Analysis
-
max time kernel
149s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 03:44
Static task
static1
General
-
Target
51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe
-
Size
1.8MB
-
MD5
f6dda666a364b3ebd7628cbad0601cb8
-
SHA1
e1b063a09268a6bcd74679d4d71118437fdcc986
-
SHA256
51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de
-
SHA512
c9cbc87064c3e8054723eddb94235533c028ddfcab2d08c696bbd8e99aa351ae9f0797dfcd7797a05c2d2ac0b40020e526864422521e4a89b792be038e27d92c
-
SSDEEP
49152:0KRWwn8TTEWh8VC9PXnTE/VMUeg8gwTO:0K4w8TTEgw/Vkg8TT
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://shineugler.biz/api
https://pollution-raker.cyou/api
https://hosue-billowy.cyou/api
https://ripe-blade.cyou/api
https://smash-boiling.cyou/api
https://supporse-comment.cyou/api
https://greywe-snotty.cyou/api
https://steppriflej.xyz/api
https://sendypaster.xyz/api
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://shineugler.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection cb50696a1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" cb50696a1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" cb50696a1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" cb50696a1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" cb50696a1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" cb50696a1e.exe -
Stealc family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF e350d53e29.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 17 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SdVB3P2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 402666d7a5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e8b92b1dfa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ daa218575b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e350d53e29.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e373a2c02c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c27c1daa1c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ FCFBAKJDBK.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ac35a84b46.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2c6c2c740a.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ be8afe1fc2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 22ae4f2b83.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cb50696a1e.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ dfd5c8ed00.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 24 1040 rundll32.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 1696 chrome.exe 920 chrome.exe 988 chrome.exe 2524 chrome.exe 1316 chrome.exe 2508 chrome.exe 2080 chrome.exe 1164 chrome.exe -
Checks BIOS information in registry 2 TTPs 34 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c27c1daa1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SdVB3P2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e350d53e29.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion be8afe1fc2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion daa218575b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ac35a84b46.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2c6c2c740a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e8b92b1dfa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion cb50696a1e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion daa218575b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion dfd5c8ed00.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SdVB3P2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FCFBAKJDBK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ac35a84b46.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e373a2c02c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e373a2c02c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c27c1daa1c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e350d53e29.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 22ae4f2b83.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion dfd5c8ed00.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 22ae4f2b83.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e8b92b1dfa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion cb50696a1e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 402666d7a5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FCFBAKJDBK.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2c6c2c740a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 402666d7a5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion be8afe1fc2.exe -
Executes dropped EXE 49 IoCs
pid Process 2888 axplong.exe 2984 legs.exe 2980 am209.exe 1324 legs.exe 3068 defnur.exe 2136 goldddd123.exe 1792 Out.exe 2876 dfd5c8ed00.exe 2728 Out.exe 1764 daa218575b.exe 1628 skotes.exe 780 c27c1daa1c.exe 2056 SdVB3P2.exe 3544 mdjw5me.exe 3588 mdjw5me.exe 3884 e350d53e29.exe 2552 FCFBAKJDBK.exe 2204 ac35a84b46.exe 3484 e373a2c02c.exe 3808 2c6c2c740a.exe 3248 207d54c8bf.exe 3416 5d7117ab66.exe 3428 5d7117ab66.exe 2548 5d7117ab66.exe 2284 5d7117ab66.exe 1748 5d7117ab66.exe 3200 5d7117ab66.exe 2616 402666d7a5.exe 1560 464de24878.exe 3084 7z.exe 3108 7z.exe 3140 7z.exe 3168 7z.exe 3024 7z.exe 1328 7z.exe 2376 7z.exe 1260 7z.exe 3384 in.exe 1916 be8afe1fc2.exe 2936 97680c29bf.exe 4008 97680c29bf.exe 4016 97680c29bf.exe 2592 22ae4f2b83.exe 1816 e8b92b1dfa.exe 1736 Intel_PTT_EK_Recertification.exe 2388 5aa0851f8d.exe 3832 cb50696a1e.exe 3312 713f2d1479.exe 2452 graph.exe -
Identifies Wine through registry keys 2 TTPs 17 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine daa218575b.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine e350d53e29.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine FCFBAKJDBK.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine 402666d7a5.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine e8b92b1dfa.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine SdVB3P2.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine ac35a84b46.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine e373a2c02c.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine 22ae4f2b83.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine dfd5c8ed00.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine be8afe1fc2.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine cb50696a1e.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine c27c1daa1c.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine 2c6c2c740a.exe -
Loads dropped DLL 64 IoCs
pid Process 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 2888 axplong.exe 2888 axplong.exe 2888 axplong.exe 2984 legs.exe 2980 am209.exe 2888 axplong.exe 2888 axplong.exe 2888 axplong.exe 2888 axplong.exe 1040 rundll32.exe 1040 rundll32.exe 1040 rundll32.exe 1040 rundll32.exe 2888 axplong.exe 2888 axplong.exe 1792 Out.exe 2888 axplong.exe 1764 daa218575b.exe 2888 axplong.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 3544 mdjw5me.exe 2888 axplong.exe 2876 dfd5c8ed00.exe 2876 dfd5c8ed00.exe 1760 cmd.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 3416 5d7117ab66.exe 3416 5d7117ab66.exe 3416 5d7117ab66.exe 3416 5d7117ab66.exe 3416 5d7117ab66.exe 780 c27c1daa1c.exe 1628 skotes.exe 1628 skotes.exe 1628 skotes.exe 1636 cmd.exe 3084 7z.exe 1636 cmd.exe 3108 7z.exe 1636 cmd.exe 3140 7z.exe 1636 cmd.exe 3168 7z.exe 1636 cmd.exe 3024 7z.exe 1636 cmd.exe 1328 7z.exe 1636 cmd.exe 2376 7z.exe 1636 cmd.exe 1260 7z.exe 3484 e373a2c02c.exe 1636 cmd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features cb50696a1e.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" cb50696a1e.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\cb50696a1e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021510001\\cb50696a1e.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graph = "C:\\Program Files\\Windows Media Player\\graph\\graph.exe" 713f2d1479.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfd5c8ed00.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008495001\\dfd5c8ed00.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\c27c1daa1c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008497001\\c27c1daa1c.exe" axplong.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\22ae4f2b83.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021507001\\22ae4f2b83.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\e8b92b1dfa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021508001\\e8b92b1dfa.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\5aa0851f8d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1021509001\\5aa0851f8d.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 236 drive.google.com 238 drive.google.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 247 ipinfo.io 248 ipinfo.io -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000400000001d743-1225.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 2888 axplong.exe 2876 dfd5c8ed00.exe 1764 daa218575b.exe 1628 skotes.exe 780 c27c1daa1c.exe 2056 SdVB3P2.exe 3884 e350d53e29.exe 2552 FCFBAKJDBK.exe 2204 ac35a84b46.exe 3484 e373a2c02c.exe 3808 2c6c2c740a.exe 2616 402666d7a5.exe 1916 be8afe1fc2.exe 2592 22ae4f2b83.exe 1816 e8b92b1dfa.exe 3832 cb50696a1e.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2984 set thread context of 1324 2984 legs.exe 36 PID 3544 set thread context of 3588 3544 mdjw5me.exe 77 PID 3416 set thread context of 3200 3416 5d7117ab66.exe 93 PID 2936 set thread context of 4016 2936 97680c29bf.exe 124 PID 1736 set thread context of 2484 1736 Intel_PTT_EK_Recertification.exe 129 -
Drops file in Program Files directory 5 IoCs
description ioc Process File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip 713f2d1479.exe File created C:\Program Files\Windows Media Player\graph\graph.exe 713f2d1479.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip 713f2d1479.exe File opened for modification C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f 713f2d1479.exe File created C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f 713f2d1479.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe File created C:\Windows\Tasks\defnur.job am209.exe File created C:\Windows\Tasks\skotes.job daa218575b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language daa218575b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 22ae4f2b83.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language legs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2c6c2c740a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 402666d7a5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdjw5me.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfd5c8ed00.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e373a2c02c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language 5aa0851f8d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cb50696a1e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language defnur.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5d7117ab66.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 464de24878.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage 5aa0851f8d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language am209.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language legs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SdVB3P2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be8afe1fc2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97680c29bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e8b92b1dfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5aa0851f8d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Out.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e350d53e29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Out.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5d7117ab66.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 97680c29bf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c27c1daa1c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mdjw5me.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3456 powershell.exe 2696 PING.EXE 2112 powershell.exe 872 PING.EXE -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 dfd5c8ed00.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dfd5c8ed00.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 3036 taskkill.exe 2808 taskkill.exe 2552 taskkill.exe 2420 taskkill.exe 3660 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings firefox.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a legs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Out.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Out.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 713f2d1479.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 713f2d1479.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 legs.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a legs.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2696 PING.EXE 872 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 604 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 2888 axplong.exe 2876 dfd5c8ed00.exe 2876 dfd5c8ed00.exe 2876 dfd5c8ed00.exe 1696 chrome.exe 1696 chrome.exe 1764 daa218575b.exe 1628 skotes.exe 2876 dfd5c8ed00.exe 2876 dfd5c8ed00.exe 780 c27c1daa1c.exe 1316 chrome.exe 1316 chrome.exe 2056 SdVB3P2.exe 2056 SdVB3P2.exe 2876 dfd5c8ed00.exe 2876 dfd5c8ed00.exe 3884 e350d53e29.exe 3884 e350d53e29.exe 3884 e350d53e29.exe 3884 e350d53e29.exe 3884 e350d53e29.exe 3884 e350d53e29.exe 2876 dfd5c8ed00.exe 2552 FCFBAKJDBK.exe 2204 ac35a84b46.exe 3484 e373a2c02c.exe 3808 2c6c2c740a.exe 2616 402666d7a5.exe 3456 powershell.exe 1916 be8afe1fc2.exe 2592 22ae4f2b83.exe 1816 e8b92b1dfa.exe 1736 Intel_PTT_EK_Recertification.exe 2112 powershell.exe 2388 5aa0851f8d.exe 3832 cb50696a1e.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 3312 713f2d1479.exe 3312 713f2d1479.exe 3312 713f2d1479.exe 3312 713f2d1479.exe 3312 713f2d1479.exe 3312 713f2d1479.exe 3832 cb50696a1e.exe 3832 cb50696a1e.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe 2452 graph.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1696 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeShutdownPrivilege 1316 chrome.exe Token: SeRestorePrivilege 3084 7z.exe Token: 35 3084 7z.exe Token: SeSecurityPrivilege 3084 7z.exe Token: SeSecurityPrivilege 3084 7z.exe Token: SeRestorePrivilege 3108 7z.exe Token: 35 3108 7z.exe Token: SeSecurityPrivilege 3108 7z.exe Token: SeSecurityPrivilege 3108 7z.exe Token: SeRestorePrivilege 3140 7z.exe Token: 35 3140 7z.exe Token: SeSecurityPrivilege 3140 7z.exe Token: SeSecurityPrivilege 3140 7z.exe Token: SeRestorePrivilege 3168 7z.exe Token: 35 3168 7z.exe Token: SeSecurityPrivilege 3168 7z.exe Token: SeSecurityPrivilege 3168 7z.exe Token: SeRestorePrivilege 3024 7z.exe Token: 35 3024 7z.exe Token: SeSecurityPrivilege 3024 7z.exe Token: SeSecurityPrivilege 3024 7z.exe Token: SeRestorePrivilege 1328 7z.exe Token: 35 1328 7z.exe Token: SeSecurityPrivilege 1328 7z.exe Token: SeSecurityPrivilege 1328 7z.exe Token: SeRestorePrivilege 2376 7z.exe Token: 35 2376 7z.exe Token: SeSecurityPrivilege 2376 7z.exe Token: SeSecurityPrivilege 2376 7z.exe Token: SeRestorePrivilege 1260 7z.exe Token: 35 1260 7z.exe Token: SeSecurityPrivilege 1260 7z.exe Token: SeSecurityPrivilege 1260 7z.exe Token: SeDebugPrivilege 3456 powershell.exe Token: SeDebugPrivilege 2112 powershell.exe Token: SeLockMemoryPrivilege 2484 explorer.exe Token: SeDebugPrivilege 2808 taskkill.exe Token: SeDebugPrivilege 2552 taskkill.exe Token: SeDebugPrivilege 2420 taskkill.exe Token: SeDebugPrivilege 3660 taskkill.exe Token: SeDebugPrivilege 3036 taskkill.exe Token: SeDebugPrivilege 3128 firefox.exe Token: SeDebugPrivilege 3128 firefox.exe -
Suspicious use of FindShellTrayWindow 22 IoCs
pid Process 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 2980 am209.exe 1696 chrome.exe 1764 daa218575b.exe 1316 chrome.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 3128 firefox.exe 3128 firefox.exe 3128 firefox.exe 3128 firefox.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 3128 firefox.exe 3128 firefox.exe 3128 firefox.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe 2388 5aa0851f8d.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2612 wrote to memory of 2888 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 30 PID 2612 wrote to memory of 2888 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 30 PID 2612 wrote to memory of 2888 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 30 PID 2612 wrote to memory of 2888 2612 51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe 30 PID 2888 wrote to memory of 2984 2888 axplong.exe 33 PID 2888 wrote to memory of 2984 2888 axplong.exe 33 PID 2888 wrote to memory of 2984 2888 axplong.exe 33 PID 2888 wrote to memory of 2984 2888 axplong.exe 33 PID 2888 wrote to memory of 2980 2888 axplong.exe 35 PID 2888 wrote to memory of 2980 2888 axplong.exe 35 PID 2888 wrote to memory of 2980 2888 axplong.exe 35 PID 2888 wrote to memory of 2980 2888 axplong.exe 35 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2984 wrote to memory of 1324 2984 legs.exe 36 PID 2980 wrote to memory of 3068 2980 am209.exe 37 PID 2980 wrote to memory of 3068 2980 am209.exe 37 PID 2980 wrote to memory of 3068 2980 am209.exe 37 PID 2980 wrote to memory of 3068 2980 am209.exe 37 PID 2888 wrote to memory of 2136 2888 axplong.exe 38 PID 2888 wrote to memory of 2136 2888 axplong.exe 38 PID 2888 wrote to memory of 2136 2888 axplong.exe 38 PID 2888 wrote to memory of 2136 2888 axplong.exe 38 PID 2888 wrote to memory of 1792 2888 axplong.exe 41 PID 2888 wrote to memory of 1792 2888 axplong.exe 41 PID 2888 wrote to memory of 1792 2888 axplong.exe 41 PID 2888 wrote to memory of 1792 2888 axplong.exe 41 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 3068 wrote to memory of 1040 3068 defnur.exe 42 PID 2888 wrote to memory of 2876 2888 axplong.exe 44 PID 2888 wrote to memory of 2876 2888 axplong.exe 44 PID 2888 wrote to memory of 2876 2888 axplong.exe 44 PID 2888 wrote to memory of 2876 2888 axplong.exe 44 PID 1792 wrote to memory of 2728 1792 Out.exe 45 PID 1792 wrote to memory of 2728 1792 Out.exe 45 PID 1792 wrote to memory of 2728 1792 Out.exe 45 PID 1792 wrote to memory of 2728 1792 Out.exe 45 PID 1792 wrote to memory of 2728 1792 Out.exe 45 PID 1792 wrote to memory of 2728 1792 Out.exe 45 PID 2876 wrote to memory of 1696 2876 dfd5c8ed00.exe 46 PID 2876 wrote to memory of 1696 2876 dfd5c8ed00.exe 46 PID 2876 wrote to memory of 1696 2876 dfd5c8ed00.exe 46 PID 2876 wrote to memory of 1696 2876 dfd5c8ed00.exe 46 PID 1696 wrote to memory of 340 1696 chrome.exe 47 PID 1696 wrote to memory of 340 1696 chrome.exe 47 PID 1696 wrote to memory of 340 1696 chrome.exe 47 PID 1696 wrote to memory of 2956 1696 chrome.exe 49 PID 1696 wrote to memory of 2956 1696 chrome.exe 49 PID 1696 wrote to memory of 2956 1696 chrome.exe 49 PID 1696 wrote to memory of 1648 1696 chrome.exe 51 PID 1696 wrote to memory of 1648 1696 chrome.exe 51 PID 1696 wrote to memory of 1648 1696 chrome.exe 51 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 3164 attrib.exe 3452 attrib.exe 3464 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe"C:\Users\Admin\AppData\Local\Temp\51d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\1001527001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\legs.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\1001527001\legs.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\legs.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:1324
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"C:\Users\Admin\AppData\Local\Temp\1004899001\am209.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1040
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006343001\goldddd123.exe"C:\Users\Admin\AppData\Local\Temp\1006343001\goldddd123.exe"3⤵
- Executes dropped EXE
PID:2136
-
-
C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2728
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008495001\dfd5c8ed00.exe"C:\Users\Admin\AppData\Local\Temp\1008495001\dfd5c8ed00.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7399758,0x7fef7399768,0x7fef73997785⤵PID:340
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:2956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:25⤵PID:1648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:85⤵PID:1704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:85⤵PID:2552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2404 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2412 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:2524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1180,i,9563179106007166794,18214192366784911027,131072 /prefetch:25⤵PID:1728
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1316 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68f9758,0x7fef68f9768,0x7fef68f97785⤵PID:2316
-
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:1752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1084 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:25⤵PID:3012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:85⤵PID:2076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:85⤵PID:2376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1700 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:1164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2568 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:2080
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2576 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:15⤵
- Uses browser remote debugging
PID:2508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1100,i,15467764081830289375,8456448910269756629,131072 /prefetch:25⤵PID:848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\FCFBAKJDBK.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Users\Admin\Documents\FCFBAKJDBK.exe"C:\Users\Admin\Documents\FCFBAKJDBK.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2552
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008496001\daa218575b.exe"C:\Users\Admin\AppData\Local\Temp\1008496001\daa218575b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe"C:\Users\Admin\AppData\Local\Temp\1020416001\SdVB3P2.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"C:\Users\Admin\AppData\Local\Temp\1020934001\mdjw5me.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588
-
-
-
C:\Users\Admin\AppData\Local\Temp\1021498001\ac35a84b46.exe"C:\Users\Admin\AppData\Local\Temp\1021498001\ac35a84b46.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\1021499001\e373a2c02c.exe"C:\Users\Admin\AppData\Local\Temp\1021499001\e373a2c02c.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3484
-
-
C:\Users\Admin\AppData\Local\Temp\1021500001\2c6c2c740a.exe"C:\Users\Admin\AppData\Local\Temp\1021500001\2c6c2c740a.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3808
-
-
C:\Users\Admin\AppData\Local\Temp\1021501001\207d54c8bf.exe"C:\Users\Admin\AppData\Local\Temp\1021501001\207d54c8bf.exe"5⤵
- Executes dropped EXE
PID:3248
-
-
C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"6⤵
- Executes dropped EXE
PID:3428
-
-
C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"6⤵
- Executes dropped EXE
PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"6⤵
- Executes dropped EXE
PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"6⤵
- Executes dropped EXE
PID:1748
-
-
C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"C:\Users\Admin\AppData\Local\Temp\1021502001\5d7117ab66.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3200
-
-
-
C:\Users\Admin\AppData\Local\Temp\1021503001\402666d7a5.exe"C:\Users\Admin\AppData\Local\Temp\1021503001\402666d7a5.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\1021504001\464de24878.exe"C:\Users\Admin\AppData\Local\Temp\1021504001\464de24878.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"6⤵
- Loads dropped DLL
PID:1636 -
C:\Windows\system32\mode.commode 65,107⤵PID:3076
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3140
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2376
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"7⤵
- Views/modifies file attributes
PID:3164
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"7⤵
- Executes dropped EXE
PID:3384 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe8⤵
- Views/modifies file attributes
PID:3452
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe8⤵
- Views/modifies file attributes
PID:3464
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE8⤵
- Scheduled Task/Job: Scheduled Task
PID:604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2696
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1021505001\be8afe1fc2.exe"C:\Users\Admin\AppData\Local\Temp\1021505001\be8afe1fc2.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\1021506001\97680c29bf.exe"C:\Users\Admin\AppData\Local\Temp\1021506001\97680c29bf.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Users\Admin\AppData\Local\Temp\1021506001\97680c29bf.exe"C:\Users\Admin\AppData\Local\Temp\1021506001\97680c29bf.exe"6⤵
- Executes dropped EXE
PID:4008
-
-
C:\Users\Admin\AppData\Local\Temp\1021506001\97680c29bf.exe"C:\Users\Admin\AppData\Local\Temp\1021506001\97680c29bf.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4016
-
-
-
C:\Users\Admin\AppData\Local\Temp\1021507001\22ae4f2b83.exe"C:\Users\Admin\AppData\Local\Temp\1021507001\22ae4f2b83.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2592
-
-
C:\Users\Admin\AppData\Local\Temp\1021508001\e8b92b1dfa.exe"C:\Users\Admin\AppData\Local\Temp\1021508001\e8b92b1dfa.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1816
-
-
C:\Users\Admin\AppData\Local\Temp\1021509001\5aa0851f8d.exe"C:\Users\Admin\AppData\Local\Temp\1021509001\5aa0851f8d.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2388 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3660
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵PID:3116
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3128 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.0.205882841\1732397150" -parentBuildID 20221007134813 -prefsHandle 1196 -prefMapHandle 1128 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33c8b6bb-16c8-4443-a515-b0d53f25514d} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 1340 fbd7758 gpu8⤵PID:848
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.1.1543321442\1371098838" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1520 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd60ca9b-7976-4de7-9105-6cbb6602fa70} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 1552 e9ec458 socket8⤵PID:3548
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.2.194353501\1195126535" -childID 1 -isForBrowser -prefsHandle 2008 -prefMapHandle 2004 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f08c9fe4-a5bd-4a33-8e56-ef82b29170e4} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2020 fb68158 tab8⤵PID:1348
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.3.910216986\1270952812" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2644 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3792b3b8-0dbf-471b-b7a7-2115129796b9} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2812 1d438258 tab8⤵PID:3916
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.4.897663867\1905715204" -childID 3 -isForBrowser -prefsHandle 3796 -prefMapHandle 3792 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7981d43a-e655-40a0-a0b3-a32f8f5a2bc8} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 3808 1b608558 tab8⤵PID:1256
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.5.1207848292\313819271" -childID 4 -isForBrowser -prefsHandle 3916 -prefMapHandle 3920 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d05774da-5401-40ad-973a-6f3ede656801} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 3904 1fb78d58 tab8⤵PID:1912
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.6.1230729817\416346502" -childID 5 -isForBrowser -prefsHandle 3344 -prefMapHandle 4108 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 576 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {45c8c826-bd3c-4cdc-bc9b-f47cce46df02} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 4100 2035cc58 tab8⤵PID:1736
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1021510001\cb50696a1e.exe"C:\Users\Admin\AppData\Local\Temp\1021510001\cb50696a1e.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3832
-
-
C:\Users\Admin\AppData\Local\Temp\1021511001\713f2d1479.exe"C:\Users\Admin\AppData\Local\Temp\1021511001\713f2d1479.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3312 -
C:\Program Files\Windows Media Player\graph\graph.exe"C:\Program Files\Windows Media Player\graph\graph.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2452
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008497001\c27c1daa1c.exe"C:\Users\Admin\AppData\Local\Temp\1008497001\c27c1daa1c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:780
-
-
C:\Users\Admin\AppData\Local\Temp\1008498001\e350d53e29.exe"C:\Users\Admin\AppData\Local\Temp\1008498001\e350d53e29.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3884
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1904
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1736
-
C:\Windows\system32\taskeng.exetaskeng.exe {B518CB57-9A00-4CEB-B4B9-830E2D859F5A} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]1⤵PID:2504
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1736 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:872
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Discovery
Browser Information Discovery
1Query Registry
8Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD53ed93454146f99c5cdd62566090393fb
SHA1534152369f9388eb1dca76fec5f9928a74bd8325
SHA256d63fa42bc89fb788d05668f1f8effe21981e3fd0e58485522b2e715d6674f363
SHA512ad790bd79c9733ce7c0913c6bd7876f8b9f170fcdcf2801895f8ad6367130ec0603d65ced57b55d8c4f45c684c629b0e6e6448533b41e74dd22c9d231884ff64
-
Filesize
40B
MD54a665889f3436960b716c066cc9f7818
SHA13ba9ad9a24de57891e3a837bbfd74e16327f290b
SHA256682fec0092076f4b284dca80067793252e2217bdf47b47a690bdb46d1a2f0483
SHA512ad3a3a6df89587c6d4bf504bbb60602e20639875fa97b257b808306ba9de3903453ce62eddf94619e781f2aff0c0ce8cadf399a4de0863fe74794a2788d13f72
-
Filesize
16B
MD5979c29c2917bed63ccf520ece1d18cda
SHA165cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
16B
MD560e3f691077715586b918375dd23c6b0
SHA1476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e
-
Filesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
32KB
MD569e3a8ecda716584cbd765e6a3ab429e
SHA1f0897f3fa98f6e4863b84f007092ab843a645803
SHA256e0c9f1494a417f356b611ec769b975a4552c4065b0bc2181954fcbb4b3dfa487
SHA512bb78069c17196da2ce8546046d2c9d9f3796f39b9868b749ecada89445da7a03c9b54a00fcf34a23eb0514c871e026ac368795d2891bbf37e1dc5046c29beaaa
-
Filesize
193B
MD5d2595cc9444d0a4b60207621aa1d9cea
SHA1b6ea4738a2441e642482117a26fbb4e3109a8325
SHA256b16cfcce411f3262b6fe948735607d7ce0c4a66b18d8048c5b281fb057254e4d
SHA5128bdf12b59b58d2ebe459bd47e685dbdf3ce51ae43addd37e2dfa040995ee50728bae4a2bbab3996d86869814686d39822a2d65f78b2515ebb5b6e111da44fcaa
-
Filesize
148KB
MD590a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA2567cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\LOG
Filesize205B
MD546fce964fd9b305e478f58bf0c0b2b3f
SHA1e176bf96dcf97a9f7d95fcd9faf3ed80635f1cae
SHA2566cf9a4904dd328c7e05df6329e8330f6edfd935be638d44c9183272695342079
SHA51241e8058ed3666c5816a540135f37052bf1c39fccdf794041dfd54a346cac50519df5e12b5e15e8968f3fc2e36a8bd335564509c661f3fec20d327d5916975532
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
46B
MD590881c9c26f29fca29815a08ba858544
SHA106fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA51215f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
193B
MD576164ec0c8360f6756a55f9ce5303350
SHA15aefd94ab22fa89847e7460173f0c2e8ccdd792b
SHA25603cb25f9f0b483f00b6c32ec4644e6cedde61c4792c74d407f80355ab21d1586
SHA512c2d91e48ef7ae56ea7e2bad44495664fcf116e1b0fa7dc904db3142d9e1a60b70ff24d36b48b7801faffec4d8b4656e81edcefe0e3665b74871b1c149c89fd36
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\System Profile\Sync Data\LevelDB\MANIFEST-000002
Filesize50B
MD522bf0e81636b1b45051b138f48b3d148
SHA156755d203579ab356e5620ce7e85519ad69d614a
SHA256e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0
-
Filesize
128KB
MD52491bb6f36e56315d17c4dd3b3cd1c8e
SHA1b5fb1d32bd614babbecb56f57223e5e5ed2cff13
SHA25684654f8890502c74b688746380bbf7ec1cf39bc11f3b269e031493eda681b9d5
SHA512a9144731f1d76d661bf96eb1051a2f718cc5d2164f2a130c74f42522bd3b25b6607c2999bc3c4fd55a0f6525fa02a37c4fdf96db48a96f728c4b888c8f320c46
-
Filesize
86B
MD5f732dbed9289177d15e236d0f8f2ddd3
SHA153f822af51b014bc3d4b575865d9c3ef0e4debde
SHA2562741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93
SHA512b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\download[1].htm
Filesize1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\soft[1]
Filesize1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\activity-stream.discovery_stream.json.tmp
Filesize29KB
MD570b38e282803dfc86fbb4616af3ab2c0
SHA1abd117edb9cab534b420d439b63e7cd323d2c3c0
SHA256132d1ea16a72b9a5e6de6eb9db0983a370ad883ee5cf02d8ffb050689f18abde
SHA51201f4b7f3a58788e05e32817cafc08c8083c8b938cad28fa0fbecb0cfacd00f98576c3020e7233499d87f27052b1f409f0db0b93e7216aa77f29203dd65f81e73
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z3l10m6w.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
758KB
MD575cf470500d65ce4411790e09e650806
SHA191aca1838bc6e3868d25e44308f58124b749167d
SHA256f29a920dd390574c50df03e8f909a8f81a1894af912af2d92a9baf4b57cf1c04
SHA5121c281fe53742a338becb9aa4efd2a7e418a66949a7f3d156440e02e2351548f6ff0ead5d93aae157509f57d0b4cc3584a9ab623c6446ea389b45b49d0df85c48
-
Filesize
429KB
MD5ce27255f0ef33ce6304e54d171e6547c
SHA1e594c6743d869c852bf7a09e7fe8103b25949b6e
SHA25682c683a7f6e0b4a99a6d3ab519d539a3b0651953c7a71f5309b9d08e4daa7c3c
SHA51296cfafbab9138517532621d0b5f3d4a529806cfdf6191c589e6fb6ebf471e9df0777fb74e9abbfe4e8cd8821944ad02b1f09775195e190ee8ca5d3fd151d20d9
-
Filesize
2.5MB
MD57ff947867bc70055adffa2164a741b01
SHA1cff424168c2f6bcef107ebc9bd65590f3ead76ae
SHA256b6d6628d2dc7dea808eef05180c27abe10a1af245d624aacdacccc52a1eb7b40
SHA512da507d1847056d0dc2c122c45ecbea4901a81c06890bcdbffc2f18ad4b96f0ac2c2fa9ebde1a315828c74a97af653062a8c50ce70c9b6d6966c48871150747ee
-
Filesize
5.0MB
MD5423365dd014e13ed83fddda2c7cb9670
SHA1fe32e867be3508991aaf2392e7f260c64b61d974
SHA25651207983d6a0f3ae1900020e12fa327d02cdd5ab67101f073896074270dd75cb
SHA5125bee75db401da96c44e1f2ccd0b23849d4f10f0a2acad43b587535dcf31809ce43bbad847159658838242979d98da537d11fcc49761fe1fe2fc751f38cf77e36
-
Filesize
3.1MB
MD5b2900bb54370f722c7d5ff79dea64cb2
SHA14c140033299737915a72b8fc4f978a4bfa91e6d8
SHA2568334da1069ff34b7e2686ccb6ce221843a1f42223d6309c39b6b3ea424597eec
SHA512fbb51080903674f78549b0630e036a0360047663bae639fa7f1190885e2ac3e21cee6c94686111ed890efdbab5c04279add10f538578f47c77914acb270ec46b
-
Filesize
1.8MB
MD5a64af25f7037918e8cc4ce712ec11123
SHA11be18d97a936a122c90ec7de1153b0900296ee67
SHA2568c5bd441d2210424158854cc50c5fe7acfd4648380d4374606f40c1a81bee91d
SHA5120588ed6534817bb294547d2eec50683aa3db9712aaf395b7bc33087de1b14c0bdd4c55c4b585fcc75993480949f4e6238e6ef81f5b2de23460db2ced8c9d886c
-
Filesize
4.3MB
MD5450295fbb1aa647744fd45cfebdffb8b
SHA18d530e9af2abb090e3f62dfb832379d186870dbb
SHA256624acc2b6a4fd1ca7d56e305b9bca9b0ae6fbf7e1c1fb4023770a10c3d26577c
SHA5124dcf82aeb3b48afe1778ab7bbb3005be7bd7c0e12f5bbc5a029e74ee7dd5d5699233c9bd7fe7ee13f053d9bc0e917ff398075d9142152d83fec81f4dcc8af929
-
Filesize
1.8MB
MD58a0feb447f024f32d1ee001a56d7ee23
SHA139086a8133462fbbdbaad4a313789d216497e68a
SHA256b474d829617220d8d949fa58a39d9eafde02ec488f0c7a4330950fefed66bd86
SHA51209efc757b29341d91d08619e8924b5cbb3acd73f2fe13b1aa21327c4133721102110b17f6717b09e703d1137d4266ab6e563f85bd34e98a1ee03b1b50e7ddbec
-
Filesize
520KB
MD581b5e34627858d87520f219c18cc5c7f
SHA1f2a58e0cfd375756c799112180deb3770cc55cf8
SHA25600297db7c9f2087e3c55b655df030155eedadd141ec2d31e47ff53aa82c43cc7
SHA512ceb2bdf9a1396c637bf946592661e816446df56e1ba46275aef10b09e8db385c78f39825153c1b74b37bb7750ba5a7a5afc82bf25b1a19a322fd8eae010eec08
-
Filesize
2.8MB
MD5b296da44c59164de8cd9896a823e7987
SHA1d34800f7042a41c5bdf0f8d7a21114f330f97787
SHA2565589a6c3ccccd66803bcf96c2c243f443329e08d130b2f455ff66c445b849f5a
SHA512474af4ede1693b44dba53c04bcc673a288ddd2574c740d0aa691c2b9d045fe57face99b33dafc1fe7520f637c84ba06a43563bdc85b142b2efdef620ee76826e
-
Filesize
2.5MB
MD587330f1877c33a5a6203c49075223b16
SHA155b64ee8b2d1302581ab1978e9588191e4e62f81
SHA25698f2344ed45ff0464769e5b006bf0e831dc3834f0534a23339bb703e50db17e0
SHA5127c747d3edb04e4e71dce7efa33f5944a191896574fee5227316739a83d423936a523df12f925ee9b460cce23b49271f549c1ee5d77b50a7d7c6e3f31ba120c8f
-
Filesize
528KB
MD59ab250b0dc1d156e2d123d277eb4d132
SHA13b434ff78208c10f570dfe686455fd3094f3dd48
SHA25649bfa0b1c3553208e59b6b881a58c94bb4aa3d09e51c3f510f207b7b24675864
SHA512a30fb204b556b0decd7fab56a44e62356c7102bc8146b2dfd88e6545dea7574e043a3254035b7514ee0c686a726b8f5ba99bcd91e8c2c7f39c105e2724080ef0
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.8MB
MD515709eba2afaf7cc0a86ce0abf8e53f1
SHA1238ebf0d386ecf0e56d0ddb60faca0ea61939bb6
SHA25610bff40a9d960d0be3cc81b074a748764d7871208f324de26d365b1f8ea3935a
SHA51265edefa20f0bb35bee837951ccd427b94a18528c6e84de222b1aa0af380135491bb29a049009f77e66fcd2abe5376a831d98e39055e1042ccee889321b96e8e9
-
Filesize
562KB
MD563c8c11ca850435d9b5ec2ea41e50c22
SHA109a92f137462216a052f2a819ce110a0ac2f4022
SHA25689f58c08d1ccdc0aa645f11fb84de4c8a1ee328fd8a847aca63523291465a3a4
SHA512abdb139e86a3268c4d2bb5581c804219eeefc992e1dab87b3eb059db24015c849ce64d16ed0745df43dc8ac7ae49dcd5fd5660e65924752e669deafa6bbaa803
-
Filesize
1.7MB
MD52b6d71bf9628fb892f3b29e8ba249e58
SHA124d17185d16e2236c4699d397d3cf0f78d7665b9
SHA25643197dc24b40cb5775140fc85a626b11e3aa63f4a00ff85409d30e55554e2fe1
SHA512fef9c29d84d3852315a2f4d39f56d3e27cca4475e7723df11d4fafc0e971ef13e8e02df02507dbb0097310800d893ed9992c7862b5f20af56e55a9f25a773343
-
Filesize
944KB
MD58fb0b309cfd7b54c77ea046622c50f00
SHA19667379e7fb9c85e37f780dc824745fb1d1a7616
SHA2563e95299b2982da8402e328000157f7aac122a6f14006365a3ac46b5ae44bae35
SHA51269719eeaf0fb4436143b82042afd99662f10fa0e8a99240419a58d947b618aa22996fa77de1d90d335cef0a31d67d4ba000a72ec5eb931f5b7c4cb606fab034e
-
Filesize
2.7MB
MD51eb9111f06d9adf612a6fc52eeb12f35
SHA160522c4daa1c04702ca442d59c9a738fda7be209
SHA2567c788e1a4fb74e4490275d941306dfd4d3dd0ae6d10b1133c5ff2a0854f81017
SHA5123c7fb9da366b17aaac65cf0f4be286253b8a1e5318e7e3836b6c2554813697f4c86c13d5872012377c11d2a9b0406846d5ec761906356b614ae46db90768300c
-
Filesize
591KB
MD53567cb15156760b2f111512ffdbc1451
SHA12fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA2560285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba
-
Filesize
1.8MB
MD5f6dda666a364b3ebd7628cbad0601cb8
SHA1e1b063a09268a6bcd74679d4d71118437fdcc986
SHA25651d36e8ab041d9bed637e4eb74400652bb95de582a0a178a8f5eab95bd0c22de
SHA512c9cbc87064c3e8054723eddb94235533c028ddfcab2d08c696bbd8e99aa351ae9f0797dfcd7797a05c2d2ac0b40020e526864422521e4a89b792be038e27d92c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NK3NISOC7GFY9KBQILM6.temp
Filesize7KB
MD50e7d1c6bb52282fdf509dcba43b0b4b0
SHA13f7c0cc471d14db1fdb09e8019b7bd32e7dcd1b5
SHA2565f08394b2f3baae58499f7120277636b514c6c4b9bbae23301dc486ebf10c590
SHA5122ba141ab12fc8a84f6cfb6cf936e0d4fd5f59976b917bb87e3f19ebf956fc776bb2bcfa67bb4a4aabb4f0ad3c8282f414b0337ac7623e49354b89a9b5fab7289
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD521d20d618c82aa396581669665c65429
SHA1fd149d177e0fdb263c67e8080122f46c4b2d003e
SHA256ac7a7da3fbe519fc4c223f8e84e134af8a7b1a82510aaf9961cfc17f90c76e5a
SHA512f9fe5bade17dc73326cb43d866ef2bb22908a333855d143e5b0f5e9f0b27f08e1e404b49225cb5b87a84da8130bce395adce9433d881970ab67be24cd5035308
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\datareporting\glean\pending_pings\cbf47be6-b81a-4ba7-b2a0-f39937687aad
Filesize733B
MD5608d894fe5533a2c9d0dbc5fcd4d9ecd
SHA14dd4d596026ef5a0ba2b4fec5eb75fabdc70a522
SHA256458e664d38edb9cc8285bc48e03e687ede7ecc68ea7191746213733e4bf23a1c
SHA512e3af579c9f5ec16c26d77d580cc2f276dc06321aba4899fbbb4fe071d3c3ef7d899c6fc9726b4bcfaea3ae4034f133e457c3f2fd0633433f6daeeda3be45ef89
-
Filesize
6KB
MD53524ae1e7e08491f5ab70c241e294835
SHA1deacf788d001cecc6ad4b9f7573075ec28f9b244
SHA256fafdab9b16fae009c83f22e88b4f29c58e8354630bad7545f682df5a49651c78
SHA5121bee8c282be772f1a5314546668b9001136d798d8fa3e23721f9c5e713ea212d4c9f43f04e69a52936c55a6f1e82455ad3cb16759a31c82b7d52998e68d1a3e9
-
Filesize
6KB
MD525af5b324e21480017ba92339b0d55f9
SHA1fef87aff5a99f2fb0805976290c7cdb2bdc9bcf1
SHA2568fdb3f7f992c0df1ccbda80f732f21801f91cec6a283a0dae0d5b09f491e6426
SHA51280ef609802701ac2549aaab065d2d7c836eafb61261507ace51c61dab119e94906e4cb4617a2ea68c11b6fe1a533fb150503478d4ab38092cc4d6e05009b7413
-
Filesize
6KB
MD5f12a95bcccee0ac06dd53498e0e44de2
SHA1325a3513d6222bbbbca44626bb242782843e1e26
SHA2561e2b003a53cb365d8b26c525defb4807215670f652c202450f57eda18fd949dc
SHA512587787149e1734e86281688e7ba56cb9a2849a936b05fa41e941c22f0e98afab77eafc746edd45ea40a5cb4852c8f23ed934acc828ded8326acdf35e8bb34d93
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z3l10m6w.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD59dc417aabce6a1a4717e2e0837457bd1
SHA1304f22726336711968348e6ea66fbf46a1a4e96c
SHA256724480d328206d6f20d38301f900eaae4c95815f95da5a2be8aca567bdc2d863
SHA512fb4c61c61c76fc4ab53b9ffe97cdaa694cb457ffa3b15b7aa7a8acebec6a6a9741c42c1b1b359dcf34ceaf6c48129913a3ffcf93a48f83283658ff07855e8297
-
Filesize
124KB
MD50d3418372c854ee228b78e16ea7059be
SHA1c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1
SHA256885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7
SHA512e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19
-
Filesize
758KB
MD52d6f91549d53930821ea4cf0fbd54b29
SHA18d22716e08327026fd0e0693eb4607008f189a79
SHA2565601bb520ce3526f6a6e23646183e822d531e402ba174225ce8541d57a8b8630
SHA512d8cc636347ddb97e596625a3ea61a6f3ad9083eedc3421f9e8d19b03c824a3bb2f582b689e341bfd951ec6ce13cf8fe3218325f97b337ed4e3314e23f1ef94c0