Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2024, 09:12
Static task: static1
General
Target: 27804d55f185edb91ed8ec5c15066fe5.exe
Size: 5.5MB
MD5: 27804d55f185edb91ed8ec5c15066fe5
SHA1: 6b5339943f113562612b929604f850ccdfa2681a
SHA256: 26309ceffdfb8ef91a3d435a569841ed8532f855557aeee54620a54e2c2dceca
SHA512: 4f458ad6580ef5a266f36b194d7a32b31a686ab7d88ced7b42c5ac972f17496b5fbb755359bc553d75533f03dd54b1feee01b470e42488ba66ea67050b901838
SSDEEP: 98304:yfz+nFIl9jheluAfkir3x/rgoihJGK1GVkY+Qd8snFRT66C5K8MSvnGdv8WGCP:yL+nGvhe8AxrXiPyVk19b91CP
Malware Config
Extracted: stealc
  tale
  http://185.215.113.206
  url_path: /6c4adf523b719729.php
  (C2 endpoint, host joined with url_path: http://185.215.113.206/6c4adf523b719729.php)
Extracted: amadey
  4.42
  9c9aa5
  http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
  (C2 endpoint, host joined with url_paths: http://185.215.113.43/Zu7JuNko/index.php)
Extracted: lumma
  https://founpiuer.store/api
Signatures
Amadey family
Lumma family
Stealc family
Modifies Windows Defender real-time protection policy values 6 IoCs
Heading derived from the IoCs; all six are performed by 3926bce057.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection:
- Set value (int) DisableOnAccessProtection = "1"
- Set value (int) DisableRealtimeMonitoring = "1"
- Set value (int) DisableScanOnRealtimeEnable = "1"
- Key created Real-Time Protection
- Set value (int) DisableBehaviorMonitoring = "1"
- Set value (int) DisableIOAVProtection = "1"
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by each of:
- 2h6379.exe
- skotes.exe (3 rows)
- 86c6a39802.exe
- 6415429333.exe
- 3926bce057.exe
- 3S96n.exe
- 4w017y.exe
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 7 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies. In this run, 3S96n.exe launched both Chrome (PID 2772) and Edge (PID 1868) with --remote-debugging-port=9229 --profile-directory="Default" (see the process tree); the other flagged PIDs are their renderer children, which inherit the flag.
pid / Process
- 4580 chrome.exe
- 1260 chrome.exe
- 1868 msedge.exe
- 1504 msedge.exe
- 4824 msedge.exe
- 2772 chrome.exe
- 1124 chrome.exe
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by: 3926bce057.exe, 3S96n.exe, 4w017y.exe, 86c6a39802.exe, 2h6379.exe, 6415429333.exe, skotes.exe (3 rows)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by: 6415429333.exe, 3926bce057.exe, 3S96n.exe, 2h6379.exe, 4w017y.exe, 86c6a39802.exe, skotes.exe (3 rows)
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 4w017y.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation skotes.exe
Executes dropped EXE 12 IoCs
pid / Process
- 224 j1C74.exe
- 4840 2h6379.exe
- 2124 3S96n.exe
- 4048 4w017y.exe
- 644 skotes.exe
- 2644 DLER214.exe
- 2612 86c6a39802.exe
- 1612 6415429333.exe
- 3560 63f889fbcd.exe
- 7124 3926bce057.exe
- 6100 skotes.exe
- 1516 skotes.exe
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine by each of:
- 3S96n.exe
- skotes.exe (3 rows)
- 86c6a39802.exe
- 6415429333.exe
- 3926bce057.exe
- 2h6379.exe
- 4w017y.exe
Loads dropped DLL 1 IoCs
- 2124 3S96n.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Modifies Windows Defender tamper protection setting 2 IoCs
Heading derived from the IoCs; both rows are performed by 3926bce057.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
On a host where Tamper Protection is enforced, Defender is expected to block or ignore registry writes like these and the Real-Time Protection policy values above; the sandbox image evidently allowed them, so treat the write attempts as the signal, not the resulting state.
Adds Run key to start application 2 TTPs 6 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 27804d55f185edb91ed8ec5c15066fe5.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" j1C74.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86c6a39802.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004062001\\86c6a39802.exe" skotes.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6415429333.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004063001\\6415429333.exe" skotes.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63f889fbcd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004064001\\63f889fbcd.exe" skotes.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3926bce057.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004065001\\3926bce057.exe" skotes.exe
The two wextract_cleanup RunOnce entries are the IExpress self-extractor's own cleanup of its IXP000.TMP / IXP001.TMP directories; the four Run entries written by skotes.exe are the Amadey loader persisting each downloaded payload.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
- resource behavioral1/files/0x0007000000023c57-261.dat, yara_rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid / Process
- 4840 2h6379.exe
- 2124 3S96n.exe
- 4048 4w017y.exe
- 644 skotes.exe
- 2612 86c6a39802.exe
- 1612 6415429333.exe
- 7124 3926bce057.exe
- 6100 skotes.exe
- 1516 skotes.exe
Drops file in Windows directory 1 IoCs
- File created C:\Windows\Tasks\skotes.job 4w017y.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 4 IoCs
pid / pid_target / Process / procid_target
- 1176 / 4840 / WerFault.exe / 86
- 4352 / 2124 / WerFault.exe / 97
- 3376 / 2644 / WerFault.exe / 146
- 3356 / 2612 / WerFault.exe / 150
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of:
- 6415429333.exe
- taskkill.exe (5 rows)
- 27804d55f185edb91ed8ec5c15066fe5.exe
- skotes.exe
- 86c6a39802.exe
- 63f889fbcd.exe
- j1C74.exe
- 2h6379.exe
- 3S96n.exe
- 4w017y.exe
- DLER214.exe
- 3926bce057.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3S96n.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3S96n.exe
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Only the 3S96n.exe rows are the malware's own checks; the firefox.exe and msedge.exe rows are normal browser start-up reads.
Enumerates system info in registry 2 TTPs 8 IoCs
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Kills process with taskkill 5 IoCs
pid / Process
- 2372 taskkill.exe
- 5116 taskkill.exe
- 1364 taskkill.exe
- 1516 taskkill.exe
- 3112 taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752715393261335" chrome.exe
Modifies registry class 1 IoCs
- Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid / Process (the page lists one row per call; unique processes below)
- 4840 2h6379.exe
- 2124 3S96n.exe
- 2772 chrome.exe
- 428 msedge.exe
- 1868 msedge.exe
- 2052 msedge.exe
- 4048 4w017y.exe
- 644 skotes.exe
- 2612 86c6a39802.exe
- 1612 6415429333.exe
- 3560 63f889fbcd.exe
- 7124 3926bce057.exe
- 6100 skotes.exe
- 1516 skotes.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid / Process
- 2772 chrome.exe (3 rows)
- 1868 msedge.exe (2 rows)
Suspicious use of AdjustPrivilegeToken 27 IoCs
Token / pid / Process
- SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 2772 chrome.exe (18 rows)
- SeDebugPrivilege 2644 DLER214.exe
- SeDebugPrivilege 3112 taskkill.exe
- SeDebugPrivilege 2372 taskkill.exe
- SeDebugPrivilege 5116 taskkill.exe
- SeDebugPrivilege 1364 taskkill.exe
- SeDebugPrivilege 1516 taskkill.exe
- SeDebugPrivilege 3656 firefox.exe (2 rows)
- SeDebugPrivilege 7124 3926bce057.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid / Process (one row per call on the page; unique processes below)
- 2772 chrome.exe
- 1868 msedge.exe
- 4048 4w017y.exe
- 3560 63f889fbcd.exe
- 3656 firefox.exe
Suspicious use of SendNotifyMessage 30 IoCs
pid / Process (one row per call on the page; unique processes below)
- 3560 63f889fbcd.exe
- 3656 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs
- 3656 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
pid / Process -> target pid (procid_target); the page repeats a row per write, unique pairs below
- 1668 27804d55f185edb91ed8ec5c15066fe5.exe -> 224 (84)
- 224 j1C74.exe -> 4840 (86)
- 224 j1C74.exe -> 2124 (97)
- 2124 3S96n.exe -> 2772 (100)
- 2772 chrome.exe -> 980 (101)
- 2772 chrome.exe -> 4328 (103)
- 2772 chrome.exe -> 2264 (104)
- 2772 chrome.exe -> 2304 (105)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
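The three behaviours above that an endpoint sensor sees most cleanly are the browser launch with --remote-debugging-port, the Windows Defender registry writes, and the Run-key persistence into the user's Temp directory. The following detection logic is an added example written for this page; it is not Triage's signature code and not code from Amadey, Lumma or Stealc. It runs over constructed events laid out with Sysmon's field names (EventID 1 = ProcessCreate, EventID 13 = registry value set, Details rendered as "DWORD (0x...)") that mirror this report's process tree and IoCs; the on-disk path assumed for skotes.exe and the exact event shapes are assumptions, not captured telemetry.

```python
"""Detection rules for behaviours seen in this report, applied to constructed
Sysmon-style events (EventID 1 = ProcessCreate, EventID 13 = registry SetValue).
Sample events are built from the report's process tree and registry IoCs; they are
not captured telemetry, and the skotes.exe install path is an assumption."""
import re
from dataclasses import dataclass

# Chromium-based browsers whose renderer/gpu/utility children inherit the parent's flags.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}

REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.I)
DEFENDER_RTP = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(Disable\w+)$", re.I)
TAMPER_PROT = re.compile(r"\\Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")  # Sysmon's rendering of a REG_DWORD


@dataclass
class Alert:
    rule: str
    severity: str
    pid: int
    image: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dword(details: str):
    """Integer value of a Sysmon 'DWORD (0x........)' Details field, or None if not a DWORD."""
    m = DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def detect(events):
    alerts = []
    for ev in events:
        img = basename(ev["Image"])
        if ev["EventID"] == 1:
            parent = basename(ev["ParentImage"])
            # Alert on the top-level launch only: chrome/msedge child processes carry the
            # same --remote-debugging-port flag but are spawned by the browser itself.
            if (img in BROWSER_IMAGES and REMOTE_DEBUG.search(ev["CommandLine"])
                    and parent not in BROWSER_IMAGES):
                alerts.append(Alert("browser_remote_debugging", "high", ev["ProcessId"], img,
                                    f"parent={parent} cmd={ev['CommandLine']}"))
        elif ev["EventID"] == 13:
            target, details = ev["TargetObject"], ev["Details"]
            m = DEFENDER_RTP.search(target)
            if m and dword(details) == 1:
                alerts.append(Alert("defender_rtp_disabled", "high", ev["ProcessId"], img, m.group(1)))
            if TAMPER_PROT.search(target) and dword(details) == 0:
                alerts.append(Alert("tamper_protection_disabled", "high", ev["ProcessId"], img, target))
            m = RUN_KEY.search(target)
            if m and TEMP_DIR.search(details):
                # IExpress SFX wrappers register wextract_cleanupN to delete their IXP*.TMP
                # extraction directory; expected for the wrapper, so rate it low but keep it.
                sev = "low" if m.group(2).lower().startswith("wextract_cleanup") else "high"
                alerts.append(Alert("run_key_temp_path", sev, ev["ProcessId"], img,
                                    f"{m.group(1)}\\{m.group(2)} -> {details}"))
    return alerts


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
HKU = r"HKU\S-1-5-21-1045960512-3948844814-3059691613-1000"

SAMPLE_EVENTS = [  # constructed to mirror the report; not captured telemetry
    {"EventID": 1, "ProcessId": 2772, "Image": CHROME, "ParentImage": TMP + r"\IXP001.TMP\3S96n.exe",
     "CommandLine": f'"{CHROME}" --remote-debugging-port=9229 --profile-directory="Default"'},
    {"EventID": 1, "ProcessId": 4580, "Image": CHROME, "ParentImage": CHROME,  # renderer child: no alert
     "CommandLine": f'"{CHROME}" --type=renderer --remote-debugging-port=9229 --lang=en-US'},
    {"EventID": 1, "ProcessId": 1868, "Image": EDGE, "ParentImage": TMP + r"\IXP001.TMP\3S96n.exe",
     "CommandLine": f'"{EDGE}" --remote-debugging-port=9229 --profile-directory="Default"'},
    {"EventID": 13, "ProcessId": 7124, "Image": TMP + r"\1004065001\3926bce057.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
                     r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "ProcessId": 7124, "Image": TMP + r"\1004065001\3926bce057.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 644, "Image": TMP + r"\abc3bc1985\skotes.exe",  # path assumed
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86c6a39802.exe",
     "Details": TMP + r"\1004062001\86c6a39802.exe"},
    {"EventID": 13, "ProcessId": 1668, "Image": TMP + r"\27804d55f185edb91ed8ec5c15066fe5.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "' + TMP + r'\IXP000.TMP\"'},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} pid={a.pid} {a.image}: {a.detail}")
```

The parent-image check is what keeps the remote-debugging rule quiet: every renderer in the process tree below repeats --remote-debugging-port=9229, but only the launch by 3S96n.exe is the stealer's doing. A developer starting Chrome from a terminal with the same flag will still trip it, so pair the rule with the parent image (cmd.exe, powershell.exe, an IDE) in your allow-list rather than suppressing the flag itself. The Defender rules key off the write attempt, which is visible whether or not Tamper Protection actually rejected it.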
Processes
Indentation shows the parent/child depth (the page's "N⤵" markers); signature hits and PID follow each command line.

[1] "C:\Users\Admin\AppData\Local\Temp\27804d55f185edb91ed8ec5c15066fe5.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1668
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j1C74.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:224
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2h6379.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID:4840
      [4] C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1588
          - Program crash
          PID:1176
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3S96n.exe
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:2124
      [4] "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
          - Uses browser remote debugging
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID:2772
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd4522cc40,0x7ffd4522cc4c,0x7ffd4522cc58
            PID:980
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1952 /prefetch:2
            PID:4328
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:3
            PID:2264
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2472 /prefetch:8
            PID:2304
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
            - Uses browser remote debugging
            PID:4580
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3480,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3492 /prefetch:1
            - Uses browser remote debugging
            PID:1124
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:1
            - Uses browser remote debugging
            PID:1260
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4664,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:8
            PID:3936
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
            PID:3420
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
            PID:3356
        [5] "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,5057608808627996002,5021245485151695504,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8
            PID:3452
      [4] "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"
          - Uses browser remote debugging
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          PID:1868
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd452346f8,0x7ffd45234708,0x7ffd45234718
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            PID:2052
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
            PID:1176
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses
            PID:428
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:2
            PID:1764
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2608 /prefetch:2
            PID:2836
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
            PID:4972
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2828 /prefetch:2
            PID:4776
        [5] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
- Uses browser remote debugging
PID:4824
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:15⤵
- Uses browser remote debugging
PID:1504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2824 /prefetch:25⤵PID:3544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2712 /prefetch:25⤵PID:3660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2712 /prefetch:25⤵PID:3112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3364 /prefetch:25⤵PID:4064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,1371072294251123523,17211396252363500780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2808 /prefetch:25⤵PID:2468
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 21164⤵
- Program crash
PID:4352
-
-
-
-
PID 4048 (depth 2): C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4w017y.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID 644 (depth 3): "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID 2644 (depth 4): "C:\Users\Admin\AppData\Local\Temp\1004053001\DLER214.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

PID 3376 (depth 5): C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1756
- Program crash
PID 2612 (depth 4): "C:\Users\Admin\AppData\Local\Temp\1004062001\86c6a39802.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses

PID 3356 (depth 5): C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1600
- Program crash
PID 1612 (depth 4): "C:\Users\Admin\AppData\Local\Temp\1004063001\6415429333.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID 3560 (depth 4): "C:\Users\Admin\AppData\Local\Temp\1004064001\63f889fbcd.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

PID 3112 (depth 5, image C:\Windows\SysWOW64\taskkill.exe): taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

PID 2372 (depth 5, image C:\Windows\SysWOW64\taskkill.exe): taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

PID 5116 (depth 5, image C:\Windows\SysWOW64\taskkill.exe): taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

PID 1364 (depth 5, image C:\Windows\SysWOW64\taskkill.exe): taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken

PID 1516 (depth 5, image C:\Windows\SysWOW64\taskkill.exe): taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID 3908 (depth 5): "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking

PID 3656 (depth 6): "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx

PID 468 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {782c7dd8-7a1b-458b-9264-c9e267f47503} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" gpu

PID 2096 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2476 -parentBuildID 20240401114208 -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8562033c-732f-4f32-947a-0ef3633c3aa4} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" socket

PID 2008 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 2820 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4340f1c4-bfc9-42c1-a1f7-5eec29009967} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab

PID 4940 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4136 -prefMapHandle 4132 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9391251a-0890-453f-92b6-9226d0550cc7} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab

PID 5808 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6efcc04-47f7-4fde-8b04-d2bdb871c490} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" utility
- Checks processor information in registry

PID 5168 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5264 -prefMapHandle 5260 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11c2ef74-037b-43af-9ba5-04919660e483} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab

PID 5180 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4264 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5404 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a2d3803-ffd9-4428-9e84-24d9197a9215} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab

PID 5192 (depth 7): "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93cfa470-a8eb-49b0-a7f9-59107b120d41} 3656 "\\.\pipe\gecko-crash-server-pipe.3656" tab
PID 7124 (depth 4): "C:\Users\Admin\AppData\Local\Temp\1004065001\3926bce057.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID 5064 (depth 1): C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4840 -ip 4840

PID 2340 (depth 1): "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

PID 4996 (depth 1): C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

PID 2356 (depth 1): C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2124 -ip 2124

PID 4892 (depth 1): C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2644 -ip 2644

PID 4564 (depth 1): C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2612 -ip 2612
PID 6100 (depth 1): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

PID 1516 (depth 1): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
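The subtree under 63f889fbcd.exe (PID 3560) is the part of this tree that deserves a detection rule: five taskkill calls against every common browser, followed by Firefox relaunched in --kiosk mode on a URL dressed up as a Google sign-in challenge, which is the pattern used to trap a victim in a full-screen login page until credentials are typed in and land in the browser's credential store for the stealer to read. The Edge renderers at PIDs 4824 and 1504 carry the second signal, --remote-debugging-port=9229, which exposes the DevTools protocol and through it the session cookies. The Python below is an added example, not tria.ge's own signature code; it runs both checks over a constructed event list whose command lines are copied or trimmed from the tree above, with parent PIDs inferred from tree depth and one invented benign kiosk launch added for contrast.

```python
"""Triage a Windows process tree for the browser-abuse pattern seen in this
report: a dropped EXE kills every browser with taskkill, relaunches Firefox in
--kiosk mode on a sign-in page, and a browser runs with --remote-debugging-port
(DevTools protocol access to session cookies). Added example, not tria.ge code."""
import re
from collections import defaultdict

BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}

REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b")
KIOSK = re.compile(r"(^|\s)--?kiosk(\s|$)")
# Crude sign-in heuristic for the kiosk URL; an assumption of this example,
# not a signature from the report.
SIGNIN_HINT = re.compile(r"signin|login|account|password|pwd|challenge", re.I)
TASKKILL_IM = re.compile(r"taskkill\b.*?/IM\s+(\S+)", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
URL = re.compile(r"https?://\S+")

# Constructed sample events (pid, ppid, image, command line). Command lines are
# copied or trimmed from the process tree above; parent PIDs are inferred from
# tree depth, and the last event is an invented benign kiosk launch for contrast.
SAMPLE_EVENTS = [
    (4824, 2124, "msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --lang=en-US --renderer-client-id=9'),
    (3560, 644, "63f889fbcd.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\1004064001\63f889fbcd.exe"'),
    (3112, 3560, "taskkill.exe", "taskkill /F /IM firefox.exe /T"),
    (2372, 3560, "taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    (5116, 3560, "taskkill.exe", "taskkill /F /IM msedge.exe /T"),
    (1364, 3560, "taskkill.exe", "taskkill /F /IM opera.exe /T"),
    (1516, 3560, "taskkill.exe", "taskkill /F /IM brave.exe /T"),
    (3908, 3560, "firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking'),
    (468, 3656, "firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2040 -parentBuildID 20240401114208 gpu'),
    (2340, 0, "elevation_service.exe",
     r'"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"'),
    (9001, 1, "msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://intranet.example/dashboard'),
]


def image_path(cmdline):
    """First token of the command line, with surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def first_url(cmdline):
    """First http(s) URL on the command line, quotes stripped, or None."""
    m = URL.search(cmdline)
    return m.group(0).strip('"') if m else None


def flag_process(image, cmdline):
    """Per-process indicators for one event; returns a list of tags."""
    tags = []
    is_browser = image.lower() in BROWSER_IMAGES
    if is_browser and REMOTE_DEBUG.search(cmdline):
        tags.append("browser_remote_debugging")
    if is_browser and KIOSK.search(cmdline):
        url = first_url(cmdline)
        if url and SIGNIN_HINT.search(url):
            tags.append("browser_kiosk_signin")
        else:
            tags.append("browser_kiosk")
    m = TASKKILL_IM.search(cmdline)
    if m and m.group(1).lower() in BROWSER_IMAGES:
        tags.append("taskkill_browser:" + m.group(1).lower())
    if not is_browser and TEMP_DIR.search(image_path(cmdline)):
        tags.append("exec_from_temp")
    return tags


def correlate(events):
    """Tag every process, then roll the tags up to the parent: a parent whose
    children kill two or more browsers and also start a browser in kiosk mode
    on a sign-in URL is reported as a kiosk credential-phish launcher."""
    findings = {}
    per_parent = defaultdict(list)
    verdicts = {}
    for pid, ppid, image, cmdline in events:
        tags = flag_process(image, cmdline)
        findings[pid] = tags
        per_parent[ppid].extend(tags)
        if "browser_remote_debugging" in tags:
            verdicts[pid] = "browser_remote_debugging"
    for ppid, tags in per_parent.items():
        killed = {t.split(":", 1)[1] for t in tags if t.startswith("taskkill_browser:")}
        if len(killed) >= 2 and "browser_kiosk_signin" in tags:
            verdicts[ppid] = "browser_credential_phish_kiosk"
    return findings, verdicts


if __name__ == "__main__":
    found, verdict = correlate(SAMPLE_EVENTS)
    for pid, tags in found.items():
        if tags:
            print(pid, tags)
    print("verdicts:", verdict)
```

Both signals need context before they are actioned. Selenium, Puppeteer and similar automation start browsers with --remote-debugging-port, and digital signage runs --kiosk all day; what makes this sample malicious is the combination under one parent, which is why correlate() raises the kiosk verdict only when the same parent has already killed two or more browsers. A renderer inherits the flag from the browser's command line, so on a live host the same check against the top-level browser process (and a look at who can reach TCP 9229 on localhost) is the follow-up.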
Network
MITRE ATT&CK Enterprise v15
The number after each technique is the count of matching signatures; sub-techniques are indented under their parent.
Persistence
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
- Modify Authentication Process (T1556): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 1
  - Registry Run Keys / Startup Folder (T1547.001): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
Defense Evasion
- Impair Defenses (T1562): 2
  - Disable or Modify Tools (T1562.001): 2
- Modify Authentication Process (T1556): 1
- Modify Registry (T1112): 3
- Virtualization/Sandbox Evasion (T1497): 2
Credential Access
- Credentials from Password Stores (T1555): 1
  - Credentials from Web Browsers (T1555.003): 1
- Modify Authentication Process (T1556): 1
- Steal Web Session Cookie (T1539): 1
- Unsecured Credentials (T1552): 1
  - Credentials In Files (T1552.001): 1
Downloads
- Filesize: 676KB
  MD5: eda18948a989176f4eebb175ce806255
  SHA1: ff22a3d5f5fb705137f233c36622c79eab995897
  SHA256: 81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
  SHA512: 160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85
- Filesize: 649B
  MD5: 3019e84c20d23c5dfa3380d0614637fb
  SHA1: c08032a12ff2fa745d7ef5b187181160420ebaed
  SHA256: 7d8c1ea1c9bc33f25a8ba84a709f31dfd733a85a3e90b925a593c060257e63c3
  SHA512: 77a18742fffbd67dc9cef64698dce5e1f7ee63f1f3518b748455e523c48c1a07547747d878f312eceeb66b3ab48df627764dcbb3d5303d7bbcfa901e5092defc
- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\905aaf25-6805-4f33-b711-e82f5309b688.dmp
  Filesize: 10.5MB
  MD5: 1ea016526d9acd3127fa75d78417af13
  SHA1: 3db9fd99f2895fbef8c146a06c17219c59e1380c
  SHA256: 62ac0271e506f5e29b991808e7982a371f548d04c821e00e8b99664f5e9cab7f
  SHA512: 8d4da4a0f04c8af5eebde196eb9eb132a508a60916a1bd0d8ed28b009ef97dd3d115fa7c033976f0ee932e68eb4fb3e9cc9e2bdcf8885f95671759e6fa250ddd
- Filesize: 152B
  MD5: bffcefacce25cd03f3d5c9446ddb903d
  SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
- Filesize: 152B
  MD5: d22073dea53e79d9b824f27ac5e9813e
  SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
- Filesize: 5KB
  MD5: e9d5e2e247e08af67f4717f6750d994b
  SHA1: e5db97992345eecca0948b24442b4a6553341df1
  SHA256: 0bd779b24cd106663fca96fca66b8535e2f0050c78ebb4145fdde00fdeb17f2a
  SHA512: 87ebb59c6b5f9536f8749bc85ac1c706dc9f94615bd7107d7eb88301f7328e1ba650f76d39a8c359fdb4afaf32127653acc4f6f0bbe9bc531ea34d47d95319d4
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json
  Filesize: 18KB
  MD5: 5922c445843dfffadf826a486f990604
  SHA1: 8b8edff836444494739613b81f22a608f76dc33b
  SHA256: 867ecc4fc766a79a1cbc528a4b9c5461de4fd045e23546b315a0a350111db095
  SHA512: 5d0e7df342bcb17c2aa13d6082f915f5eaaae15a48f0240c02cac725119c921e1f67203b7deb0e581d1c80f2e3243966bd044b250b0e9fc1097805b75d7d93bd
- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
  Filesize: 13KB
  MD5: 455a74c2ecd56b58f82e38ccf3118267
  SHA1: 2695ae95afe048477c69159295f9101af071845e
  SHA256: 631a7764af43e2869b6da5e5a6b7821ac68a6d9c973c999e115fef08b01e71ca
  SHA512: 99662308ab412ef86a2052404b5ad76b4ca37c2e3390aaef572e5fff99166b9efe356a6f6b15c16b49a8f884a2557ffecd7ea2add6dad47fcf15ad160de5d7a2
- Filesize: 16KB
  MD5: 54ec587044fdff4bfd0029946041a109
  SHA1: 242cc5fdd5c75a02776f1f5e526cc42cf138b313
  SHA256: e666b2644c35f564041ad18c5125f1677255f05421ad18785aed42bfb3ac5adf
  SHA512: 6e2c9f3b3850c021b0db78af02f37e6fe1b32bd046ba5767b0499f2c4af11586e167c80235258b5536bcfece567a18f2e2eca6a107e60d5efb62a65175049046
- Filesize: 898KB
  MD5: 565b879f452ad66ae6ed1a812247a7e1
  SHA1: feb4025c529a18e555a3df1004bb8330318d779d
  SHA256: 5b5c5fd205eb910b1588ccf45e7b442ddaac4aa496cf61cdf697c224697db77c
  SHA512: d9b912b2b17f79cf9146947eae0a1208a7b6c35aa7cccfe75353f6b044ff9e0ab89593b0c4b925d5860b2398bcfd46611e67b02e6236294f3f8d45dbb2639a0b
- Filesize: 2.7MB
  MD5: 5edfa82d1af0c0769da3b063f9d1ce7b
  SHA1: 679d03e3fe9aa0c43dfa8ec9f2664ce00fd2b294
  SHA256: 9df9359b92c62cdfeb6c8ac4b3daf2457145577c7e511fa14d0391fd2a2e31e5
  SHA512: 28c61fd5665485522fb8ed2e650a6bbfeca2036a5d2c7948dc082582db16e07301c41e5ed2f6caa72f6eac68f1be9e856ef02e84ef5168ee80321ad3e5f717b0
- Filesize: 3.1MB
  MD5: 2f2a8968bcdc26dc26f35a7f0e741b94
  SHA1: 8ff2c4c2bac54fc34c12ee6e8b2349141ae1703c
  SHA256: b4ed53947a407459822c5d352bb5300a5885b9dec2b6c319c48f54b57a02e2eb
  SHA512: 6288b580f9da2760f2b30565cfa6b5c57c2e9c776e3f04ad7ac1f5c5630678aea869f5f0d494aa244e2dbeb17615936fb29f68a20b0f23325238a5c417568ef9
- Filesize: 3.8MB
  MD5: be4cd825680f7e4844f9a8c61f7cecbf
  SHA1: 66e394e730bbc4b5d51e32954fa2872f3971b64d
  SHA256: 1145f46f15c58ea7effd2900dde5a9bc9fc6e69783e74189e348d7eca867612f
  SHA512: 2fa4f7a9e393e0f814840e9fedd14787a76d564e81ce6dc17f12e1d9e882c1b0acdd2551e03d941e6f9a6ed5d5985087e7cf69000fb530c6fc7735ab31342055
- Filesize: 2.9MB
  MD5: 781c92234ad3fa7fafda08c434d9a50e
  SHA1: eae985ceabb46b58a7460c29620288535e7bb5ce
  SHA256: 74495c23ae1c2767bc43b39a3f4cea3a6414280dbcf9610d66b4faeaf31b6724
  SHA512: b6dbd83e54f87e3223312a36d7276dfd2a09ae0689a48ba689d5c99b37d222a2ba8c534b89176227ce1b6d1ccec8d7d9c50fae78065d8c3af312aee8dc05aa6e
- Filesize: 2.0MB
  MD5: 7e2272452770fce26baaaf4fca490edf
  SHA1: f7415b286c2ce27fd9b1d2de81fa13634cb6da15
  SHA256: edde457b0a32e570c98fcd0868170dfa06990bccd396c4b38b4e8d69bd72d500
  SHA512: dec16f81df500beda931441c42349483e5058f241da53021c0cade0471a2fcd7fa102efa1c0bd7bdbbfbff1f75d5100302cb4a30c647b99715b962b3217fca26
- Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
- Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\AlternateServices.bin
  Filesize: 12KB
  MD5: 185b4ce0baf5d8735fb46ed1eeeb6dfe
  SHA1: b4307a989c7723647fb9dccb2955365f67705573
  SHA256: 5c4e78bad27264ee86b734236ea5101e9678530fdda5f235840b5d64518f057f
  SHA512: 080da624ee960119d66556b4af5e71b074d4db92529b1be9a23f4731b7307bf39a0f4889476397e4e2e1baf6e533feb02f09c4015fc10c654286a64acaf361ca
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 23KB
  MD5: 7861e938eea57bcd8c4ef4058eb7d75a
  SHA1: 766c79d3d513088b06df2f62389356e9c8f141a9
  SHA256: ad40c33101ad13fc83a6a9179ec7af4e135dec0bbd79e332cfe93bfcd1b124ba
  SHA512: 8ea71f888f8cd8d005639bfc7b58922f59a58d0ae5c97e8db6487b55abc4223f00978433971ff92348a588c52b8969b6722bf596cafe232432e517f2d063385b
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 6KB
  MD5: c6746c403d47b2f973e53410bd856f28
  SHA1: 57829b18d881285ee18e719eeb32f0605b3e6a61
  SHA256: 77d9904d33b746dcd467d19a8992a52f5ed7f50e98d67469cd55e5519e8a49c4
  SHA512: 3f27712af99bac30999ad64b06ddea1411cf7855815001feba90e684b81df0b72039ed79b0ff3a4ad616c3164f06de15f6f65a4c37331761b8c64bd18bfefa55
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 15KB
  MD5: 8eb1b1789934ccd437fb93fcebb6b827
  SHA1: d8d92e4c42d258775c86c2ed104c6b16fd20a1f5
  SHA256: c755e1aa4339dcc1ffd92ef19f7feae7343e6e4a761513f1d246d88ab6e265f1
  SHA512: c342be2e3ea19d7855eda7e201ddd064f18b9001d7bd585d0844e294219dc46a44d4ac6f84affc83e395f18d8f37ea4d946634f7f8572ca13eb630258f68efef
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: d67274bbf41ee16d7f67f1dfbf10fe6a
  SHA1: be996312176c63075ea8442f291d1c709cbce7ac
  SHA256: 93639659630591a9c046bee02aef67cd5bc4f85a944e98e8971232780f9f04e7
  SHA512: 082f17dafaf3a59991ad89998c8e821e0d663d17340ed31012bbe0d42db5e4be27dbbc93721a819386b1ef4d4902528300f28fe346785008686934bf5a97c4a5
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: e379c775044c4e5bbc4c7a8bcab1088b
  SHA1: ca53a872912150fbf7734cb687c1fd66cb228561
  SHA256: c09ebbe7809a6cb002a94604881d71e5ed80399d398ea817fe931d8b7e42035c
  SHA512: 2fe5b0be7b1ea3674e124a748667d5a31f0b381d4e1bf2a255f37df1b639eaf3ac7e96df654a333372bc7abea846fc7f408550d7afeaad9e0ae6af4eb6205fd3
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 15KB
  MD5: 425a85e6afc56599cf7f5f8c76c861fd
  SHA1: 55371d3b02e721e7c91aadba6a57189b9e6b388d
  SHA256: ebe78cd2341aaf16e9715e2487f73a9d7f5af77c886a53172d58e353b7f3e798
  SHA512: 979e0528c583f2b0c82c4ee371f6216132f207cebbced8fce12dff69095c639d0f814cc3f2a55493413472858957f11742c7a192ecb75bcf63af01c3d2a708b8
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 6KB
  MD5: f825795d740b27d6fb828f2501025f89
  SHA1: df59821b15dc0abf460848557a068873c1ce013e
  SHA256: ad4f63120e550efd426621d88d9e7a5b71a4daf050734ebf01f4e6cbf881c76b
  SHA512: 75b683889e641e3ded0b623114669924723420b9aac1c6666e5f3075810f67236981b28740095ffa841ef24a9f0b25f3dbcd71a4cb7c25cdc7d7806467a0bb69
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 15KB
  MD5: cafa105e9c9b0810805d413f3dd1e209
  SHA1: 0238685eefcf758efb6b783abc114472afec0459
  SHA256: 22349ff69b91d59d83fc4b7227187bc5d4549e7f0735e200a9b3c9b0dcfd3516
  SHA512: 0b8a09f3afa402712b402f774c1e567fc5f6ef9f63c25aee5e28b7262dc75f1894b0226a843e467aa4523270e6ddfad8736ee1d41ff322eee3b31dcc6302635c
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\a5f5e496-3937-463e-a5f0-a1da7565f2ac
  Filesize: 27KB
  MD5: 5ab66fa464eb11116ffd62f01e36e315
  SHA1: b61b8c7b214919f077ff5ec3bf3f2a694f3efa3c
  SHA256: cb2403b9e243393b32ca017a4ec3916931b58ed36912a5f5488656216cd1527c
  SHA512: 0fa732c9d4310550e6a8d36b4ebdb6655392ecf004203d2cd696f938de1f32d4a439111d3b31d4c980af5176f0f252712f265e661e0b97f45760d5d410ed6b7d
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\e1cde739-2039-4677-bf24-67f5d0e95943
  Filesize: 671B
  MD5: a6d0a4532476fbad57ef189e4fb4d469
  SHA1: 3e005573a6b13a977f52e4f4365648f609ff2e16
  SHA256: 4ea7c8e27816de986f44cff04fd4108204b62f5f037b848d919fcfc4ca25ce14
  SHA512: 650c7a9fdaf85acab1e4aa5b2d14797e7153c093b659eb43f4cce5e58b5e72c2ffbb315c52d599136c9dbb962936461810fc5167905bd70fbcca1bdbf65425f4
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\e7636a39-725b-49c6-8df9-87f1dcfbe21a
  Filesize: 982B
  MD5: 4a964c5bfa721b9a666be8593cf70605
  SHA1: 44cdb054eec7568f491943d34a697285ef07dd58
  SHA256: ac574c80b72b08e9d31e3e9d910c38e43dcda85732d3dc776a6ebe2b7c7c279d
  SHA512: 65fd4825a7d147e74cb3ad853ab4e0dbc875c75117b464da3a83617f28142f6f745bf9022b0102eed7db888fc472f4639a0855a2620d77687feae7609952e8a4
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
- Filesize: 10KB
  MD5: bcb792c310cdc48aed061c67f1fcded4
  SHA1: 22dc96a5223dcda574f4dfb711efb1542aa0e266
  SHA256: e6efb08f2ac1f676addec5d95ad74e71dd8bc673921df766f6e75e115b0aacea
  SHA512: a8694c577234c84ff7b4a9a0d0fc356970988c9b1160d15b1aa931449dd7761d2e1b00df737e5d6bb14375bbe358265e9226644ee6454e67cb5e725d3272bf2c
- Filesize: 12KB
  MD5: be933c0230bd2988f5c42c73e88b029b
  SHA1: edc389cb78968298ce73168d2b7a186b9840836a
  SHA256: 7befccfb416f7355b37976a966d1c29afd857ac836a59f8c126951ff1c2d8986
  SHA512: 9f08cb9497925ea4eee98bb1572c8ac1678dbcaa7491bbfaad5853c58e0bc1412f7887fd383166dfd9d1a2ccc3c1ac39aa4d2d1751b0d08a3400bfbf5cf663dd
- Filesize: 15KB
  MD5: b882eb2ab50a6bd0e60d60fa06dc81cc
  SHA1: fd29a21a52d03f3ea96c95fee70a1cfd2305fe74
  SHA256: fe69d9163d5989c0f08f6fc928a5679c07bea50bb5cf3cddb07720aa51cee565
  SHA512: 419c25e2adc1e7b20a410eb855f9b6e6a9ddeff832aa6025027396727dc1c0e90f86b0392e98aac2db225966ab89f1366f0951a4e5d78ac41a7ae0a87af91ec5
- Filesize: 11KB
  MD5: 73d5053f791a71d3f3bd52f87b6dd96f
  SHA1: 333cf64a5b1784d635fc621270b4fae87cd33e93
  SHA256: f69d97d3205e1a2380686f48a7ed353e7322e195c178276593aa41573bfdfd21
  SHA512: 6c8ed253b4d111981ea1ff04be9650040f15af44ebc2af2e0d9d95bf28cfae6e7f38608a6da79fd7f621de603a441fd133f608d6aba0b562bb5f9b467025c05a
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
  Filesize: 1.8MB
  MD5: ec62b6b0828cc18e6964995969dc039a
  SHA1: fd7c7e15171c6aec7626f3da652afafb2c80effc
  SHA256: 566db2d2315822f3e9f640df67c93f6a53945c08381ba82bbc52afc1ea00da62
  SHA512: 27bda7e1562f183dd36b6514543d6b3f90494192d9040a6d2976a80cf7d3a9aa9bf1f6f5ee80463e4b02ddcd39141d1384c2fb86da129abc567914cfa6f52664