT5L0NU0VU.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5368
-
-
C:\Users\Admin\AppData\Local\Temp\W09N7EX3PRLX3RLU.exe"C:\Users\Admin\AppData\Local\Temp\W09N7EX3PRLX3RLU.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2264
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017195001\c538ba3b49.exe"C:\Users\Admin\AppData\Local\Temp\1017195001\c538ba3b49.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\1017196001\4b323c4264.exe"C:\Users\Admin\AppData\Local\Temp\1017196001\4b323c4264.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1344
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:960
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2212 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c35bede1-b41e-4f09-a644-80e773b244c7} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" gpu8⤵PID:2248
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe8051f-b937-4947-84a1-0157dbb26c83} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" socket8⤵PID:624
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3408 -childID 1 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {408b8fec-96dc-4d0e-9a83-c5d8e84455cd} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab8⤵PID:4648
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3436 -childID 2 -isForBrowser -prefsHandle 2808 -prefMapHandle 2812 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29e15804-c71a-4cba-ba0a-0692e71048d4} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab8⤵PID:4776
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4692 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4476 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3037d320-360b-40af-8cf5-5cfe795dbeb2} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" utility8⤵
- Checks processor information in registry
PID:5916
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 3 -isForBrowser -prefsHandle 5740 -prefMapHandle 1124 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b85ba37-4b99-4d4f-98ab-ddd22bbed9c6} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab8⤵PID:5828
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 4 -isForBrowser -prefsHandle 5848 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c828216-1d38-4bba-bb09-e5f246ecffc6} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab8⤵PID:5660
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 6040 -prefMapHandle 6044 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c994539-dff4-4a0c-ae9c-6e5bafb19ff0} 2212 "\\.\pipe\gecko-crash-server-pipe.2212" tab8⤵PID:5756
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017197001\ab9c884a6f.exe"C:\Users\Admin\AppData\Local\Temp\1017197001\ab9c884a6f.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
C:\Users\Admin\AppData\Local\Temp\1017198001\ebda63061e.exe"C:\Users\Admin\AppData\Local\Temp\1017198001\ebda63061e.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5288 -
C:\Users\Admin\AppData\Local\Temp\1017198001\ebda63061e.exe"C:\Users\Admin\AppData\Local\Temp\1017198001\ebda63061e.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5340
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017199001\6a68dd3553.exe"C:\Users\Admin\AppData\Local\Temp\1017199001\6a68dd3553.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5856
-
-
C:\Users\Admin\AppData\Local\Temp\1017200001\594a6989b5.exe"C:\Users\Admin\AppData\Local\Temp\1017200001\594a6989b5.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5616
-
-
C:\Users\Admin\AppData\Local\Temp\1017201001\81938ae1fe.exe"C:\Users\Admin\AppData\Local\Temp\1017201001\81938ae1fe.exe"5⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:5544
-
-
C:\Users\Admin\AppData\Local\Temp\1017202001\e34353082b.exe"C:\Users\Admin\AppData\Local\Temp\1017202001\e34353082b.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1420 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\yrdevyvdww"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5640
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"6⤵
- Command and Scripting Interpreter: PowerShell
PID:2192
-
-
C:\yrdevyvdww\9e1672a0d9bb486495b5deb9d35f7fd4.exe"C:\yrdevyvdww\9e1672a0d9bb486495b5deb9d35f7fd4.exe"6⤵PID:3648
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017203001\8e61526c80.exe"C:\Users\Admin\AppData\Local\Temp\1017203001\8e61526c80.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 5366⤵
- Program crash
PID:4800
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017204001\4777444e95.exe"C:\Users\Admin\AppData\Local\Temp\1017204001\4777444e95.exe"5⤵PID:5204
-
C:\Users\Admin\AppData\Local\Temp\1017204001\4777444e95.exe"C:\Users\Admin\AppData\Local\Temp\1017204001\4777444e95.exe"6⤵PID:5936
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007315001\26a0cd0104.exe"C:\Users\Admin\AppData\Local\Temp\1007315001\26a0cd0104.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2116
-
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 224 -ip 2241⤵PID:856
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:784
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3092
-
C:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exeC:\PROGRA~1\VSREVO~1\REVOUN~1\ruplp.exe -Embedding1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2756 -ip 27561⤵PID:5220
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Change Default File Association
1Component Object Model Hijacking
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
24.2MB
MD5c8c368988a2a4c2a953b7db4bca47961
SHA15acc29b51284146a9ff7b1587c3d89416e66acdf
SHA256f680e0fe00a48f6e3d079c1572682d6664f476b119745d73cb852baba58cc683
SHA5125fdef1f4e3b471910fe2b12f6f6aa8bfad3f2a9c80954843085c79139823a88e0c7d921b7c01dda56871800afc20de4739682c02e9fa6a94715c64207a671b30
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json
Filesize24KB
MD5088f9a5e57d4f4030cab052caa4193d0
SHA11e5f59b55686ba287d6aa99613113d6d80046dd1
SHA2564d15b314f92e8a282add52f8e238f9e1ed24c0ba74275b66ca28eaa58ea0b57d
SHA5128ba429cc0617ef795f66484fc93c9eb2b597412984ca508b68b576e2916ef203d37009eb13a88aebd28b3ee3cd2cfc065ab87944584a83d17943433c0299cabd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
Filesize13KB
MD5f4b10d9a9ce007b91629094b89c7a8de
SHA14908bf67dc8f04418290dd0f932299f6411538df
SHA256038169a51bb66d29d26d2cb9e5f695d371cbe276bc7ace38a7f34db21497ef91
SHA512673a1468e01addd26d397995b61812c3809ff00f166b1005e63640a34a8db8c67d49f33ad2383c87eed31bce3d2fff3001777cfe54211bd1fd15217dfb7c72d0
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
10.2MB
MD5d3b39a6b63c3822be6f8af9b3813bbad
SHA100b020e5a1c05442612f2cec7950c2814b59b1b6
SHA256786f1331a0618485b31ba763911b14fcec691bf9897bee8f42680076092b7a2f
SHA512a5c7504b29798fdabf610cf65716ec1d7745956f470d86de12a52b3c8731f858764fdf78647e50b3111622e7e65f05f82cd258b98c1a0f45ef7fdc088647d4ff
-
Filesize
2.8MB
MD59122e2bcf23186c18f6600aa3548a997
SHA1f1fb113d1659300ff0edae392398a51235685665
SHA25661b12be55358b1356a682c7e891c42205afcb367ac9025feefec5b08a333bfcc
SHA512d7c6a752fe10d846eb15deb16c2d3bbc800460c21af6a75fb21a661d38f2ef023b3028ce535f80448123da7d1191f815c971783132260758496dd6f5fc6950c4
-
Filesize
1.9MB
MD5cbcfb4d5443855cec4a4871e69d7e58e
SHA1c44cec80d1c60979299f3d52d4d7d0bfb75dee21
SHA256120957e5a588345f6c6af3908edde7cd04bf78a3ec7655a81c0098970e97e2ec
SHA512c40472c1a225211916bbf96761de1d939ac31ca50755512ed541bd93861c5c6635ae0aa10f73655ca0c45db0ab31c77c2bba765b58fceb4529f06b633742e39a
-
Filesize
2.8MB
MD58cbe0ced0c0f7bfbdf19128ba80adb99
SHA115e615a0fe64fe5200dd916232d9bc26b1c3d815
SHA256055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895
SHA5124b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938
-
Filesize
4.2MB
MD51bba40cd593bed2b1f35529f02a1bc01
SHA1a0d27bf89c1d0ef1da317b101d134dd83a326fd9
SHA2560c9d197700bb3c5a707382a110a0466daa05c6d44793a60248c69c1784b02237
SHA512f75b3e7ea9751b2e3f02d90de33f46cee91a2c464d2e32072dc3ca5aef85cd3e46be44e87ac1201b3b9fe08ba015522d9094869347afe2809b30a3bc0c57182d
-
Filesize
3.1MB
MD5f9b9f98592292b5cbf59c7a60e9ebaee
SHA159cc872fd0a11b259cc5b70893f35e9b5a7c8cbb
SHA2565688e9e0becc622c573af2a1af4ee0676ef3907e38a9258a7801b46b7ad64665
SHA512f27e4a96173aeb064f47d44ff445b1e15f6d4f39a4ad711c019bb29692caea56eb910970d22bc13ac5c57a256d71e77b12aa60c8405335a239781c57cb0eaf8e
-
Filesize
17.6MB
MD53c224e3fc892719dc1e302378e533579
SHA10a65062e1426a95bfeca355398b6fdc4912fb6b1
SHA25664cc7f7906fe1ebf0b6977892abd9aa36f5e525cb241964c3986ee9e1a18312d
SHA512554a26e9654eccce831e4adcee49d5e2507956935e562b134a86f332d867debfcd1f64fdb88fccb2e1eee810975d565dbc6ea1376516817ee38765e4bd733a49
-
Filesize
2.8MB
MD58f0a96de651243bd92487d6281594240
SHA1139e1824f6b2a6bb1d2c5b7b19e336976164da98
SHA25609746a78e3bac9ee20a487f0efc864dcfed4d1e89cd6b1e84e76f188987914d2
SHA5122a63c5439ec65900a7383277b5b81bd3c1d932d75879c634351e53ae9f10c8819f4ea32bfb3935df8514c17831beb03c217c5ec0367b58bb682d4dc480f0b5ea
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
1.8MB
MD5ffd3e08783983aa539d8056c4a45755a
SHA135319d1dfd1accbf215edf312d26c62ffe44193b
SHA256f0a572023009f960fc10a93f127dd60641929b63a63f9c51c8a0c2e2aec6f5f0
SHA512079743895dbf994875f12309db2493e1a6365a92e76aea3e0494e2a99bedd3e93a14298a6cef1543ab00748d44aad36f41ffac841e0de72f48458a66c701f4af
-
Filesize
945KB
MD5dfb8c708ccb6c1db1e96a93c74f43fed
SHA16744eefe63b1576820dbfb280f688e84260cd15d
SHA25637cb8b12dc71e54353806cc79a1f274a1b2719407b18988d9bfc1641c539f36b
SHA512468c7011b96cdc5680918c0ecc50fa6606c576ae11e2ecd4b2af42571df912818356247ebcf5f18c412ee0f897260f5a0b16dbcfd650732da1e16c786cb50de8
-
Filesize
1.7MB
MD5f5c9f0438e3c02bc9ef1435d9dd0a821
SHA118af196ad4bccfa8848ad9b7d68580008fcb9ed2
SHA2568c2166ee7dccc82b851f1e4e0cfe03da6e1c3dc7a7cc18a541073e6e77efde7a
SHA512b5308945d033171646cb7484072476602d1ec3c766a36ffd70a9ef41451dc2ce2c33179b7f726952455231c5ba7b5fbdba03f78e5b294f269b8ce908833083de
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
4.3MB
MD5c85e8fbe79404550962a289efec68827
SHA1979e2c636887d7a73b1537cb66da879fc809bb0f
SHA25675548f4c67674ae7fca0c89630bdb0c4adb57a476fbfd7b6e793aa9dbbdfdd9c
SHA512c097329db9865da9bdb641c38b7e56e4e4d02fc146187d976397a25e0e51e172fd01e77a48c4a5bed1b23c8d3a239d548f69db2a084db8bbfcd006ba68350475
-
Filesize
747KB
MD58a9cb17c0224a01bd34b46495983c50a
SHA100296ea6a56f6e10a0f1450a20c5fb329b8856c1
SHA2563d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
SHA5121472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840
-
Filesize
2.8MB
MD5eadab56cfbaef413b705dac5db36aa16
SHA1163fc1a47691e79e6bbffbab8be7f795bd55d99d
SHA256211ea35545389fab23d79e5e83b02a53d000971e6e4fc0a1346fc38bc97d72d1
SHA512461087bdc52f78dde32330aa2240216527be6586903071f63cff43b4d0d43089262265816fc6f5ac3072d67624255fae694476754a4cf2a43990155051e0e014
-
Filesize
13KB
MD5f19cb847e567a31fab97435536c7b783
SHA14c8bfe404af28c1781740e7767619a5e2d2ff2b7
SHA2561ece1dc94471d6977dbe2ceeba3764adf0625e2203d6257f7c781c619d2a3dad
SHA512382dc205f703fc3e1f072f17f58e321e1a65b86be7d9d6b07f24a02a156308a7fec9b1a621ba1f3428fd6bb413d14ae9ecb2a2c8dd62a7659776cffdebb6374c
-
Filesize
10KB
MD5f24f9356a6bdd29b9ef67509a8bc3a96
SHA1a26946e938304b4e993872c6721eb8cc1dcbe43b
SHA256034bb8efe3068763d32c404c178bd88099192c707a36f5351f7fdb63249c7f81
SHA512c4d3f92d7558be1a714388c72f5992165dd7a9e1b4fa83b882536030542d93fdad9148c981f76fff7868192b301ac9256edb8c3d5ce5a1a2acac183f96c1028b
-
Filesize
48KB
MD5f8dfa78045620cf8a732e67d1b1eb53d
SHA1ff9a604d8c99405bfdbbf4295825d3fcbc792704
SHA256a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5
SHA512ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371
-
Filesize
122KB
MD55377ab365c86bbcdd998580a79be28b4
SHA1b0a6342df76c4da5b1e28a036025e274be322b35
SHA2566c5f31bef3fdbff31beac0b1a477be880dda61346d859cf34ca93b9291594d93
SHA51256f28d431093b9f08606d09b84a392de7ba390e66b7def469b84a21bfc648b2de3839b2eee4fb846bbf8bb6ba505f9d720ccb6bb1a723e78e8e8b59ab940ac26
-
Filesize
174KB
MD590f080c53a2b7e23a5efd5fd3806f352
SHA1e3b339533bc906688b4d885bdc29626fbb9df2fe
SHA256fa5e6fe9545f83704f78316e27446a0026fbebb9c0c3c63faed73a12d89784d4
SHA5124b9b8899052c1e34675985088d39fe7c95bfd1bbce6fd5cbac8b1e61eda2fbb253eef21f8a5362ea624e8b1696f1e46c366835025aabcb7aa66c1e6709aab58a
-
Filesize
36KB
MD5827615eee937880862e2f26548b91e83
SHA1186346b816a9de1ba69e51042faf36f47d768b6c
SHA25673b7ee3156ef63d6eb7df9900ef3d200a276df61a70d08bd96f5906c39a3ac32
SHA51245114caf2b4a7678e6b1e64d84b118fb3437232b4c0add345ddb6fbda87cebd7b5adad11899bdcd95ddfe83fdc3944a93674ca3d1b5f643a2963fbe709e44fb8
-
Filesize
292KB
MD550ea156b773e8803f6c1fe712f746cba
SHA12c68212e96605210eddf740291862bdf59398aef
SHA25694edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47
SHA51201ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0
-
Filesize
10KB
MD571d96f1dbfcd6f767d81f8254e572751
SHA1e70b74430500ed5117547e0cd339d6e6f4613503
SHA256611e1b4b9ed6788640f550771744d83e404432830bb8e3063f0b8ec3b98911af
SHA5127b10e13b3723db0e826b7c7a52090de999626d5fa6c8f9b4630fdeef515a58c40660fa90589532a6d4377f003b3cb5b9851e276a0b3c83b9709e28e6a66a1d32
-
Filesize
5.0MB
MD5123ad0908c76ccba4789c084f7a6b8d0
SHA186de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA2564e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA51280fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04
-
Filesize
774KB
MD54ff168aaa6a1d68e7957175c8513f3a2
SHA1782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA2562e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3
-
Filesize
508KB
MD50fc69d380fadbd787403e03a1539a24a
SHA177f067f6d50f1ec97dfed6fae31a9b801632ef17
SHA256641e0b0fa75764812fff544c174f7c4838b57f6272eaae246eb7c483a0a35afc
SHA512e63e200baf817717bdcde53ad664296a448123ffd055d477050b8c7efcab8e4403d525ea3c8181a609c00313f7b390edbb754f0a9278232ade7cfb685270aaf0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD540390f2113dc2a9d6cfae7127f6ba329
SHA19c886c33a20b3f76b37aa9b10a6954f3c8981772
SHA2566ba9c910f755885e4d356c798a4dd32d2803ea4cfabb3d56165b3017d0491ae2
SHA512617b963816838d649c212c5021d7d0c58839a85d4d33bbaf72c0ec6ecd98b609080e9e57af06fa558ff302660619be57cc974282826ab9f21ae0d80fbaa831a1
-
Filesize
12KB
MD5899895c0ed6830c4c9a3328cc7df95b6
SHA1c02f14ebda8b631195068266ba20e03210abeabc
SHA25618d568c7be3e04f4e6026d12b09b1fa3fae50ff29ac3deaf861f3c181653e691
SHA5120b4c50e40af92bc9589668e13df417244274f46f5a66e1fc7d1d59bc281969ba319305becea119385f01cc4603439e4b37afa2cf90645425210848a02839e3e7
-
Filesize
14KB
MD5c4c525b081f8a0927091178f5f2ee103
SHA1a1f17b5ea430ade174d02ecc0b3cb79dbf619900
SHA2564d86a90b2e20cde099d6122c49a72bae081f60eb2eea0f76e740be6c41da6749
SHA5127c06e3e6261427bc6e654b2b53518c7eaa5f860a47ae8e80dc3f8f0fed91e122cb2d4632188dc44123fb759749b5425f426cd1153a8f84485ef0491002b26555
-
Filesize
10KB
MD580bb1e0e06acaf03a0b1d4ef30d14be7
SHA1b20cac0d2f3cd803d98a2e8a25fbf65884b0b619
SHA2565d1c2c60c4e571b88f27d4ae7d22494bed57d5ec91939e5716afa3ea7f6871f6
SHA5122a13ab6715b818ad62267ab51e55cd54714aebf21ec9ea61c2aefd56017dc84a6b360d024f8682a2e105582b9c5fe892ecebd2bef8a492279b19ffd84bc83fa5
-
Filesize
11KB
MD519e0abf76b274c12ff624a16713f4999
SHA1a4b370f556b925f7126bf87f70263d1705c3a0db
SHA256d9fda05ae16c5387ab46dc728c6edce6a3d0a9e1abdd7acb8b32fc2a17be6f13
SHA512d03033ea5cf37641fbd802ebeb5019caef33c9a78e01519fea88f87e773dca92c80b74ba80429b530694dad0bfa3f043a7104234c7c961e18d48019d90277c8e
-
Filesize
13KB
MD5d54feb9a270b212b0ccb1937c660678a
SHA1224259e5b684c7ac8d79464e51503d302390c5c9
SHA256032b83f1003a796465255d9b246050a196488bac1260f628913e536314afded4
SHA51229955a6569ca6d039b35bb40c56aeeb75fc765600525d0b469f72c97945970a428951bab4af9cd21b3161d5bba932f853778e2674ca83b14f7aba009fa53566f
-
Filesize
17KB
MD5556e6d0e5f8e4da74c2780481105d543
SHA17a49cdef738e9fe9cd6cd62b0f74ead1a1774a33
SHA256247b0885cf83375211861f37b6dd1376aed5131d621ee0137a60fe7910e40f8b
SHA51228fa0ce6bdbcc5e95b80aadc284c12658ef0c2be63421af5627776a55050ee0ea0345e30a15b744fc2b2f5b1b1bbb61e4881f27f6e3e863ebaaeed1073f4cda1
-
Filesize
21KB
MD5cde035b8ab3d046b1ce37eee7ee91fa0
SHA14298b62ed67c8d4f731d1b33e68d7dc9a58487ff
SHA25616bea322d994a553b293a724b57293d57da62bc7eaf41f287956b306c13fd972
SHA512c44fdee5a210459ce4557351e56b2d357fd4937f8ec8eaceab842fee29761f66c2262fcbaac837f39c859c67fa0e23d13e0f60b3ae59be29eb9d8abab0a572bb
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD530f396f8411274f15ac85b14b7b3cd3d
SHA1d3921f39e193d89aa93c2677cbfb47bc1ede949c
SHA256cb15d6cc7268d3a0bd17d9d9cec330a7c1768b1c911553045c73bc6920de987f
SHA5127d997ef18e2cbc5bca20a4730129f69a6d19abdda0261b06ad28ad8a2bddcdecb12e126df9969539216f4f51467c0fe954e4776d842e7b373fe93a8246a5ca3f
-
Filesize
64KB
MD5a25bc2b21b555293554d7f611eaa75ea
SHA1a0dfd4fcfae5b94d4471357f60569b0c18b30c17
SHA25643acecdc00dd5f9a19b48ff251106c63c975c732b9a2a7b91714642f76be074d
SHA512b39767c2757c65500fc4f4289cb3825333d43cb659e3b95af4347bd2a277a7f25d18359cedbdde9a020c7ab57b736548c739909867ce9de1dbd3f638f4737dc5
-
Filesize
156KB
MD59e94fac072a14ca9ed3f20292169e5b2
SHA11eeac19715ea32a65641d82a380b9fa624e3cf0d
SHA256a46189c5bd0302029847fed934f481835cb8d06470ea3d6b97ada7d325218a9f
SHA512b7b3d0f737dd3b88794f75a8a6614c6fb6b1a64398c6330a52a2680caf7e558038470f6f3fc024ce691f6f51a852c05f7f431ac2687f4525683ff09132a0decb
-
Filesize
31KB
MD5e1c6ff3c48d1ca755fb8a2ba700243b2
SHA12f2d4c0f429b8a7144d65b179beab2d760396bfb
SHA2560a6acfd24dfbaa777460c6d003f71af473d5415607807973a382512f77d075fa
SHA51255bfd1a848f2a70a7a55626fb84086689f867a79f09726c825522d8530f4e83708eb7caa7f7869155d3ae48f3b6aa583b556f3971a2f3412626ae76680e83ca1
-
Filesize
81KB
MD569801d1a0809c52db984602ca2653541
SHA10f6e77086f049a7c12880829de051dcbe3d66764
SHA25667aca001d36f2fce6d88dbf46863f60c0b291395b6777c22b642198f98184ba3
SHA5125fce77dd567c046feb5a13baf55fdd8112798818d852dfecc752dac87680ce0b89edfbfbdab32404cf471b70453a33f33488d3104cd82f4e0b94290e83eae7bb
-
Filesize
122KB
MD5d8f690eae02332a6898e9c8b983c56dd
SHA1112c1fe25e0d948f767e02f291801c0e4ae592f0
SHA256c6bb8cad80b8d7847c52931f11d73ba64f78615218398b2c058f9b218ff21ca9
SHA512e732f79f39ba9721cc59dbe8c4785ffd74df84ca00d13d72afa3f96b97b8c7adf4ea9344d79ee2a1c77d58ef28d3ddcc855f3cb13edda928c17b1158abcc5b4a
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
6.6MB
MD5166cc2f997cba5fc011820e6b46e8ea7
SHA1d6179213afea084f02566ea190202c752286ca1f
SHA256c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA51249d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb
-
Filesize
30KB
MD57c14c7bc02e47d5c8158383cb7e14124
SHA15ee9e5968e7b5ce9e4c53a303dac9fc8faf98df3
SHA25600bd8bb6dec8c291ec14c8ddfb2209d85f96db02c7a3c39903803384ff3a65e5
SHA512af70cbdd882b923013cb47545633b1147ce45c547b8202d7555043cfa77c1deee8a51a2bc5f93db4e3b9cbf7818f625ca8e3b367bffc534e26d35f475351a77c
-
Filesize
18.0MB
MD586ddf66d8651d0baa1cc13d6f8c18dc1
SHA1ee15109134300e555085811f4060048e245269f9
SHA256ee045dffee8b48356106a2105803b73776b73bf7462d364b1f82540fcf72f4cf
SHA512385fce7ded01cba93f842a1b698b78e3eb1d73833c282669ebe6bea22ec6c4957b179325614f17ecb7c7357051fb7381e011cf2ebc0f5ca2f24414f0e23a0c6c
-
Filesize
1.1MB
MD5a8ed52a66731e78b89d3c6c6889c485d
SHA1781e5275695ace4a5c3ad4f2874b5e375b521638
SHA256bf669344d1b1c607d10304be47d2a2fb572e043109181e2c5c1038485af0c3d7
SHA5121c131911f120a4287ebf596c52de047309e3be6d99bc18555bd309a27e057cc895a018376aa134df1dc13569f47c97c1a6e8872acedfa06930bbf2b175af9017
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize7KB
MD5ac6fef67d7223d80ce1f073c733c318b
SHA15fc8fc245f9c39e1b65ace5a75f6778b311f4999
SHA256217f6ed523b9319cc5a5c94f460b8064504ccd5580fe7dd6740ef64be43ff5ce
SHA512da86792a390eef0189877346e313cdcd7987cd0b1dfbae636724b3d9ac2a9a7907a3ee1308eef358a40fb884b4b8329ed2a1fb6fa8e18f5581f31d840767c074
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin
Filesize8KB
MD573047a89c7cbf5fc77f6f078a2abbc92
SHA13118f2675d7961d3a76b965dabad8d1709955f5b
SHA256dd63b428050efedc5e20e40c1d90fa12cfc6b86c7f8722dbec7fbaf644f126d6
SHA5128d423a88dc0bf7e5f76b776da83fb5ec2736c32e025f749abeb326bd9adcec47c5003eb34d38ebaab84e4055422ea0ee25145100d03c5e96599fbb5f3278ce82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5591b7811e7dd861a8c837e0ae00240c4
SHA1ee9c8eef8df2b6a29538a7f387ededd760ccbb0d
SHA2561e6438d140f53626f2810304aca05c7d3d404ec1a8001e6af9f38abd752e5019
SHA512153f1bad979cf9b3aedb99a304cab2e18af68f0bf4353d90b37cec4fcdc4a41048adc26828a43784de988debd192d42a3041cb6baaa321a9a22fc92a0b05ae7b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD5dbac57c09541cb604a9992277640bb0e
SHA103403cfe9efbd420ea836dc29e6c86bb52d1e9f7
SHA25698917f956dc948bf4c0c82d7404cb40f97695d8e8acd45ab42eb0b3d10ab53d1
SHA512c604e765fa36d4660a139ee8e92f90f6b2510330bb1c8d5b57f1efe678a378c2845d1b9f59182b76045a4d8bbd71593ef4a3ac2147d7878e9a679e5c2d7374ea
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD5c690b0324ef8201db39444ae1e55f628
SHA1c810e22078e04dba900740c223b30d5298a4abb0
SHA256aa6d47c4f64349f2edf72cf99eb77ed54052b15f3740dc6ba3b7b851a61df2f5
SHA512f202a0fba1504d95b116014c8cb27a6a5e5246b71ea99bf2cbbeafa8c7d177cec9a1e43400575df25ccb112834a6ea8f29455f95f58d304be51cdfdb7460e814
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize24KB
MD529fb0c4f9e48c403eb269ba4af0c6a70
SHA1f71cfdc61afa2385f9b70422e52e8f0cb8c10e3b
SHA256db223df3c341ba63d112fb90e3b8721dcb3776f119ff09f7908cbf936d084ba6
SHA512cdeb4048c9ec23d8b601d3e5f0f0cb1b9b6cf45e6d9d56f1e59ef7208d89ca19ac3c87869bb3e116c12ceb9e212876918057340288ff8aefb68f972c3429205d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize21KB
MD569675f3dc544cb4c379a5b18486114c3
SHA1078b7187eb3a6b827a077d41bb958b98972cf13f
SHA256ac15a9fd324acc41fdd0ed8ecd47440887b427537226399dfc9dc6ecdd76355e
SHA5122eb65ca38e3f3c835f7c692d5119ca226a68d900f3fe5af000dcfc8083c4d2987842a78dcb072a8fb5ec77a52b6eda227ad9c4b60180efa4d4e03f5f6787f176
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp
Filesize20KB
MD5f0f08ff0fb219b7060a0e67f5641b908
SHA10b29beba947c6c1391a665e1241f43d4360dca88
SHA2566f1b567653456a36224f8bee29631bada6e14e9654c132f193edffa904a6ddd4
SHA512886f274a5c6a1e091aec314ab9f31bbbb7d767b397b18f7f8549b8a815108222aa1fd709033a2615f851ab75aa5c66afd84e7787d426d5eab6433874b5aa6f6e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\627493be-cb72-4bce-b511-7a0616673be8
Filesize659B
MD5e11850b755cd67e8c312a51e742595c0
SHA149bfa2bc23eeab57ad9f0cea5e023ea50d8a628e
SHA256513e111395fcd11fb3086ec580df31de75e7e0d2f662de865a6a87ad47a985ac
SHA51253babe533ab8740d72c1619a478644e7f17e0851b111f5b45e6b29f7b47c5fa40f793f7beea843fb5a0f24bafe7d94a797dc057571863eb331d86eef24bac410
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\c9dbf658-a636-402c-817a-25a04f447253
Filesize982B
MD5dc521702ed43c9da9315792be5b44d41
SHA173716633db35d00b5db20940fed83ee09342fa61
SHA256061d600327701bf56f34c4e7151784210d3b52a84e39f6a1d5edf8d0f60a1fb7
SHA512f63ea5b3bc7efbb53a85e166a050e1a3dccf8e09cb8b253868983734350741c6e24328139624467783cad760aaf1a8c3ce4eab99c2336a42efe5651aeb966c6d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD51314fff0d3399f372feb1902392c57b5
SHA1165e69c0e4e4bb6dfb4274151e8ef0da40988eaf
SHA256938933918a972937233be6cdd2a3e0f065b42995a0a0e130d2d500a2372b1a5b
SHA512d8aad644af62397f07a76382955e86b258d99028a7c4cf08c880a922388b676d28175b39de42c228b221c6695f6d9343e18cce7453d8dab7e9004ca2c391bab9
-
Filesize
10KB
MD5b9bdcb2904868fe5bba536decd043fd6
SHA1f494575a1504eab5811def3ba1946b3de27159fd
SHA2565124f60916eb71b61dd5feea4e3fb3d649637e7a18ed63688245ba9ed0d5dc9c
SHA5121c89f5d51da58d718dab6113dc3ee49c155321cfd778e84e34015c6b820bbc8edb594d5f4148f9a12911e329dcc3a5f4f723c18e86408b4c14c2673c95a302dd
-
Filesize
37KB
MD5ec8e58e6b58b4fcde77431cda3a24c0e
SHA1ebb474009b2a2fbce648adff4b8b797fcd00c997
SHA25625667717bf4691957f07a6363585e2c7eaf22e5fd7229bf32c91ea59ef4a2edd
SHA512e2c667ebe97973ff27c1edf3e45ebf7950bc8d7aad1126da25290a2f590b21808654694cbe6a0ad1d3649566ec7645eb6b3379c7d7c0a650d5381a69e9cdade4
-
Filesize
1.2MB
MD5577cd52217da6d7163cea46bb01c107f
SHA182b31cc52c538238e63bdfc22d1ea306ea0b852a
SHA256139762e396fb930400fab8faab80cb679abbe642144261cba24973fb23bcd728
SHA5128abad4eaf2a302dfd9ead058e8c14d996437975730125c46d034a71028921ff36ff5d157ad3671e328ac667ec8095db19fa14a9e8eaaf1a7738aa3d0120b5474