Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
30-10-2024 04:57
Static task
static1
General
-
Target
05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
-
Size
1.8MB
-
MD5
b3d3107faf89ed1b14eba469e5f6442c
-
SHA1
8c3ceda065d74eda75374cf6fd10bca04ac9a745
-
SHA256
05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd
-
SHA512
e9f27839f957ad699f4cb6546e66805f47e8e924d576cb8bb200b5235bbf5bc47402177668d2a624b9b5ba5d277f8d69c5414e36a61c40fb91a644bcc536ae86
-
SSDEEP
24576:zbvASigrLPOWtFShEsrZTD8UeNeDpDV5Wv/YUqivrJ64Pc6p9C+NrTh7K:gzQPFvyfTGNWpOvECE76fFT
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
Signatures
-
Amadey family
-
Lumma family
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c713e3bde0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 090e9c32a4.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions. The signature covers exclusions for file extensions, paths and processes; in this run Add-MpPreference adds the paths C:\Lipras and C:\Users. Excluding C:\Users removes real-time scanning from every user profile, including the %TEMP% directories the later payloads are dropped into. The exclusions outlive the process that set them: list them with Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess) and remove them with Remove-MpPreference.
Processes:
pid | process
2412 | powershell.exe
1132 | powershell.exe
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 1 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies. Here 090e9c32a4.exe starts chrome.exe with --remote-debugging-port=9229 on the Default profile; while that port is listening, any local client that speaks the DevTools protocol can drive the browser and read the profile's cookies from the running process instead of from the encrypted cookie database on disk.
Processes:
pid | process
1872 | chrome.exe
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments. The values read here, SystemBiosVersion and VideoBiosVersion, carry the virtual firmware's identification strings on an unhardened VirtualBox guest, and all four stages (the parent, skotes.exe, c713e3bde0.exe and 090e9c32a4.exe) query both.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c713e3bde0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c713e3bde0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 090e9c32a4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 090e9c32a4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
2724 | skotes.exe
2028 | wintoolsone64.exe
2904 | Session.exe
1916 | c713e3bde0.exe
872 | 090e9c32a4.exe
264 | 7ef385d5ba.exe
1812 | num.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. The HKCU\Software\Wine key does not exist on a real Windows installation, so the loader treats its presence as a sign of analysis.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | c713e3bde0.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | 090e9c32a4.exe
-
Loads dropped DLL 14 IoCs
Processes:
pid | process | occurrences
1228 | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe | 1
2724 | skotes.exe | 9
872 | 090e9c32a4.exe | 1
3280 | WerFault.exe | 3
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\c713e3bde0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002539001\\c713e3bde0.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\090e9c32a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002540001\\090e9c32a4.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\7ef385d5ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002541001\\7ef385d5ba.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002542001\\num.exe" | skotes.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1002541001\7ef385d5ba.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
1228 | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
2724 | skotes.exe
1916 | c713e3bde0.exe
872 | 090e9c32a4.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\skotes.job | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3280 | 872 | WerFault.exe | 090e9c32a4.exe
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The same key is also opened by the taskkill.exe and powershell.exe instances in this run, which is ordinary locale lookup by system tools, so on its own this IoC is only meaningful for the dropped executables.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Session.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 090e9c32a4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wintoolsone64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c713e3bde0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ef385d5ba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | num.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments. Only the two 090e9c32a4.exe entries are of interest here; the six firefox.exe reads (Update Signature, Update Revision, CurrentPatchLevel, ~Mhz, VendorIdentifier) are routine for a browser and appear because the signature does not distinguish who is reading.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 090e9c32a4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 090e9c32a4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Kills process with taskkill 5 IoCs
Processes:
pid | process
568 | taskkill.exe
2040 | taskkill.exe
1640 | taskkill.exe
1972 | taskkill.exe
2044 | taskkill.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | firefox.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
pid | process | occurrences
1228 | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe | 1
2724 | skotes.exe | 1
2904 | Session.exe | 1
2412 | powershell.exe | 1
1916 | c713e3bde0.exe | 1
1132 | powershell.exe | 1
872 | 090e9c32a4.exe | 3
264 | 7ef385d5ba.exe | 2
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2904 | Session.exe
Token: SeDebugPrivilege | 2412 | powershell.exe
Token: SeDebugPrivilege | 1132 | powershell.exe
Token: SeDebugPrivilege | 568 | taskkill.exe
Token: SeDebugPrivilege | 2040 | taskkill.exe
Token: SeDebugPrivilege | 1640 | taskkill.exe
Token: SeDebugPrivilege | 1972 | taskkill.exe
Token: SeDebugPrivilege | 2044 | taskkill.exe
Token: SeDebugPrivilege | 1516 | firefox.exe (2 occurrences)
-
Suspicious use of FindShellTrayWindow 15 IoCs
Processes:
pid | process | occurrences
1228 | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe | 1
264 | 7ef385d5ba.exe | 10
1516 | firefox.exe | 4
-
Suspicious use of SendNotifyMessage 13 IoCs
Processes:
pid | process | occurrences
264 | 7ef385d5ba.exe | 10
1516 | firefox.exe | 3
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each entry is a parent writing into a child it has just created, so this table is the process tree below in another form; the write counts per parent/child pair are given instead of repeating the 64 rows.
pid | process | target pid | target process | writes
1228 | 05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe | 2724 | skotes.exe | 4
2724 | skotes.exe | 2028 | wintoolsone64.exe | 4
2724 | skotes.exe | 2904 | Session.exe | 4
2904 | Session.exe | 2412 | powershell.exe | 4
2724 | skotes.exe | 1916 | c713e3bde0.exe | 4
2412 | powershell.exe | 1132 | powershell.exe | 4
2724 | skotes.exe | 872 | 090e9c32a4.exe | 4
2724 | skotes.exe | 264 | 7ef385d5ba.exe | 4
264 | 7ef385d5ba.exe | 568 | taskkill.exe | 4
872 | 090e9c32a4.exe | 1872 | chrome.exe | 4
1872 | chrome.exe | 2848 | chrome.exe | 3
264 | 7ef385d5ba.exe | 2040 | taskkill.exe | 4
264 | 7ef385d5ba.exe | 1640 | taskkill.exe | 4
264 | 7ef385d5ba.exe | 1972 | taskkill.exe | 4
264 | 7ef385d5ba.exe | 2044 | taskkill.exe | 4
264 | 7ef385d5ba.exe | 1144 | firefox.exe | 4
1144 | firefox.exe | 1516 | firefox.exe | 1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. This matches the C:\Windows\Tasks\skotes.job file the parent creates (see "Drops file in Windows directory"): a task named after skotes.exe, the Amadey install_file from the extracted config, so the loader can survive a reboot even if the Run keys it later adds are removed. The report lists only the file creation, not the task definition, so the trigger and schedule have to be read from the .job file itself.
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe
command line: "C:\Users\Admin\AppData\Local\Temp\05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1228 -
(depth 2) C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724 -
(depth 3) C:\Users\Admin\AppData\Local\Temp\1002431001\wintoolsone64.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1002431001\wintoolsone64.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
(depth 3) C:\Users\Admin\AppData\Local\Temp\1002474001\Session.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1002474001\Session.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904 -
(depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412 -
(depth 5) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132 -
(depth 3) C:\Users\Admin\AppData\Local\Temp\1002539001\c713e3bde0.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1002539001\c713e3bde0.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1916 -
(depth 3) C:\Users\Admin\AppData\Local\Temp\1002540001\090e9c32a4.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1002540001\090e9c32a4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872 -
(depth 4) C:\Program Files\Google\Chrome\Application\chrome.exe
command line: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1872 -
(depth 5) C:\Program Files\Google\Chrome\Application\chrome.exe
command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6809758,0x7fef6809768,0x7fef6809778
PID:2848
-
(depth 4) C:\Windows\SysWOW64\WerFault.exe
command line: C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 988
- Loads dropped DLL
- Program crash
PID:3280 -
(depth 3) C:\Users\Admin\AppData\Local\Temp\1002541001\7ef385d5ba.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1002541001\7ef385d5ba.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:264 -
(depth 4) C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:568 -
(depth 4) C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
(depth 4) C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640 -
(depth 4) C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1972 -
(depth 4) C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044 -
(depth 4) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
- Suspicious use of WriteProcessMemory
PID:1144 -
(depth 5) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1516 -
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.0.1028746837\623842329" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {129721a4-ea94-42ff-ac69-d324f883a6eb} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 1296 121f4858 gpu
PID:1628
-
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.1.1557633282\1549024532" -parentBuildID 20221007134813 -prefsHandle 1468 -prefMapHandle 1464 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b78dc440-789c-46db-87cc-77cb461807ef} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 1480 e72158 socket
PID:3004
-
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.2.1204404382\63348027" -childID 1 -isForBrowser -prefsHandle 2088 -prefMapHandle 2084 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {39437afe-874b-4986-8d07-d29d679fdd87} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 2100 1a3d7358 tab
PID:2588
-
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.3.113572283\1903753093" -childID 2 -isForBrowser -prefsHandle 2684 -prefMapHandle 2680 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {761697ed-7cea-4b67-ba93-423bf8c5ac34} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 2696 e69558 tab
PID:1360
-
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.4.124173084\800878360" -childID 3 -isForBrowser -prefsHandle 3940 -prefMapHandle 3928 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cabff96b-cab1-4885-81f2-02ad94ba4a73} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 3944 205a8d58 tab
PID:884
-
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.5.2012167625\1303332837" -childID 4 -isForBrowser -prefsHandle 4040 -prefMapHandle 4048 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f6be1d3-7c22-4d64-80cb-9695b0d11ad7} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 3960 211d5258 tab
PID:2116
-
(depth 6) C:\Program Files\Mozilla Firefox\firefox.exe
command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1516.6.773994443\1329095902" -childID 5 -isForBrowser -prefsHandle 4220 -prefMapHandle 4224 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d3366d6-044c-4241-bfa9-8edb04e93037} 1516 "\\.\pipe\gecko-crash-server-pipe.1516" 4208 211d5e58 tab
PID:2552
-
(depth 3) C:\Users\Admin\AppData\Local\Temp\1002542001\num.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1002542001\num.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1812
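The behaviours in the tree above are the ones a detection engineer would want to match on a host: the anti-VM registry reads shared by all four stages, the Defender exclusion, the browser kill followed by a relaunch under --remote-debugging-port and --kiosk, and the Run values pointing into %TEMP%. The Python below is an added example written for this page; it is not sandbox output and not code from Amadey, Stealc or Lumma. Its event records are constructed by hand from the PIDs, images, command lines and registry keys listed in this report (assumed to be the fields a process-creation or registry log would carry), and the rule names and the two-bucket threshold for calling something sandbox evasion are the editor's own choices, not the sandbox's.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe"}

# Registry reads the report flags as anti-VM/anti-sandbox, bucketed by what each one reveals.
EVASION_KEYS = {
    "virtualbox_acpi": re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    "wine": re.compile(r"\\Software\\Wine$", re.I),
    "bios_version": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "cpu_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\|$)", re.I),
}
# A Run value whose target lives under the user's Temp directory, as skotes.exe writes them.
RUN_KEY_IN_TEMP = re.compile(r'\\CurrentVersion\\Run\\[^=]+=\s*"?[A-Za-z]:\\Users\\[^"]*\\AppData\\Local\\Temp\\', re.I)


@dataclass(frozen=True)
class Event:
    kind: str    # "process": detail is the command line; "registry": detail is the key, plus ' = "value"' for writes
    pid: int
    image: str   # image file name only
    detail: str


def process_rules(e: Event) -> set[str]:
    """Command-line rules for the tree above: Defender exclusion, DevTools port, browser kill, kiosk lure."""
    img, cl, hits = e.image.lower(), e.detail, set()
    if img == "powershell.exe" and re.search(r"Add-MpPreference\s+-Exclusion", cl, re.I):
        hits.add("defender_exclusion_added")   # T1562.001 Impair Defenses
    if img in BROWSERS and re.search(r"--remote-debugging-port=\d+", cl):
        hits.add("browser_remote_debugging")   # DevTools protocol reachable from any local process
    if img == "taskkill.exe":
        m = re.search(r"/IM\s+(\S+)", cl, re.I)
        if m and m.group(1).lower() in BROWSERS:
            hits.add("browser_killed")         # precedes the relaunch under attacker-chosen flags
    if img in BROWSERS and "--kiosk" in cl and "--disable-popup-blocking" in cl:
        hits.add("browser_kiosk_lure")         # full-screen browser pinned to a sign-in page
    return hits


def registry_rules(e: Event) -> tuple[set[str], set[str]]:
    """(rule hits, evasion buckets) for one registry event; writes carry ' = "value"' after the key."""
    key = e.detail.split(" = ", 1)[0]
    hits = {"run_key_in_temp"} if RUN_KEY_IN_TEMP.search(e.detail) else set()
    return hits, {name for name, rx in EVASION_KEYS.items() if rx.search(key)}


def evasion_categories(events) -> dict[int, set[str]]:
    cats: dict[int, set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "registry":
            cats[e.pid] |= registry_rules(e)[1]
    return dict(cats)


def triage(events, min_evasion_categories: int = 2) -> dict[int, list[str]]:
    """pid -> sorted rule names. sandbox_evasion needs reads from at least min_evasion_categories
    buckets: a lone CPU read is normal (firefox.exe does it in this report), VBOX + Wine + BIOS is not."""
    hits: dict[int, set[str]] = defaultdict(set)
    for e in events:
        hits[e.pid] |= process_rules(e) if e.kind == "process" else registry_rules(e)[0]
    for pid, cats in evasion_categories(events).items():
        if len(cats) >= min_evasion_categories:
            hits[pid].add("sandbox_evasion")
    return {pid: sorted(h) for pid, h in hits.items() if h}


def _reg(pid, image, *keys):
    return [Event("registry", pid, image, k) for k in keys]


# Constructed sample: PIDs, images, keys and command lines transcribed from this report, not a sandbox export.
SAMPLE = "05fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd.exe"
HW = r"\REGISTRY\MACHINE\HARDWARE"
HKU = r"\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software"
ANTI_VM = (HW + r"\ACPI\DSDT\VBOX__", HKU + r"\Wine",
           HW + r"\DESCRIPTION\System\SystemBiosVersion", HW + r"\DESCRIPTION\System\VideoBiosVersion")
SAMPLE_EVENTS = (
    _reg(1228, SAMPLE, *ANTI_VM)
    + _reg(2724, "skotes.exe", *ANTI_VM, HKU + r'\Microsoft\Windows\CurrentVersion\Run\c713e3bde0.exe'
           + r' = "C:\Users\Admin\AppData\Local\Temp\1002539001\c713e3bde0.exe"')
    + _reg(872, "090e9c32a4.exe", *ANTI_VM, HW + r"\DESCRIPTION\System\CentralProcessor\0",
           HW + r"\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString")
    + _reg(1516, "firefox.exe", HW + r"\DESCRIPTION\System\CentralProcessor\0",
           HW + r"\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier")
    + _reg(1872, "chrome.exe", HW + r"\DESCRIPTION\System\BIOS\SystemProductName")
    + [
        Event("process", 2412, "powershell.exe", r'''"powershell.exe" powershell -Command '''
              r'''"Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"'''),
        Event("process", 1872, "chrome.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
              r'--remote-debugging-port=9229 --profile-directory="Default"'),
        Event("process", 568, "taskkill.exe", "taskkill /F /IM firefox.exe /T"),
        Event("process", 1144, "firefox.exe", r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk '
              r'"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
              r'--no-default-browser-check --disable-popup-blocking'),
        Event("process", 1812, "num.exe", r'"C:\Users\Admin\AppData\Local\Temp\1002542001\num.exe"'),
    ]
)

if __name__ == "__main__":
    for pid, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, rules)
```

Run stand-alone it prints one line per flagged PID; firefox.exe (1516) and num.exe (1812) produce nothing. The threshold in triage is the knob that separates the four stages, which each touch three or four evasion buckets, from a browser that reads CentralProcessor\0 once; lowering it to 1 reproduces the noisier verdict the sandbox signature gives.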
Network
MITRE ATT&CK Enterprise v15 (signature count per technique in parentheses)
Persistence: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1); Modify Authentication Process (1)
Privilege Escalation: Boot or Logon Autostart Execution (1) > Registry Run Keys / Startup Folder (1)
Defense Evasion: Modify Authentication Process (1); Modify Registry (1); Virtualization/Sandbox Evasion (2)
Credential Access: Credentials from Password Stores (1) > Credentials from Web Browsers (1); Modify Authentication Process (1); Steal Web Session Cookie (1); Unsecured Credentials (1) > Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp
Filesize 35KB
MD5 2840f0e07f3c80b09430a1271ce30b3d
SHA1 4f1014424eb44e48cb8c56d4c98416596e5fa27d
SHA256 6c16d4c0c562c4efe64fafbec3ff3ec0dcaec4629e7a0d7c143e83e3a1480bc6
SHA512 c1705645ddf46e1f384364b0cdf73a732430f9a700377fa72ee15bb2200f75298c7225d42dd1efb9b8527fa32918cc4417b661f8765d7cd0cc24bc3426a87948
-
Filesize
11.3MB
MD53a408188540d593a618c37ff3b9fa378
SHA17298ef70541efda3185b81dbfada7f8c1998e75c
SHA256883170fb01d121dd32d3de0c16f987429da0cf1d137e3ce6a92fef44947ae53a
SHA512b2399171504df008ca2d3007d33858002c704cb0d892b78ea41e751051f8ccd96b8e887ba5c393daa4124132dce96daf631808d96e70b4a799b282f9133d477a
-
Filesize
21KB
MD53ba35e9d091539ec658813e3d15e4b89
SHA13baf91a24418399f05d99206f8f004ae48d6a134
SHA256aa133af788a57f91449a01402067a28f744172154f3a5d3f8d0d47f350037ec8
SHA512a815b64909b9a81c39385c98f00666644d9f0281dcf53582752f84da1eaab3a76fb16d76ff4b47057bab0a9249eb3263bf7fecf88a554daa986c8935281393cd
-
Filesize
2.9MB
MD57f339d0252f408065abe57ac23eed91c
SHA11f07e6f292500fd235ec540cb56045a3081efa6d
SHA256c94e84bee19b31c4663f8df36368ed87dd16e2021b5727a45c973ed8cf04dc0d
SHA512b9e8c24fdce5011437d4080baf884065656c1f8d3760914580307ff0ada32b008c5e44e6b0ce4bbfd7f43471ddcd8ee1e82f2dd40d776afbaf7359c54033a4db
-
Filesize
2.0MB
MD50d30eb6a4023a6dce770ce3d6388cb9b
SHA183e8c18d4ad2b7c36d6699e7a9e25a7b552b9779
SHA2567ea542ed634733c045e8d30777ae4f1c9a0a87d532f336158d36887483a6af7c
SHA512a961fae055e2f8e69e8f0e2501b38d03282c522435e51d1a8c484c2997df0c571aae580d8c1d6e0efdf95fcd32686d0badca1a772250efc9e42941ae8eebe66f
-
Filesize
898KB
MD590ea7d80c37af043396d189144583971
SHA1baf234de90b9fcc4f4a13cad020b854faaecea91
SHA256cdb7076e6706a7a45a01db49f26851d9b4682732fbb53f320111c48003d7379b
SHA512e37fe88a8ea39d4fd339dbafb7215f68887b28ef3f833d6b2a2a837bbd3609cac523736e2aa5b48c206ea33e84d1689c8f3267913a06f2972a2829d49c2fa327
-
Filesize
868KB
MD5f793d9e588c6bf51f1daf523ab2df1ce
SHA1f63ce1f9eee9f3ae643e270c7fc854dc51d730d0
SHA256a8addc675fcc27c94ff9e4775bb2e090f4da1287aae6b95cecc65ccf533bc61d
SHA5124d0d8bf366f4b4793154f31aee4983df307b97edc83608b76628168418d48227eb46f6213469eb4d3a088d891a143b30b3b02acbb194df834da1b61d182607eb
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
1.8MB
MD5b3d3107faf89ed1b14eba469e5f6442c
SHA18c3ceda065d74eda75374cf6fd10bca04ac9a745
SHA25605fe4628ec1c9b88873bc3f3d3285657cc2b7bb7c380f9587009f09f1e55c6bd
SHA512e9f27839f957ad699f4cb6546e66805f47e8e924d576cb8bb200b5235bbf5bc47402177668d2a624b9b5ba5d277f8d69c5414e36a61c40fb91a644bcc536ae86
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 fba263c60f966913d1c1e66efd1acb4a
SHA1 9c3440a3f2131794ce46835c6a6af08fd7e704fd
SHA256 ab9ae388ff9d68b2b4becb4699e0f2e85a30c2ff53cab27801d2d252ea5230d9
SHA512 7f366b4f05c97fc289bf78406386d90a27096bc5aa94b0e304c72fa29ab529c4cd964ee606c36defaed6f01acf6add975aac080f32385aa871136f0007ac7c8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD5b3d8452d72530025c76436efa85aec9c
SHA1b7aeee0a3057f8e6d2867b46d3303296957cc450
SHA256ab11d5efe6e0ac935c07c65589909ca68dd2c0d59bf381df7e5b1cd91e2104bd
SHA5129ede7995715048bdebc48df24bf7a42b59599a2f944830806abebee6a2944cda32ed1da7f6a30861a31834a6de12b98b4dfb65b72dad79bd94b87b27585a1756
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\995cabd3-701c-4e5f-823c-a3a1eda30a2a
Filesize745B
MD5b6f4b7005a65f03981ea3d777f1e5531
SHA1352ab68c06f68853bf63f8443a4a22279edf7d58
SHA256bf15cc45e8b7f52b4c43f7baf413286a8f339cf62ed509a5204306a5445461dd
SHA512c92226ad3ff51d6e141765a93338609d59941c21fb4cb8486e235f14321a532e9ed97fa58baa60aa8e261a3876bb32d1343c7cd277ad51fd2b25c151c4abbf42
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\9e711724-342f-4b28-aef8-b7af02937228
Filesize12KB
MD584f1f67e6f69061f82a8d03b32a0537a
SHA1032cd2e92581d0127005fa5bec4952c807d7f1c6
SHA256de3c49409cb4bc16993e42edd0b7d4c6a110859874352b4900a986b8b504779b
SHA51220a984cfb3b4ec6a6399a57c057b610dc180cb2ddee03fe531a29943883db05a1579293bbfae06c7baaf8af79aa2fe9e1cd129d472e12162862d23573c4126a6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5d74b8313a431679de8962bfd9a0c40ca
SHA1753acd3cac79a45b00fe090dd2ac57a394eefdd5
SHA2566d2ebf9b6dcd39687b867d25db10ea97d248d64af56eb6e169f92865b2c797cb
SHA5124658c79901cc622a10a751119c001a28e0b55c351e7dfbc03f1ac741dbd0579c6687ea9b489f2e93b40c35414aa5d582e9793234e1f395fe0e5c97ce55ada677
-
Filesize
6KB
MD5c8b5b8ac1c43f0c08e685e2b402ce6d2
SHA15e85998709e73b9b5b0e16ea17ebe3d643cb781c
SHA256782a2a3865db3163bbf182d4cb59f61b689fb090c56591bfed9f2d4daa216393
SHA512a01c3e574302768c937b8aa4216ecb0e0da26b655961b926a42f3ceee1ec5b82f32be820d5064249d692f041e9c3ac32a41e9377c0e37befda2b67f436a8f6ec
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD553c4faa8a068ce7421389a67788f18da
SHA1599acc5343f2e85755c048e23fd52564928a267d
SHA25687cab3b7c2b5a1c23bf89730714f515625b8e1e223fd4f9df2cc97b5dbaba259
SHA5125e4833e2f2f77e71f903a29bca7c4e3c67c662971f8930dd0749ebe2379e8dd0165b9e18ab877a37a86b30a1bcc64a34244276933d1a192a972033fa4eec76c2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize184KB
MD50584fa52a0ba3f20c45d1eabf82a1be0
SHA1b78423b9dde01c545d3da94b871265005c13c856
SHA256d42b41a7f66fb56294218c566a6077276d4bfbfa251cf9d6a0244dd8fc12f3ea
SHA5127ba0e21d1258965e3bc60efafebdefda9ab6765028a318b0de223e37ed4fc5f4c3096bdaf91b631d760f9cb1d7cb94c039d43527fad572a230c339ce95152a22
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85