Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05/11/2024, 17:44
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
80780678447355a2bc3157723d80033b
-
SHA1
3ca0030f2582c21959f2b5d25cf57a926a4314a1
-
SHA256
def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361
-
SHA512
90fade4ec430ffd1f165d6cbef9ae8d4d9f93f17200c0907f85e5c653484d72e0c7471a32bd42544dff4350e96a4c16521c87e5779b8b068f9f8c85a662ee546
-
SSDEEP
49152:tRCiNmW7ggey/6JYzvfqTkGkJHi9Eu+0yp++IhT/W/oa/EiS:6sj9eM6JYzvfYkGkJC2u+08++IaDEi
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" fff9efc9cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" fff9efc9cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" fff9efc9cf.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection fff9efc9cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" fff9efc9cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" fff9efc9cf.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ca599d31b8.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f3edb45431.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fff9efc9cf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
pid Process 2132 chrome.exe 3824 chrome.exe 4704 chrome.exe 1632 chrome.exe -
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f3edb45431.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fff9efc9cf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ca599d31b8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ca599d31b8.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f3edb45431.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fff9efc9cf.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 8 IoCs
pid Process 3964 skotes.exe 3456 freecam.exe 3480 ca599d31b8.exe 644 f3edb45431.exe 592 9d195f995f.exe 4808 fff9efc9cf.exe 5196 skotes.exe 5568 skotes.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine ca599d31b8.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine f3edb45431.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine fff9efc9cf.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe -
Loads dropped DLL 1 IoCs
pid Process 644 f3edb45431.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features fff9efc9cf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" fff9efc9cf.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ca599d31b8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004154001\\ca599d31b8.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f3edb45431.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004155001\\f3edb45431.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9d195f995f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004156001\\9d195f995f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fff9efc9cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004157001\\fff9efc9cf.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x0007000000023c68-85.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 3228 file.exe 3964 skotes.exe 3480 ca599d31b8.exe 644 f3edb45431.exe 4808 fff9efc9cf.exe 5196 skotes.exe 5568 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2640 3480 WerFault.exe 103 6040 644 WerFault.exe 110 -
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9d195f995f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fff9efc9cf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3edb45431.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language freecam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ca599d31b8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f3edb45431.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f3edb45431.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Kills process with taskkill 5 IoCs
pid Process 2496 taskkill.exe 2168 taskkill.exe 5024 taskkill.exe 2128 taskkill.exe 2164 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 3228 file.exe 3228 file.exe 3964 skotes.exe 3964 skotes.exe 3480 ca599d31b8.exe 3480 ca599d31b8.exe 644 f3edb45431.exe 644 f3edb45431.exe 644 f3edb45431.exe 644 f3edb45431.exe 644 f3edb45431.exe 644 f3edb45431.exe 2132 chrome.exe 2132 chrome.exe 592 9d195f995f.exe 592 9d195f995f.exe 4808 fff9efc9cf.exe 4808 fff9efc9cf.exe 592 9d195f995f.exe 592 9d195f995f.exe 4808 fff9efc9cf.exe 4808 fff9efc9cf.exe 4808 fff9efc9cf.exe 5196 skotes.exe 5196 skotes.exe 5568 skotes.exe 5568 skotes.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
pid Process 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 2496 taskkill.exe Token: SeShutdownPrivilege 2132 chrome.exe Token: SeCreatePagefilePrivilege 2132 chrome.exe Token: SeShutdownPrivilege 2132 chrome.exe Token: SeCreatePagefilePrivilege 2132 chrome.exe Token: SeDebugPrivilege 2168 taskkill.exe Token: SeDebugPrivilege 5024 taskkill.exe Token: SeDebugPrivilege 2128 taskkill.exe Token: SeDebugPrivilege 2164 taskkill.exe Token: SeDebugPrivilege 3648 firefox.exe Token: SeDebugPrivilege 3648 firefox.exe Token: SeDebugPrivilege 4808 fff9efc9cf.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 3228 file.exe 592 9d195f995f.exe 592 9d195f995f.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 2132 chrome.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 592 9d195f995f.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 592 9d195f995f.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 3648 firefox.exe 592 9d195f995f.exe 592 9d195f995f.exe 592 9d195f995f.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3648 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3228 wrote to memory of 3964 3228 file.exe 87 PID 3228 wrote to memory of 3964 3228 file.exe 87 PID 3228 wrote to memory of 3964 3228 file.exe 87 PID 3964 wrote to memory of 3456 3964 skotes.exe 102 PID 3964 wrote to memory of 3456 3964 skotes.exe 102 PID 3964 wrote to memory of 3456 3964 skotes.exe 102 PID 3964 wrote to memory of 3480 3964 skotes.exe 103 PID 3964 wrote to memory of 3480 3964 skotes.exe 103 PID 3964 wrote to memory of 3480 3964 skotes.exe 103 PID 3964 wrote to memory of 644 3964 skotes.exe 110 PID 3964 wrote to memory of 644 3964 skotes.exe 110 PID 3964 wrote to memory of 644 3964 skotes.exe 110 PID 3964 wrote to memory of 592 3964 skotes.exe 113 PID 3964 wrote to memory of 592 3964 skotes.exe 113 PID 3964 wrote to memory of 592 3964 skotes.exe 113 PID 644 wrote to memory of 2132 644 f3edb45431.exe 114 PID 644 wrote to memory of 2132 644 f3edb45431.exe 114 PID 2132 wrote to memory of 3952 2132 chrome.exe 115 PID 2132 wrote to memory of 3952 2132 chrome.exe 115 PID 592 wrote to memory of 2496 592 9d195f995f.exe 116 PID 592 wrote to memory of 2496 592 9d195f995f.exe 116 PID 592 wrote to memory of 2496 592 9d195f995f.exe 116 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 2928 2132 chrome.exe 118 PID 2132 wrote to memory of 4960 2132 chrome.exe 119 PID 2132 wrote to memory of 4960 2132 chrome.exe 119 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 PID 2132 wrote to memory of 4956 2132 chrome.exe 120 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964 -
C:\Users\Admin\AppData\Local\Temp\1004149001\freecam.exe"C:\Users\Admin\AppData\Local\Temp\1004149001\freecam.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3456
-
-
C:\Users\Admin\AppData\Local\Temp\1004154001\ca599d31b8.exe"C:\Users\Admin\AppData\Local\Temp\1004154001\ca599d31b8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3480 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 14844⤵
- Program crash
PID:2640
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004155001\f3edb45431.exe"C:\Users\Admin\AppData\Local\Temp\1004155001\f3edb45431.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff98b23cc40,0x7ff98b23cc4c,0x7ff98b23cc585⤵PID:3952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:25⤵PID:2928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:35⤵PID:4960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2456 /prefetch:85⤵PID:4956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:15⤵
- Uses browser remote debugging
PID:3824
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:15⤵
- Uses browser remote debugging
PID:4704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4576 /prefetch:15⤵
- Uses browser remote debugging
PID:1632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3636,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:85⤵PID:4324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,5321036821563336760,8694305411522764528,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:85⤵PID:4312
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 15364⤵
- Program crash
PID:6040
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004156001\9d195f995f.exe"C:\Users\Admin\AppData\Local\Temp\1004156001\9d195f995f.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:4312
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵PID:3892
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3648 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc14d9a4-e8eb-4499-b4d1-8dcbe1c568df} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" gpu6⤵PID:1092
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {020c21be-2f84-4110-b080-ba544e762a9b} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" socket6⤵PID:2052
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2924 -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2952 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c16dfff-57bc-478e-97fd-1355198c975b} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" tab6⤵PID:4888
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4160 -childID 2 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {900473ff-f08c-4649-a4a8-4b06b54eb782} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" tab6⤵PID:2180
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4852 -prefMapHandle 4848 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bafb70c6-ec57-47ce-b70c-25a15210d7c0} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" utility6⤵
- Checks processor information in registry
PID:5896
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4904 -childID 3 -isForBrowser -prefsHandle 4892 -prefMapHandle 4884 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {786ce8df-90b6-479a-b318-6a808b045412} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" tab6⤵PID:6112
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5320 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6bbe5739-3488-43d9-bb76-b5e0484f45dd} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" tab6⤵PID:1980
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5544 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1016 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da6f6791-932a-4c5e-bd9e-8e26ae39bc0d} 3648 "\\.\pipe\gecko-crash-server-pipe.3648" tab6⤵PID:4360
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004157001\fff9efc9cf.exe"C:\Users\Admin\AppData\Local\Temp\1004157001\fff9efc9cf.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3480 -ip 34801⤵PID:3760
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:4792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 644 -ip 6441⤵PID:6020
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5196
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5568
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\b22084ae-49ce-4f8c-ad0e-6847c8f378b0.tmp
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
Filesize18KB
MD50c6a9ff454d94d6b55aeb78e04ae465c
SHA1c2ac2be6ecebbf57cf692bbb98cd13ce43b80685
SHA256c2926d14bd0526bc75d4413b30ff4e3bc4dfab97bc0d9f71fcaaedb3fa40ce84
SHA512999673a90e1ce20310f72f1ecddaf9dd630d6245bd22b7e746ac54c4d433c3a71bbdb76f41f517ef59c6ae5867bd0f3e16604be4a962caaa406fde1483f3537b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD5ac2f2e7886d4dc6e9e816e62669db0ec
SHA1da605af109d062ea62f9985918a66d8ae03f7560
SHA2563d9d5923e429f3af8fb8ba20ba13d2145a9dfbd9746954b3b4f1b2b712eef6e0
SHA51258d6d1962a5242164bec7f9d3e2614dedd267b5e10faacd4199415ce615476a6ddaaf4ad89efff028ce080b968d8500b51ea42ad26c1975a6fc1f0264eb2d2db
-
Filesize
12.9MB
MD5704d12a2e64a9b3ebe375594a11f3ee6
SHA1e6e45cd1926de46bfa0832de19ddeb29c8c0f629
SHA256b5975c9eb7e34161ae63eab8518b130d4fdcc1526ca512d2e5452c6d701fe912
SHA512b72689628014a48976672427d0470d8e024dac4d3b266bc9398a8dadd72f1b4d4dc1a4429847a45956ae604cf072cf5419cf3036a4e6d5373517db38a9d3ffb4
-
Filesize
3.0MB
MD5bd02fbc4f962284aa8c9b6f50781ea8a
SHA1105abaa0a053bf102dfbc24dd2d93ef7173d46dd
SHA2562e82cdc1ce6a5b075cf2f50c00b4fdb458daa0351502ef654c3d6bf868b51504
SHA512ca060eb94ef596bc235f3c9bd9e1bfd412a6cdcc8c9f3ed69a2359e9d5059ef7cdb19df11337e791e0a04059b95f5b1f6dc2c133cb521cb30e7e8e9112dc25ef
-
Filesize
2.0MB
MD50625bfb508155bf72c447f0819c545a5
SHA1fb030eced8eb89cb25dbb78712cf38476bb959a0
SHA25642321395d0e8e8706391651a061c178878218698ebc6c1a6e2aaaa0d38c23b2b
SHA512b19347b046267d036c735bb4c60d66611caab634c878f8d6b104738dcd617d22de377f87cd35a1b2a25be42e30a8ba25cbee4b6293d5d048a0291815c7ba7c05
-
Filesize
898KB
MD59bdca68b008c8506e9070aa48676d172
SHA168852a9063ed26d8a19e22d68042585df7b0858b
SHA256a1fef53b423845e83b565d6f2990d458dbceeeab88c083e1078c01ef469335a2
SHA5123d7135f3a3a7ce6c31eddc0b2c89ca9fc2734e7855e8728d8602ac63ef6bfbcdc0489984e940551215eeb6537a04b434ed23c26bc09afcab6d1db614c4b4f835
-
Filesize
2.6MB
MD56d60ee79cbe29830a8f4c2f7541d3e6c
SHA147e98d4e24a51a9ff43b306b34b2f943ff2a4c25
SHA256a9cc4f8bc22bf66ecb50dabe3cfa108728c53b8dda35878ecb98d547454c180a
SHA5123ce4021601ee733110ae1b8c3970ec2355c4b99f004e506c79980a26ffb0d4b20dd10266c306e1033deec5278e8a11f7f38651a98529cd85a24a0919e449341c
-
Filesize
3.1MB
MD580780678447355a2bc3157723d80033b
SHA13ca0030f2582c21959f2b5d25cf57a926a4314a1
SHA256def526b2c332d0019092a86b5686c4ed246779cd8e3235aef94c4901dfc7d361
SHA51290fade4ec430ffd1f165d6cbef9ae8d4d9f93f17200c0907f85e5c653484d72e0c7471a32bd42544dff4350e96a4c16521c87e5779b8b068f9f8c85a662ee546
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
Filesize13KB
MD542e739c9d5f2b184b92d67be28389c5f
SHA18e0ba7da34d58a0671dffd0cff3080c80eb1fdd3
SHA25689e68374dcbce5735f64bb059ce3d02b8f5a46ca360f094daa31ccdde235da71
SHA512579a6bd904a3f857d74023a41f85449f180362601a924f20e1a0ebdb52f4b212a253a722024e551d353e0d9c65307240033d75ae4cdb82fe8bf85b91c298a813
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5095acc819f745844f86fb189533b3205
SHA11ff8a162ff74775c78fea0134614c366a326c109
SHA25639ac146e2aae4b93f42b07983ab7c02740ef96a86387fd96c1d14b04eb326b1c
SHA5122a26c1cf2cf466f64e995988383a5a931c55a54031117ec4e383663f5b687d7d50dbee7e5d8f21b2222f9fb51031294a33cd3bd6d3f7f18b80238ca5b31045a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize14KB
MD5b6e83f8eaaa9792903468429f8375f88
SHA1c2848cd1144787bcf8663ee0beaa4b6bf4e2b083
SHA2568a1bfa49a7579df08a8ebf532663f8bd81aa10e850d3a02940e57d745d4c88a8
SHA512d6ca8a41db3e65f3b0a25b94d593e1af39974f63d18534a6203e4dacca8f3603ac3b7ae10199ab8bc75f4a80ea27f2862d4ec8708508cb68f74d72c917046b68
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD53099beeee8e04d8ff4245fd9a7a57f56
SHA1416c1bef163af1a4da517595d7db2a0bd408f660
SHA2565a8f752157bf559b71c80cef6cafc4ab4e4c4b0da478ed996ded711e7d4d98a1
SHA5121e7933f3445fabe60fd3064280500def84dac38b8a26887ece5461f3a8c4027f5874120d1b375bfde1d273f9f5af657fc33463cb2ff62c8b8f5cde2bb54689f4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD5359e75bd7109a922d68226ddcb82d201
SHA1a506a152d7cd50e9931f4ae3c8a22112225e9186
SHA2561a741e0ea1d16c7993e0596bc58d009352b682090c9e288df307456656e78aab
SHA512420d6196c167f5a90bea03f3fa17bafc73476859abd260be8f126d3d1bfe53e005e1cd90edf695f90702376a51e18a057ed8641eec17f9eccba94c85a7acb799
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\221bdb24-3503-4d36-83e3-11fad2b5b06a
Filesize27KB
MD516a5d67f942e65f3d3abcde53228f377
SHA1e9afef1c89bb631722126ec5f29087c7d6584f31
SHA256c0f5ea8148f75291e78b104facc4d19302ddc63e945999ac5f7dc228f277b749
SHA5122ef9c2d44770c269e69cddc960b6b5bfdbb84cb74ff854ebbce09502de6b0509690fd69a9dd4ee3d1f8c4f32ce53c0f7b56744a0717fd7135b03740b2ee1f285
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\7e446752-8f0c-40ae-addb-23d72a008b2f
Filesize982B
MD565808c28a2392bd5d393f3d9ee37b5ae
SHA1de61513078201bc13823d86b5a9b82b5e4031cda
SHA25638ddc161d9f877bd670e2a27fcbc80baf885ae122341c9e9932e2c138c89f0aa
SHA5125357d2f1eb0224f4cef9560c42b2d82e014722a52b33b7d922ffb5776d0c003676a48f31668a4917325cbba545c00ea2b338848b0123d40448ea40c97ef54958
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\d68975ee-64fc-4b70-b23f-cf94528c6425
Filesize671B
MD5ef98afe323b103fbebf4b8cb57c962ea
SHA11bf998379ee12f85dfd7157f9064091c31d07434
SHA256324056a4b4090ea0976d3f6c5d3eec4176e687b89bdcddd19724288f3987308a
SHA5120d26a2f8402b0109496390778cab6c1ece2d0ae0d6ab263165322e8182e70999c29e9be708ce0745723ab701809d82c5c23684d43ddc35c061a8331dfd6e4765
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD525b4f92d5594f562058743204d6225c3
SHA18da92f1efb95d865192132b51714e2c988c9a9df
SHA256ed2f0bb36f19a26bbdc878c840421e7a16c38636f3f1127bf47aa239690e4e0c
SHA51292739a93dca04713b9e2f7e3d3cd136ad32b2b6c0bf9b20aa2e5f7f9a84418705a8dda28a54d05349d81cc6666a5512df3c18dc97bf03bb203ed93eb2b601198
-
Filesize
12KB
MD5590cafe56d185dc8e46976addad7e465
SHA1bd14621c4a400d2442b039cbddd147d78c58c604
SHA25608ba1fb15c276b947a170672851182d58eaa37268b4d96464ec9c92a9f792c10
SHA5121a9305cb06bc2f4b19c4dc9b43211b2653b832d4250a6061cdd4910dcbf6144dc24d352e81db93492d68e44f85cc6afb742062881011570fc205cc87582fcfbe
-
Filesize
15KB
MD5192e9fabc9d652b590f05f6f84d721ff
SHA118b38f00c16e3d39ecb0d79ae0110ef58fa93749
SHA2565db2e0713c8d104453fd94002a8731ec43d384c52e5dbc0d084d03f7563f70ac
SHA5127d4201f30b25ea1815468274d7d39debce6cb12313bdd5f2a33181124ab3dfc3d0ae17c13d93ea64ddc666369e257b1b7e07c7b0df76aba9c0d8d0a8677ccae0
-
Filesize
10KB
MD5803b20700f0afd0bfffc194166817609
SHA11744a4ed7d3ddfb4d84f887a5024de14d7f18fd2
SHA2567968010fa9dca951b59527afea08044c66476393111af0948050bb9a2fefb185
SHA512ad040635dc824788e878909b332cb67bb62855e5162ffe8c568467c3c468d1e845de1f064a692c43e4fef2a92cabde11c6661a0dfc1d8aaca25fdd708937fba4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize584KB
MD5c37ea4d2891c38fb503c2dd69de9c04f
SHA1018dd13bfacf0c3c049e4bb51611bd85ea4eccc4
SHA2562c9ad1f3e7f2c8f95654da10b42a98caa5ceff6aecc6776800d6e44514c03ff3
SHA512bce0106caa0312e515ee7bb9eba3381489ebded92e2e70cf5aa276a8b437a35970b6f21caa4ead251ba7870a9182b3cbbb0daf197b053047c0d219852a756c78
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.8MB
MD569366f520454062151924146ab8a1385
SHA1f7841fed9892fbfa2d4fc3a9a2968f513cf7f5e4
SHA2568854b6f4614e39eeeba67fc71d0f27ecc9d848e4a8c80e92862823b90b4308ec
SHA512d2d7599eea5ef6f2207b9e72c43ed3497911977ae2e135a208de5fe9d042e1ed3cb9bb9ecc2fa63acb758fee51bbccfb97fe2df8b794c3939180ba5c66580110