Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
20-12-2024 20:58
Static task
static1
Behavioral task
behavioral1
Sample
c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe
Resource
win7-20240729-en
General
-
Target
c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe
-
Size
2.8MB
-
MD5
61cb850896f4b6aac18c72e82eb9ac90
-
SHA1
c1fcdd242b13e4c5ad99f7e76da886288622b6dc
-
SHA256
c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f
-
SHA512
d156751d3d9e353a116e55cbc9a9e87da03a4d29efe529344ce996324ec361f0472724bb8162c2be7ea6f291aaf2f7cbbc8659672777e182e40283fa661a2043
-
SSDEEP
49152:nZNt60MWKf4ZmSXyOQqcxSdj04drGcnaj0GpmeogTOpGg:nZNt66Kf4Zm4yOraSd44ZGEaoGpkzGg
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Signatures
-
Amadey family
-
Detect Vidar Stealer 4 IoCs
resource yara_rule behavioral1/memory/2592-164-0x00000000034C0000-0x00000000036F9000-memory.dmp family_vidar_v7 behavioral1/memory/2592-163-0x00000000034C0000-0x00000000036F9000-memory.dmp family_vidar_v7 behavioral1/memory/2592-322-0x00000000034C0000-0x00000000036F9000-memory.dmp family_vidar_v7 behavioral1/memory/2592-321-0x00000000034C0000-0x00000000036F9000-memory.dmp family_vidar_v7 -
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 8ec60caf49.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 8ec60caf49.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 8ec60caf49.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 8ec60caf49.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 8ec60caf49.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 8ec60caf49.exe -
Vidar family
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF ce6479e041.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 269ef1738b.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c19fb1cf27.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 42de031164.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 997a977ce3.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e1184f44c7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 269ef1738b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ce6479e041.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8ec60caf49.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1592 powershell.exe 2076 powershell.exe 2392 powershell.exe 1492 powershell.exe 2412 powershell.exe -
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Z9wx5_1948\ImagePath = "\\??\\C:\\Windows\\Temp\\p3jf86_1948.sys" vbc.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c19fb1cf27.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 42de031164.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8ec60caf49.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 42de031164.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8ec60caf49.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ce6479e041.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c19fb1cf27.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 997a977ce3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e1184f44c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 269ef1738b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ce6479e041.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 997a977ce3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e1184f44c7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 269ef1738b.exe -
Executes dropped EXE 32 IoCs
pid Process 1136 skotes.exe 2536 WEX7mCI.exe 2592 Dry.com 2108 77d4503e2c.exe 1676 e1184f44c7.exe 2056 bbb95df60e.exe 2444 bbb95df60e.exe 2860 003.exe 2952 4cc76774f9.exe 980 8fd6d530e2.exe 648 Dry.com 1596 269ef1738b.exe 2068 37d625c12a.exe 2248 3fc259db12.exe 2868 4cc76774f9.exe 9720 83ef3ddb90.exe 9868 7z.exe 9892 7z.exe 9924 7z.exe 9948 7z.exe 9976 7z.exe 10000 7z.exe 10024 7z.exe 10048 7z.exe 10080 in.exe 2824 ce6479e041.exe 3204 c19fb1cf27.exe 3620 42de031164.exe 4280 997a977ce3.exe 4828 c4278bf154.exe 8056 8ec60caf49.exe 4832 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine c19fb1cf27.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine 42de031164.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine 8ec60caf49.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine e1184f44c7.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine 269ef1738b.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine ce6479e041.exe Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine 997a977ce3.exe -
Loads dropped DLL 52 IoCs
pid Process 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 1136 skotes.exe 2536 WEX7mCI.exe 2772 cmd.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 2056 bbb95df60e.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 980 8fd6d530e2.exe 1788 cmd.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 2952 4cc76774f9.exe 1136 skotes.exe 9836 cmd.exe 9868 7z.exe 9836 cmd.exe 9892 7z.exe 9836 cmd.exe 9924 7z.exe 9836 cmd.exe 9948 7z.exe 9836 cmd.exe 9976 7z.exe 9836 cmd.exe 10000 7z.exe 9836 cmd.exe 10024 7z.exe 9836 cmd.exe 10048 7z.exe 9836 cmd.exe 9836 cmd.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 1136 skotes.exe 3204 c19fb1cf27.exe 4784 taskeng.exe 4784 taskeng.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Uses the VBS compiler for execution 1 TTPs
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 8ec60caf49.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 8ec60caf49.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\42de031164.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018861001\\42de031164.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\997a977ce3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018862001\\997a977ce3.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\c4278bf154.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018863001\\c4278bf154.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ec60caf49.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1018864001\\8ec60caf49.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000500000001c794-2910.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid Process 2856 tasklist.exe 1624 tasklist.exe 1800 tasklist.exe 332 tasklist.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 1136 skotes.exe 1676 e1184f44c7.exe 1596 269ef1738b.exe 2824 ce6479e041.exe 3204 c19fb1cf27.exe 3620 42de031164.exe 4280 997a977ce3.exe 8056 8ec60caf49.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2056 set thread context of 2444 2056 bbb95df60e.exe 52 PID 2860 set thread context of 1948 2860 003.exe 55 PID 2952 set thread context of 2868 2952 4cc76774f9.exe 88 PID 4832 set thread context of 4848 4832 Intel_PTT_EK_Recertification.exe 140 -
resource yara_rule behavioral1/memory/10080-2828-0x000000013F790000-0x000000013FC20000-memory.dmp upx behavioral1/memory/9836-2825-0x000000013F790000-0x000000013FC20000-memory.dmp upx -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe File opened for modification C:\Windows\CommunityProduction WEX7mCI.exe File opened for modification C:\Windows\ExtractNicholas WEX7mCI.exe File opened for modification C:\Windows\MpForgotten 8fd6d530e2.exe File opened for modification C:\Windows\CommunityProduction 8fd6d530e2.exe File opened for modification C:\Windows\ExtractNicholas 8fd6d530e2.exe File opened for modification C:\Windows\MpForgotten WEX7mCI.exe File opened for modification C:\Windows\TabletAction WEX7mCI.exe File opened for modification C:\Windows\TabletAction 8fd6d530e2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 54 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e1184f44c7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dry.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dry.com Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage c4278bf154.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbb95df60e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 77d4503e2c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language c4278bf154.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42de031164.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbb95df60e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 269ef1738b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ce6479e041.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 997a977ce3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4cc76774f9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fc259db12.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c19fb1cf27.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4cc76774f9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 83ef3ddb90.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ec60caf49.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8fd6d530e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WEX7mCI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c4278bf154.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2196 PING.EXE 4936 powershell.exe 5084 PING.EXE 10120 powershell.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Dry.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Dry.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Dry.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Dry.com Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 1644 timeout.exe 2280 timeout.exe -
Kills process with taskkill 5 IoCs
pid Process 4888 taskkill.exe 5080 taskkill.exe 1608 taskkill.exe 5188 taskkill.exe 5296 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a e1184f44c7.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a e1184f44c7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 bbb95df60e.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a bbb95df60e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 e1184f44c7.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2196 PING.EXE 5084 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 10112 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 45 IoCs
pid Process 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 1136 skotes.exe 2592 Dry.com 2592 Dry.com 2592 Dry.com 2108 77d4503e2c.exe 1592 powershell.exe 2076 powershell.exe 1676 e1184f44c7.exe 2592 Dry.com 2392 powershell.exe 2600 powershell.exe 648 Dry.com 648 Dry.com 648 Dry.com 1596 269ef1738b.exe 1596 269ef1738b.exe 1596 269ef1738b.exe 1596 269ef1738b.exe 1596 269ef1738b.exe 1596 269ef1738b.exe 2248 3fc259db12.exe 648 Dry.com 1492 powershell.exe 2412 powershell.exe 2868 4cc76774f9.exe 2868 4cc76774f9.exe 10120 powershell.exe 2824 ce6479e041.exe 2824 ce6479e041.exe 2824 ce6479e041.exe 2824 ce6479e041.exe 2824 ce6479e041.exe 2824 ce6479e041.exe 3204 c19fb1cf27.exe 3620 42de031164.exe 4280 997a977ce3.exe 4828 c4278bf154.exe 8056 8ec60caf49.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 8056 8ec60caf49.exe 8056 8ec60caf49.exe 4832 Intel_PTT_EK_Recertification.exe 4936 powershell.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1948 vbc.exe -
Suspicious use of AdjustPrivilegeToken 57 IoCs
description pid Process Token: SeDebugPrivilege 1624 tasklist.exe Token: SeDebugPrivilege 1800 tasklist.exe Token: SeDebugPrivilege 2108 77d4503e2c.exe Token: SeDebugPrivilege 1592 powershell.exe Token: SeDebugPrivilege 2076 powershell.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 332 tasklist.exe Token: SeDebugPrivilege 2856 tasklist.exe Token: SeLoadDriverPrivilege 1948 vbc.exe Token: SeDebugPrivilege 2600 powershell.exe Token: SeDebugPrivilege 2248 3fc259db12.exe Token: SeDebugPrivilege 1492 powershell.exe Token: SeDebugPrivilege 2412 powershell.exe Token: SeDebugPrivilege 2868 4cc76774f9.exe Token: SeRestorePrivilege 9868 7z.exe Token: 35 9868 7z.exe Token: SeSecurityPrivilege 9868 7z.exe Token: SeSecurityPrivilege 9868 7z.exe Token: SeRestorePrivilege 9892 7z.exe Token: 35 9892 7z.exe Token: SeSecurityPrivilege 9892 7z.exe Token: SeSecurityPrivilege 9892 7z.exe Token: SeRestorePrivilege 9924 7z.exe Token: 35 9924 7z.exe Token: SeSecurityPrivilege 9924 7z.exe Token: SeSecurityPrivilege 9924 7z.exe Token: SeRestorePrivilege 9948 7z.exe Token: 35 9948 7z.exe Token: SeSecurityPrivilege 9948 7z.exe Token: SeSecurityPrivilege 9948 7z.exe Token: SeRestorePrivilege 9976 7z.exe Token: 35 9976 7z.exe Token: SeSecurityPrivilege 9976 7z.exe Token: SeSecurityPrivilege 9976 7z.exe Token: SeRestorePrivilege 10000 7z.exe Token: 35 10000 7z.exe Token: SeSecurityPrivilege 10000 7z.exe Token: SeSecurityPrivilege 10000 7z.exe Token: SeRestorePrivilege 10024 7z.exe Token: 35 10024 7z.exe Token: SeSecurityPrivilege 10024 7z.exe Token: SeSecurityPrivilege 10024 7z.exe Token: SeRestorePrivilege 10048 7z.exe Token: 35 10048 7z.exe Token: SeSecurityPrivilege 10048 7z.exe Token: SeSecurityPrivilege 10048 7z.exe Token: SeDebugPrivilege 10120 powershell.exe Token: SeDebugPrivilege 4888 taskkill.exe Token: SeDebugPrivilege 5080 taskkill.exe Token: SeDebugPrivilege 1608 taskkill.exe Token: SeDebugPrivilege 5188 taskkill.exe Token: SeDebugPrivilege 5296 taskkill.exe Token: SeDebugPrivilege 5416 firefox.exe Token: SeDebugPrivilege 5416 firefox.exe Token: SeDebugPrivilege 8056 8ec60caf49.exe Token: SeDebugPrivilege 4936 powershell.exe Token: SeLockMemoryPrivilege 4848 explorer.exe -
Suspicious use of FindShellTrayWindow 21 IoCs
pid Process 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 2592 Dry.com 2592 Dry.com 2592 Dry.com 648 Dry.com 648 Dry.com 648 Dry.com 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 5416 firefox.exe 5416 firefox.exe 5416 firefox.exe 5416 firefox.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe -
Suspicious use of SendNotifyMessage 19 IoCs
pid Process 2592 Dry.com 2592 Dry.com 2592 Dry.com 648 Dry.com 648 Dry.com 648 Dry.com 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 5416 firefox.exe 5416 firefox.exe 5416 firefox.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe 4828 c4278bf154.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 848 wrote to memory of 1136 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 28 PID 848 wrote to memory of 1136 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 28 PID 848 wrote to memory of 1136 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 28 PID 848 wrote to memory of 1136 848 c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe 28 PID 1136 wrote to memory of 2536 1136 skotes.exe 30 PID 1136 wrote to memory of 2536 1136 skotes.exe 30 PID 1136 wrote to memory of 2536 1136 skotes.exe 30 PID 1136 wrote to memory of 2536 1136 skotes.exe 30 PID 2536 wrote to memory of 2772 2536 WEX7mCI.exe 31 PID 2536 wrote to memory of 2772 2536 WEX7mCI.exe 31 PID 2536 wrote to memory of 2772 2536 WEX7mCI.exe 31 PID 2536 wrote to memory of 2772 2536 WEX7mCI.exe 31 PID 2772 wrote to memory of 1624 2772 cmd.exe 33 PID 2772 wrote to memory of 1624 2772 cmd.exe 33 PID 2772 wrote to memory of 1624 2772 cmd.exe 33 PID 2772 wrote to memory of 1624 2772 cmd.exe 33 PID 2772 wrote to memory of 1460 2772 cmd.exe 34 PID 2772 wrote to memory of 1460 2772 cmd.exe 34 PID 2772 wrote to memory of 1460 2772 cmd.exe 34 PID 2772 wrote to memory of 1460 2772 cmd.exe 34 PID 2772 wrote to memory of 1800 2772 cmd.exe 36 PID 2772 wrote to memory of 1800 2772 cmd.exe 36 PID 2772 wrote to memory of 1800 2772 cmd.exe 36 PID 2772 wrote to memory of 1800 2772 cmd.exe 36 PID 2772 wrote to memory of 588 2772 cmd.exe 37 PID 2772 wrote to memory of 588 2772 cmd.exe 37 PID 2772 wrote to memory of 588 2772 cmd.exe 37 PID 2772 wrote to memory of 588 2772 cmd.exe 37 PID 2772 wrote to memory of 2036 2772 cmd.exe 38 PID 2772 wrote to memory of 2036 2772 cmd.exe 38 PID 2772 wrote to memory of 2036 2772 cmd.exe 38 PID 2772 wrote to memory of 2036 2772 cmd.exe 38 PID 2772 wrote to memory of 2028 2772 cmd.exe 39 PID 2772 wrote to memory of 2028 2772 cmd.exe 39 PID 2772 wrote to memory of 2028 2772 cmd.exe 39 PID 2772 wrote to memory of 2028 2772 cmd.exe 39 PID 2772 wrote to memory of 900 2772 cmd.exe 40 PID 2772 wrote to memory of 900 2772 cmd.exe 40 PID 2772 wrote to memory of 900 2772 cmd.exe 40 PID 2772 wrote to memory of 900 2772 cmd.exe 40 PID 2772 wrote to memory of 2592 2772 cmd.exe 41 PID 2772 wrote to memory of 2592 2772 cmd.exe 41 PID 2772 wrote to memory of 2592 2772 cmd.exe 41 PID 2772 wrote to memory of 2592 2772 cmd.exe 41 PID 2772 wrote to memory of 648 2772 cmd.exe 42 PID 2772 wrote to memory of 648 2772 cmd.exe 42 PID 2772 wrote to memory of 648 2772 cmd.exe 42 PID 2772 wrote to memory of 648 2772 cmd.exe 42 PID 1136 wrote to memory of 2108 1136 skotes.exe 43 PID 1136 wrote to memory of 2108 1136 skotes.exe 43 PID 1136 wrote to memory of 2108 1136 skotes.exe 43 PID 1136 wrote to memory of 2108 1136 skotes.exe 43 PID 2108 wrote to memory of 1592 2108 77d4503e2c.exe 45 PID 2108 wrote to memory of 1592 2108 77d4503e2c.exe 45 PID 2108 wrote to memory of 1592 2108 77d4503e2c.exe 45 PID 2108 wrote to memory of 1592 2108 77d4503e2c.exe 45 PID 2108 wrote to memory of 2076 2108 77d4503e2c.exe 47 PID 2108 wrote to memory of 2076 2108 77d4503e2c.exe 47 PID 2108 wrote to memory of 2076 2108 77d4503e2c.exe 47 PID 2108 wrote to memory of 2076 2108 77d4503e2c.exe 47 PID 1136 wrote to memory of 1676 1136 skotes.exe 49 PID 1136 wrote to memory of 1676 1136 skotes.exe 49 PID 1136 wrote to memory of 1676 1136 skotes.exe 49 PID 1136 wrote to memory of 1676 1136 skotes.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 10096 attrib.exe 10104 attrib.exe 10072 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe"C:\Users\Admin\AppData\Local\Temp\c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f_Sigmanly.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe"C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
PID:1460
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1800
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
PID:588
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2453475⤵
- System Location Discovery: System Language Discovery
PID:2036
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "profiles" Organizing5⤵
- System Location Discovery: System Language Discovery
PID:2028
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Judy + ..\Sheets + ..\Another + ..\Wanting b5⤵
- System Location Discovery: System Language Discovery
PID:900
-
-
C:\Users\Admin\AppData\Local\Temp\245347\Dry.comDry.com b5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2592 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\245347\Dry.com" & rd /s /q "C:\ProgramData\KFUAIWTJM7GV" & exit6⤵
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1644
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:648
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018838001\77d4503e2c.exe"C:\Users\Admin\AppData\Local\Temp\1018838001\77d4503e2c.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\wjyicueda"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018850001\e1184f44c7.exe"C:\Users\Admin\AppData\Local\Temp\1018850001\e1184f44c7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1676
-
-
C:\Users\Admin\AppData\Local\Temp\1018851001\bbb95df60e.exe"C:\Users\Admin\AppData\Local\Temp\1018851001\bbb95df60e.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Users\Admin\AppData\Local\Temp\1018851001\bbb95df60e.exe"C:\Users\Admin\AppData\Local\Temp\1018851001\bbb95df60e.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2444
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018852001\003.exe"C:\Users\Admin\AppData\Local\Temp\1018852001\003.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2860 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe4⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1948 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Remove-MpPreference -ExclusionPath C:\5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018853001\4cc76774f9.exe"C:\Users\Admin\AppData\Local\Temp\1018853001\4cc76774f9.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\1018853001\4cc76774f9.exe"C:\Users\Admin\AppData\Local\Temp\1018853001\4cc76774f9.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018854001\8fd6d530e2.exe"C:\Users\Admin\AppData\Local\Temp\1018854001\8fd6d530e2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move App App.cmd & App.cmd4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:332
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
PID:2276
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2453475⤵
- System Location Discovery: System Language Discovery
PID:2156
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "profiles" Organizing5⤵
- System Location Discovery: System Language Discovery
PID:2352
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Judy + ..\Sheets + ..\Another + ..\Wanting b5⤵
- System Location Discovery: System Language Discovery
PID:2144
-
-
C:\Users\Admin\AppData\Local\Temp\245347\Dry.comDry.com b5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:648 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\245347\Dry.com" & rd /s /q "C:\ProgramData\6F3E3ECTRI5F" & exit6⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2280
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
PID:2292
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018855001\269ef1738b.exe"C:\Users\Admin\AppData\Local\Temp\1018855001\269ef1738b.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1596
-
-
C:\Users\Admin\AppData\Local\Temp\1018856001\37d625c12a.exe"C:\Users\Admin\AppData\Local\Temp\1018856001\37d625c12a.exe"3⤵
- Executes dropped EXE
PID:2068
-
-
C:\Users\Admin\AppData\Local\Temp\1018857001\3fc259db12.exe"C:\Users\Admin\AppData\Local\Temp\1018857001\3fc259db12.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\alxqovhwb"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018858001\83ef3ddb90.exe"C:\Users\Admin\AppData\Local\Temp\1018858001\83ef3ddb90.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:9720 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Loads dropped DLL
PID:9836 -
C:\Windows\system32\mode.commode 65,105⤵PID:9860
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:9868
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:9892
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:9924
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:9948
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:9976
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:10000
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:10024
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:10048
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:10072
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
PID:10080 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:10096
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:10104
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:10112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:10120 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2196
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018859001\ce6479e041.exe"C:\Users\Admin\AppData\Local\Temp\1018859001\ce6479e041.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2824
-
-
C:\Users\Admin\AppData\Local\Temp\1018860001\c19fb1cf27.exe"C:\Users\Admin\AppData\Local\Temp\1018860001\c19fb1cf27.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3204
-
-
C:\Users\Admin\AppData\Local\Temp\1018861001\42de031164.exe"C:\Users\Admin\AppData\Local\Temp\1018861001\42de031164.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3620
-
-
C:\Users\Admin\AppData\Local\Temp\1018862001\997a977ce3.exe"C:\Users\Admin\AppData\Local\Temp\1018862001\997a977ce3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4280
-
-
C:\Users\Admin\AppData\Local\Temp\1018863001\c4278bf154.exe"C:\Users\Admin\AppData\Local\Temp\1018863001\c4278bf154.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4828 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4888
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5188
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5296
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:5400
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5416 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.0.1472492145\1072974306" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1112 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a692cfa8-d550-4585-b552-7c55a6c121e9} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 1316 fdd6858 gpu6⤵PID:5824
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.1.1750633816\1142666440" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1512 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8984e3a7-0918-4b5f-a0f9-32f74ed8358f} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 1544 45eb558 socket6⤵PID:5956
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.2.1059554617\643214167" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ba24772-3d76-4e25-aad2-7bd328c82285} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 2120 fd6af58 tab6⤵PID:2924
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.3.1306741425\477967643" -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 2760 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3970b27f-0406-42d6-b2d7-25b0ac3f26b6} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 2776 e64b58 tab6⤵PID:6824
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.4.567946377\1794090261" -childID 3 -isForBrowser -prefsHandle 3732 -prefMapHandle 3728 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4107188-abc5-4965-b9c8-f0ac82b88bab} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 3744 1eee0858 tab6⤵PID:8120
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.5.1910908395\486371038" -childID 4 -isForBrowser -prefsHandle 3852 -prefMapHandle 3856 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {840e5402-b2a9-4cce-88ab-8818ccc2984a} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 3840 1f014658 tab6⤵PID:8136
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5416.6.187343884\188185146" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4020 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2eb8da3-acfb-4f4b-9488-28c1b2551221} 5416 "\\.\pipe\gecko-crash-server-pipe.5416" 4004 1f015558 tab6⤵PID:8156
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018864001\8ec60caf49.exe"C:\Users\Admin\AppData\Local\Temp\1018864001\8ec60caf49.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8056
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {44AEB977-1F33-4659-BE02-46A24818A8F5} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:4784 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4832 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5084
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
5Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Discovery
Process Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LW44N8OS\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\activity-stream.discovery_stream.json.tmp
Filesize23KB
MD5a9297a09ff6ddffb65a4a6463e46f807
SHA15e7ffe884b0fc44a9e6ecc68112802e605976837
SHA25642842f83af564b6781d2098f8461f6a46a5f9af808334edf63fbd142215f8650
SHA512cdba1524baefab4bb14c87582af1e5a8e239578e523ce5717b573a669dfaf4794cfe420dbb0388a5c38faa4b557d4387b8dfa9530b88406baa83e83a2813769d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n3lsnn48.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
842KB
MD58eb4f92605e35c57a42b0917c221d65c
SHA10e64d77ef1b917b3afe512b49710250c71369175
SHA256b57d78d93f74f7ae840ab03d3fda4f22a24ad35afcf9a53128cf82a92a67a085
SHA5124cc5db426c8de3d7afdcfa26440d5bd9a885f5148e4307b8d04c5d56c96672d5c82ed9989bf346ce7aecea07d980735c46a930b885f824ba53738ac76dbb05bf
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
1.8MB
MD527c1f96d7e1b72b6817b6efeff037f90
SHA12972cc112fc7e20cbf5952abe07407b8c1fbb2a2
SHA256aec3ec473de321d123e939985579227ee62b53b3b3edb7ab96e2a66c17e9696d
SHA5129a31dc9945889d35aea8710df2f42806c72c422b7b5f4aa8acba6986cbd9ea6a49181a41a50ee21ccbed86cbff87c98a742e681ac3f6a87e2bd4436c9112eb32
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
2.9MB
MD5cee335f824bab75bbc98d04def73e013
SHA1b6cabea09cb1d37e1919aaf6813d11904e951114
SHA256b8d24eeb78cf1b5a25f35e724a6ed3a444dae5aa1f47df344ff224a9d5d9eefa
SHA5129568270173dd0c10f015584226514c112449988a4d2d6bca60297f47ef7c3ee44d3ac6bc3a287b7ae920c5ee1a2a1285561864882484d719b155eacb65994634
-
Filesize
1.1MB
MD5ef08a45833a7d881c90ded1952f96cb4
SHA1f04aeeb63a1409bd916558d2c40fab8a5ed8168b
SHA25633c236dc81af2a47d595731d6fa47269b2874b281152530fdffdda9cbeb3b501
SHA51274e84f710c90121527f06d453e9286910f2e8b6ac09d2aeb4ab1f0ead23ea9b410c5d1074d8bc759bc3e766b5bc77d156756c7df093ba94093107393290ced97
-
Filesize
4.2MB
MD5ece3b1a61f2977c90820f0601637020e
SHA136ec33851c696b440730b3d9c8b59e2ab2e1b0b6
SHA256239eb2c35896d73e83b650bf4c5637188e9bb1a5a85c74a2202cd50c2382d6e6
SHA512e8fbbe975f739a40a97055bdda605bdf72210d6bfaaf7e0f1a78083238dfd816317de56a21590f5e05c1dd1e170b45e2610415c0b7ca3c27c12d037173161df7
-
Filesize
1.3MB
MD5669ed3665495a4a52029ff680ec8eba9
SHA17785e285365a141e307931ca4c4ef00b7ecc8986
SHA2562d2d405409b128eea72a496ccff0ed56f9ed87ee2564ae4815b4b116d4fb74d6
SHA512bedc8f7c1894fc64cdd00ebc58b434b7d931e52c198a0fa55f16f4e3d44a7dc4643eaa78ec55a43cc360571345cd71d91a64037a135663e72eed334fe77a21e6
-
Filesize
21KB
MD504f57c6fb2b2cd8dcc4b38e4a93d4366
SHA161770495aa18d480f70b654d1f57998e5bd8c885
SHA25651e4d0cbc184b8abfa6d84e219317cf81bd542286a7cc602c87eb703a39627c2
SHA51253f95e98a5eca472ed6b1dfd6fecd1e28ea66967a1b3aa109fe911dbb935f1abf327438d4b2fe72cf7a0201281e9f56f4548f965b96e3916b9142257627e6ccd
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
4.2MB
MD56087d5a01774d89431f633d9b2d1d705
SHA15c3b075e194fa131fdffdab37ffb4936db50a0d7
SHA25651121d1b988327e1845be7351022f85370a19154989ed3079cf7c202f45a428f
SHA5124acc1431638ad5b1b66137ec1a253ef2eec1655f111fd7edd22692d7e5edadef61dd40ed69180d13b7627822da827e3cdece77d7f868f72e6e0fa28a38b34a91
-
Filesize
1.9MB
MD581c164e0c2d7d36e812fe860548569a1
SHA197825c34e950ed01f6111b524c114f209a1b9819
SHA256f88321d520c20b67f4fba3b0dcc89003e30d1aabf2e728e5c50773badd64632e
SHA512e13101abd29bc203bfc553056741cc9fadc239350230f92397c74697dd069cc5f6540e1979063b35c18aaab913682104dbe24b17430d359adaaa583e6ef6c548
-
Filesize
1.8MB
MD5184cee9b3f334e2cee2ccc95977e5335
SHA13c13283ed8c4e0e09ae0e5f361da46f073cd2386
SHA256188e74bab6540e25c1cc694264d96ed609f113267f747be27e09a2420ef90577
SHA512adbe8c840684e0d56f2ab56677548a4dd47a8c8f0810557cbdfd21c27829b7ecf4950bd8ff7008a3c2e6d6ecbac84a368542109d103d493c412751f56748ef6e
-
Filesize
2.7MB
MD5d7593c78ec8bf3f98603559b67cb3ccd
SHA14db5fb73dfc7d2067058437eb1e8b6d8da90f742
SHA2565ffb2e33be22c35585ffe74f82986dcd542e9b89fdc9e0e9243c804f17c32521
SHA51269b1b4c1d2691a3fa85d6e04557761b28d8c0f57c1db5f4500a7166717323b1920a429e4c700dca6b5c0badeb40023bb1dfbcbed20040c72b185e0aaba0c8f1a
-
Filesize
947KB
MD592755c6663e0aa7af1dd7aaa7abcfcbd
SHA153097d488facff9896f2adff5399f783314a8cc0
SHA2568a7034c6750914f3a966287a9e97307cf3f83eaca584fec77d7ebf5b2665d4ad
SHA5129a49a39acf2840acbce159401964c4542f81c237259901f57aa45d78fbb2b7f9a9abc046ca20107bf12ca0f8c2afaaa4275c00283df47d9fe8812450e23c6803
-
Filesize
2.6MB
MD5f7330ca504d0f0551eff459cd9a4f461
SHA1e3eb3a4d8a7ba4204dd57c95bacc2bcbe425aa1f
SHA2567c2b8c5ec1e07f8b267d81a67e1af69f09a129373d81ca07c8633c5dbefd66c4
SHA512641394e9b238e830d04737e3a898f1c238660b2ebea140ebc95e7647a65f2db2e6a519de357f6c621d124b285e720df7069a24e71456ccf2cecc3a3b57bf96c3
-
Filesize
2B
MD5ac6ad5d9b99757c3a878f2d275ace198
SHA1439baa1b33514fb81632aaf44d16a9378c5664fc
SHA2569b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
Filesize
267KB
MD50c7d5f0db7d1be49fc2285c64d3c45aa
SHA1942803613a17b0735f80d32dab9be6b87a0e472f
SHA256d49d834cb452343c64c7b9716f5b6d6032ce8b81e04995ccd1af130ff863143d
SHA51252c3cacdd5a798243bdf191d0f673c63befd5297284e2841de8ef0588b103b1192e60d50e22e5572fa160834be7d052aa328556ed182a1cc56c9be55ab76ccc8
-
Filesize
96KB
MD55535aa11bb8a32622dadb4cb7d45071c
SHA176b4b6221174f1b11370d7aa2a89a5996624c7f8
SHA256ead59f9d65f7830e35a9c213b07938b7bc57513692ecbcf66b4be4ac82350eba
SHA512b14a53ea33b6f44ef4fffb76060955f9ae85bfed79ca206359ffcdf80aa33d21abff41d526e43ba55bc33048fd8a237a2c854e92856f292cb4825304acfbe3bd
-
Filesize
17KB
MD515687a16a1310bb6dfcb1fb9b8d052b3
SHA1bda139691a5c3f90f7059d84dbad98354748832f
SHA25608f36da3d5e25c26d14e49bc46995aa1a5842ad368a9e02244db850f77d4a70f
SHA5129dfafa0cf6e7a54037cc53c155c7214580a90b4066d3b469a966f53d363ae63a6a4d9bb08a8de64796e8c6b36e6a5e8374069952628a81b13ebfe93abbc51574
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
103KB
MD58496cef888ee804f2b8a44171481e40a
SHA190fcde8c353d79ae02bfc946d708d35fedfea64f
SHA2560d8671285841832d972ca2576cdb83f412af8433cf33c511f652912e7fd7e29b
SHA512158c70a8804e73dfb25a1265328fadc26903c5b035a991aaa570f0ef98f89d616c635e4820e926fb8e00e1c20cfcf3fd441dcc0ca5eefa109dd5bc23e0e4c61d
-
Filesize
114KB
MD537f28bccbcaea4719409c72aa6385586
SHA1083ad006b92745c976989bc5fb76e7187d81a597
SHA2567101d14a5fcf7b47a9c6b809155bea70121c61d2df7e2244573204c2190ccf45
SHA512105de3a0358c0e95b573dd1fc590b27c33f8033158b28a523a5ef9bdbfaa1f488e6b0f7556d6e46d96e23f00392f4eebded0dcea31926a05823ea1b5d4fff22f
-
Filesize
125KB
MD53b84985152cd93f2bd04bd909d7c902e
SHA14bd3d6af1e4ed7efe357e707ec7e6ab2e3ff4eee
SHA2569df8e69068b9ce01749fe0a515db1554c05d491c3a5a4f80f8aba060ea89950f
SHA512051d3b9fa3d463d78d1ac971396dcb00d930a9e9c3f7a1278a7dd8027d1ab159f688f912d65d78ada9f059d73526f987a36cac0d5100cae5491959dd059f89dd
-
Filesize
88KB
MD53efe58b3be584c2afe3d64a453f70dac
SHA1ba151bdfa43145dc0e3a495ac5382638cfb0a2c1
SHA2567054a53ce5187d3470517170af3138dc28cec4ed1793574a91cca795fb7e3e10
SHA512929b0a9af43360af0f820fab936650b211978523b9fdef00ee563930e03f2a9830e5c2246be9ace7f95ab78cfb075e82347cafb02472b8a09dc4859c9a5232f3
-
Filesize
70KB
MD5f5c4ea189e763c79767bb2f4bc471f08
SHA16abe10f27aeb64cb3583ec3549d8f84eb23b05eb
SHA25649b1a81a6965071db23fe804a6293b87fd2ab96cfda6e28d806c1e76a53e723e
SHA51231e79f7a7fc0a5eea3c4d70b152f75573c43c324b317667f41a824ebb2913d7bf4bacbf08a85d6281ec33ada2f2babe2a26d251008288cb6a4ce85e38dbe51d7
-
Filesize
239B
MD528a97febfc5cd391bec1e2a3d9d938bf
SHA1adea302b1d73d65c4c2a64f4f10955d5e4d728aa
SHA2562528cd8d1353e6c4dbcc6d2226b5b50ef14027a962a49c4001d2c8c072904773
SHA5127bbb7f7781c77740efc6361c5195a01f854c3ca1afd9ec7870c4f87c5a28432af97d61a41e4af0d2d3cea45fa3565e297fc08cd7aca91831792df0a81efe0f82
-
Filesize
63KB
MD57bbdcf2829f157f4178ad1a4ea31bfe6
SHA1afc7c5852f104d94fc2726b3230039b696f17fc2
SHA256bac794ee8129a6edaa06fed424a8839d24b6b8e6a75c4f23bc8c3e7735498818
SHA512d2dd73e8f2b965b9bf9bb806c639af654646d76628e5c707f29ede16a1634dd5a699fb239c83c4bcf492b03e2941129affc777c39b9851f948a96f537dc844ff
-
Filesize
66KB
MD553ab895bb726a4933dd1dc3f2fa2e5f8
SHA13933c015286de1871305ac17679d7244e0c73a07
SHA256230c6c15bb57bcb9566d03a0940eb2d8cbb52fd2807cb195982c2541ef7ebbc2
SHA5123ffb82fb40e8ff1d98d395601de10beb59af9f77af6300dba79e2436ea787ee7dce026dd43cdda324515f81ec7b5f48e1df396cfc3568128468c3cc5e663682b
-
Filesize
116KB
MD53b125d59ce5a2cf242a621511a0fb164
SHA13ccba09f214b941931d6169ca9959ace2a72aba7
SHA256e4c1fbedc713173bcef5c724f3d64283add852a64f65c87eb3ec8d86c55833aa
SHA512c026f9aa8e83f2c888e2b8336c7ec8380d34873956407e32fae31fd72bda741b72c649b7162587435e3d13b9b9fae8e0552330d710831c774264724c8589f36c
-
Filesize
61KB
MD5d947e72346c4ac1aba8bbde8bb791f6f
SHA1f6dc2cffbc0b29502cba42d9adee2263a7ff4835
SHA256a6e6fc90d3c04e2461e3017e9f1dbaa27abb9278f5db7bb09a218a3a969feb41
SHA51261e4a6bfb253d4fcf21781324c6dd7b2dff0750075bfe4ccaffff07a4d2fa552016dfb343bb835bfc7e7d6fd80b2b35b9519f2d6958885502758138bab764e9c
-
Filesize
54KB
MD535469ff6842a57bd9788db58a1e1c0cc
SHA147b76f8ae04aeff8cde18e15a6ab9d072214a54a
SHA2567006a277a8b2ab82ae4409df94e227083287b7678b9ffe79e2e19d534f1335ec
SHA5123b97531e8d41c069dd9a8a6f3fe0fbc498facbb6df823525a726499cf5a4ea40879b7d02138c6d020520df2d59c28efc2f51470bf9aac9f00b6f40101fe51ad0
-
Filesize
50KB
MD504df53fd74b69c92dba8cd83eafa1180
SHA1275765d9c7e3300c0b7579ae3de32f658e12945c
SHA256db246122e92d7c13ae1050c65c1e1f722f4e98375c9875d719f775cfe1478ee9
SHA51244dfa1ccf0c3b054dac3fadba5a87c7c56f318c74dff83810310e349b80029f19a08133c502dd7b65e543b882e567ac19de54f8a520ff073774894f6f8320ef5
-
Filesize
52KB
MD57847e23cce3770257dd905024cdc5020
SHA12d2070cb134ccde38544814a1e1e35a08ab95ea6
SHA25675f0206860b962d3636015d98c420ec5ebf4023ca7b75b747aeb388aafe9049a
SHA51297f5b6924c23343f732ab470b8006ef2b25c92fadb3560fd56db6e53b8daf0c65ce66eb416bd03126c3b1ae6fa2cf66178a487c0eabad24263a3de7253c236b0
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
93KB
MD5d9ebae5a1b2f513852f89fdc3d31672d
SHA1dfa418e6fd3c5b16b685ea0e09cc159a5ff6ed14
SHA256b9a3c8e95d261cc9c6b28b58518554120aa2cfa09c2be81c609c0f01b26b313d
SHA512d5a9226ea1152566872669c4072bea6498c930e405db45fb6b7b63cd7a807be814c7a71e983851f5d7a66b131319a850ddb10e1d4661d4cacd3082cb5c1caeac
-
Filesize
40KB
MD56f1a940a0159306f679ff4d03524ae0b
SHA12b48523d0bf3828abd8590e13a03b5946b3d442d
SHA2567e294dd8f93a9a7d79fb118070f548d1e8fda62fa96af973e1a950f150b0331e
SHA5124ddf0afa24b981bac3ca60cb52af73e39bf7155972f49968c8fc85a17f561208d76158cd117948467176696a0ba87b9ac33658c5e7ef1ef3d4201139e959f932
-
Filesize
2.8MB
MD561cb850896f4b6aac18c72e82eb9ac90
SHA1c1fcdd242b13e4c5ad99f7e76da886288622b6dc
SHA256c2bee3616cf5c0f19ecc5738ee39a8c3d0d0523c2178177b86563d5a3d758d0f
SHA512d156751d3d9e353a116e55cbc9a9e87da03a4d29efe529344ce996324ec361f0472724bb8162c2be7ea6f291aaf2f7cbbc8659672777e182e40283fa661a2043
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HYO4U0EWWR5ZVCTBOKD2.temp
Filesize7KB
MD51c6b6661b063e2c5b0c1528bf36c389b
SHA1e1882ed8e6b92798cacc4129881a1cfd70d8d764
SHA256cb029956dc2575030cee42257b731dace4ac9cbab2bbe7dea2c73ebfc01ad97d
SHA51298b579d5c49c0de4a8b6a7070a09de57d94a6cce01345173617f30d7563b56062a8051a83317717f9b480438af5c96fa8a5242639f5645db0cb7cd1008b242ec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5e5b9f93a94e7a18b5de73da7bef4d099
SHA136be69d507a83685eb8aaad7b9132d3bb7317740
SHA25629d25314cde6babde67bf7687968a695981b567133c9e943d97b4f590edd7fd6
SHA512651fdaf7ceb80844b5e48cd9bc8a74b714b1f2fc02f016b651cea19e6b56c489440688e1944a60517a26f84d3bb1fd432c1bfb0c8be93b604b60ecd254fb62f8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5a0e086cda52f358c52a35c8f3fd395da
SHA13d5a13c5f4c28ecbdb55a9fee334e54870f219b0
SHA256fa3674aa2c93d81a05f4a168d58adeb121f017b035c6e8a4f93b4244990cf586
SHA5120b94c088633b760946b11c70692de82f60b639a52bac16d94d1260c5fad7ebc1b53b899bc5a755eaa412b739d6aef9678cdbc204b59af550acab4d37e8cbaa74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD51c974e7612a2c7b00b5ec491b1a410a9
SHA1d59a855484909e163d91321541db97bd2770c253
SHA2569ce98bfb7411f8a951081823edd373ad58ae71696bbd7b93d11a97158f04b77a
SHA51254ed14e3e3f250362561100b9126d9010eb3796f871f18065b6417a190b3d4fb73dcc93b5d2b2d979cac0c4c1c01486f64ecb31adc953cec4e53677fe7903a86
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\07a84688-1faa-47f6-969a-f0f6d53f88e4
Filesize745B
MD5ede0feb02a25ab23dc1f707885c3d60d
SHA1ebd3eb8b95a701d3d447b36947e2606caac99196
SHA256cb6055bd5523346a0396bb81c5b8546fc2240d1af1e66a8fa620a7f7a7097ad8
SHA512c498f06da7c42a70c4b9ade7f026aeaa8bf60ba267fd7c12a93d193bcd5d61741379ab47790d4b3be765261b7b9eba7ce9be6301ebd4a7c49226c7363d7b5f57
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\datareporting\glean\pending_pings\f6b0da92-980c-42c2-95c5-d3d2dec94f12
Filesize13KB
MD5b2896762fce197df41505701494364a7
SHA1286966e8d47aab688ba695b7c054d9f9218c0a00
SHA256bb13d100df6f027476fbd1c5951904f1f212f8356c11919604640dad94b4fb8e
SHA51235879466267e111e697c3afb0a3768631a6d330f3452a0e3ba5dbfcd082ed0f5216caf3a372d407c5d1b0ebe7ff3b25ac8f1043f5c09176bc46019a8428217f3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5425664400002a51c4456372b8264810c
SHA10f4dcce953c29f9fa4201aa719d0ac99342e17c5
SHA256b434575adc443f14975b95c13d66573f10cb6f4b49dd1a1c2a12eb6e40f8674d
SHA512d2a7c0ea7483c2c89ea404417406ab8281556d8f722b72b2d3a5c908286acb3e84a0df72ba338ab02f64f516316b40745b2e1b69757d476bceb03964ab6d3af0
-
Filesize
6KB
MD599bf221fc93e7fdab1ea7b6859e6c13b
SHA1537e76e13c0784c8ddea2e76d477abf36fdb29ec
SHA256f3592ea73eb7508dc23b18c597ef92b57cbe914adba16aa184b3eb38414a288b
SHA51227841b719685a990d76793217f121f7901ea8d840f38cf1416e1b1d7d95e1e392aa9fe76081fddca58f9c30a8f00804aede27c0b7de8bfcff9d4f5577c00c07f
-
Filesize
7KB
MD5ee4ca30f475db544f899a470ebd21c7f
SHA14c85aedceebedc346a04b93688ecefaeffa77db9
SHA2562dfa26a8763877f564e1bd596b80cc741d7bdb05090355d221ca8ebdb3d92d29
SHA5122a9d0a8cd179be99250c17a74d4c805c85613774f7f053ddddd7599f9efd701de51d8d50528f3f6ec42f3fc7355803e20fc85ac535e3ba6654baf7e8bf2fe195
-
Filesize
6KB
MD5d6141b99b0c34501bf4e40363a4072c7
SHA194d1a7e251cc05946b2a05786a6788904f18c8fe
SHA256fc29682e49a1ba6f5ff679f445d435dff0026e8770b083a019b5cdec5c5668bc
SHA512673914fe9fd9d1b652799a0d4e7b844c2c6c6fd3d034f368f7d598be77a32f14e9c7b3913efc38e99565db16cd02d7892ddc4430fec5503d7dd73f30adad1007
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5cbe2a7d721656d1bed86c72726ef2d51
SHA1a9cbe99513a30f0843b997ea5b73bced37b52533
SHA256b5fa0ada77af52b39bb11b8dc03da5cf2cd205468088d572ef7380ff6a2ab680
SHA5126b91fd484ed1c64f1f63c4da67b276c5e8fee12d2e64b64381d322bd0141812bd1bd9e545520000186cd11a2d283d6a380ec4b6a0491e41f925d06989e91772c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n3lsnn48.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD5bde04b604a1580dd7229a5a5ef7a0149
SHA1614b55bd1e65593c6481d6286b3d55bba8405b18
SHA25652f549fe2e0968ac2bd70b297a50ce229525344f0c61a1fef4916ac658283117
SHA512bafe35a581f5ac4f460dfbeb21f95b44076d1d3b9c60396a717bc9a55f36757ce2df2533c795de50c372f1ab77b865e899a2c55510d293871a3452c9b6dc7737
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f