Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-11-2024 09:27
Static task: static1
Behavioral task: behavioral1
Sample: 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe
Resource: win10v2004-20241007-en
General
Target: 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe
Size: 4.0MB
MD5: 8155645093aca3a65f993e3ce4dd2d21
SHA1: 3f8b75087dde61dfd5938dd6b68eb716ec881016
SHA256: 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0
SHA512: 922094282390b49ece18c62ff0e846a62e8fcea6c38824e6a0d7fece7f51743b86cd76ef088f6fc7097e2f98c46000719502280739cf83b121c6653e0a457444
SSDEEP: 98304:lu28+w6W+u+bw3XM8VxuC1T7uqa69AHt+v7ToVBJm9krklgpjmaL/7:Ar+Nw3Xb/T7ta69AEvgVBJLkupjR
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Signatures
Amadey family
Modifies Windows Defender Real-time Protection settings
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (4c4b265ae0.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (4c4b265ae0.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (4c4b265ae0.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (4c4b265ae0.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (4c4b265ae0.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (4c4b265ae0.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by:
- skotes.exe
- 1A07n7.exe
- skotes.exe
- 2l6580.exe
- 7d3c54ec67.exe
- 4c4b265ae0.exe
- skotes.exe
- skotes.exe
Downloads MZ/PE file
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
Processes:
- PID 5888 msedge.exe
- PID 5204 msedge.exe
- PID 5176 msedge.exe
- PID 1048 chrome.exe
- PID 1756 chrome.exe
- PID 2084 chrome.exe
- PID 4292 chrome.exe
- PID 2956 chrome.exe
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (2l6580.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (7d3c54ec67.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (2l6580.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (4c4b265ae0.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (1A07n7.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (skotes.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (1A07n7.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (7d3c54ec67.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (4c4b265ae0.exe)
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (1A07n7.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (skotes.exe)
Executes dropped EXE 10 IoCs
Processes:
- PID 2896 s7E64.exe
- PID 1432 1A07n7.exe
- PID 3048 skotes.exe
- PID 4696 2l6580.exe
- PID 4012 7d3c54ec67.exe
- PID 5700 4c4b265ae0.exe
- PID 4060 3f12c.exe
- PID 5764 skotes.exe
- PID 5996 skotes.exe
- PID 6936 skotes.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine by:
- 1A07n7.exe
- skotes.exe
- 2l6580.exe
- 7d3c54ec67.exe
- 4c4b265ae0.exe
- skotes.exe
- skotes.exe
- skotes.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features (4c4b265ae0.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (4c4b265ae0.exe)
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (s7E64.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d3c54ec67.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005722001\\7d3c54ec67.exe" (skotes.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c4b265ae0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005724001\\4c4b265ae0.exe" (skotes.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- Resource behavioral1/files/0x0007000000023c97-624.dat matched YARA rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
- PID 1432 1A07n7.exe
- PID 3048 skotes.exe
- PID 4696 2l6580.exe
- PID 4012 7d3c54ec67.exe
- PID 5700 4c4b265ae0.exe
- PID 5764 skotes.exe
- PID 5996 skotes.exe
- PID 6936 skotes.exe
Drops file in Windows directory 1 IoCs
Processes:
- File created C:\Windows\Tasks\skotes.job (1A07n7.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
- PID 1668 WerFault.exe, target PID 4696 (procid_target 93)
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- 1A07n7.exe
- skotes.exe
- 2l6580.exe
- 7d3c54ec67.exe
- 4c4b265ae0.exe
- taskkill.exe
- taskkill.exe
- taskkill.exe
- 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe
- s7E64.exe
- 3f12c.exe
- taskkill.exe
- taskkill.exe
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2l6580.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (2l6580.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Enumerates system info in registry 2 TTPs 8 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Kills process with taskkill 5 IoCs
Processes:
- PID 4348 taskkill.exe
- PID 2692 taskkill.exe
- PID 3228 taskkill.exe
- PID 5316 taskkill.exe
- PID 4824 taskkill.exe
Modifies data under HKEY_USERS 2 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
- Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133758772603968657" (chrome.exe)
Modifies registry class 1 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings (firefox.exe)
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
1A07n7.exeskotes.exe2l6580.exechrome.exe7d3c54ec67.exe4c4b265ae0.exemsedge.exemsedge.exemsedge.exe3f12c.exeskotes.exeskotes.exeskotes.exepid Process 1432 1A07n7.exe 1432 1A07n7.exe 3048 skotes.exe 3048 skotes.exe 4696 2l6580.exe 4696 2l6580.exe 4696 2l6580.exe 4696 2l6580.exe 4696 2l6580.exe 4696 2l6580.exe 1048 chrome.exe 1048 chrome.exe 4012 7d3c54ec67.exe 4012 7d3c54ec67.exe 4696 2l6580.exe 4696 2l6580.exe 5700 4c4b265ae0.exe 5700 4c4b265ae0.exe 4696 2l6580.exe 4696 2l6580.exe 6124 msedge.exe 6124 msedge.exe 5888 msedge.exe 5888 msedge.exe 5908 msedge.exe 5908 msedge.exe 5908 msedge.exe 5908 msedge.exe 5700 4c4b265ae0.exe 5700 4c4b265ae0.exe 5700 4c4b265ae0.exe 5908 msedge.exe 5908 msedge.exe 5908 msedge.exe 5908 msedge.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 5764 skotes.exe 5764 skotes.exe 5996 skotes.exe 5996 skotes.exe 6936 skotes.exe 6936 skotes.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
- PID 1048 chrome.exe (4 entries)
- PID 5888 msedge.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
- Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating, PID 1048 chrome.exe (7 pairs, 14 entries)
- Token: SeDebugPrivilege, PID 5700 4c4b265ae0.exe
- Token: SeDebugPrivilege, PID 2692 taskkill.exe
- Token: SeDebugPrivilege, PID 3228 taskkill.exe
- Token: SeDebugPrivilege, PID 5316 taskkill.exe
- Token: SeDebugPrivilege, PID 4824 taskkill.exe
- Token: SeDebugPrivilege, PID 4348 taskkill.exe
- Token: SeDebugPrivilege, PID 6096 firefox.exe (5 entries)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
1A07n7.exechrome.exemsedge.exe3f12c.exefirefox.exepid Process 1432 1A07n7.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 1048 chrome.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 5888 msedge.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 4060 3f12c.exe 6096 firefox.exe 6096 firefox.exe 6096 firefox.exe 6096 firefox.exe 6096 firefox.exe -
Suspicious use of SendNotifyMessage 30 IoCs
Processes:
- PID 4060 3f12c.exe (7 entries)
- PID 6096 firefox.exe (20 entries)
- PID 4060 3f12c.exe (3 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 6096 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exes7E64.exe1A07n7.exe2l6580.exechrome.exedescription pid Process procid_target PID 4216 wrote to memory of 2896 4216 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe 88 PID 4216 wrote to memory of 2896 4216 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe 88 PID 4216 wrote to memory of 2896 4216 08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe 88 PID 2896 wrote to memory of 1432 2896 s7E64.exe 90 PID 2896 wrote to memory of 1432 2896 s7E64.exe 90 PID 2896 wrote to memory of 1432 2896 s7E64.exe 90 PID 1432 wrote to memory of 3048 1432 1A07n7.exe 92 PID 1432 wrote to memory of 3048 1432 1A07n7.exe 92 PID 1432 wrote to memory of 3048 1432 1A07n7.exe 92 PID 2896 wrote to memory of 4696 2896 s7E64.exe 93 PID 2896 wrote to memory of 4696 2896 s7E64.exe 93 PID 2896 wrote to memory of 4696 2896 s7E64.exe 93 PID 4696 wrote to memory of 1048 4696 2l6580.exe 97 PID 4696 wrote to memory of 1048 4696 2l6580.exe 97 PID 1048 wrote to memory of 3128 1048 chrome.exe 98 PID 1048 wrote to memory of 3128 1048 chrome.exe 98 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 
1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4348 1048 chrome.exe 102 PID 1048 wrote to memory of 4220 1048 chrome.exe 103 PID 1048 wrote to memory of 4220 1048 chrome.exe 103 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 PID 1048 wrote to memory of 4980 1048 chrome.exe 104 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\08292e2c4cb1752322363bc282e6dc09b1bdf16258e53e55f1a2618952859fd0.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4216
Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7E64.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s7E64.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2896
Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A07n7.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A07n7.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1432
Depth 4: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 3048
Depth 5: C:\Users\Admin\AppData\Local\Temp\1005722001\7d3c54ec67.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1005722001\7d3c54ec67.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4012
Depth 5: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
PID: 4688
Depth 5: C:\Users\Admin\AppData\Local\Temp\1005724001\4c4b265ae0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1005724001\4c4b265ae0.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5700
Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2l6580.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2l6580.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4696
Depth 4: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1048
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ffba10acc40,0x7ffba10acc4c,0x7ffba10acc58
PID: 3128
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
PID: 4348
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2192,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:3
PID: 4220
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
PID: 4980
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
- Uses browser remote debugging
PID: 1756
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:1
- Uses browser remote debugging
PID: 2084
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3440,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
- Uses browser remote debugging
PID: 4292
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:8
PID: 4016
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
PID: 2264
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
PID: 2992
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3660,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
PID: 2268
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
PID: 1324
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
PID: 4016
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:8
PID: 816
Depth 5: C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5080 /prefetch:8
PID: 4268
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5364,i,9433722418918639173,13686968243947476584,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:25⤵
- Uses browser remote debugging
PID:2956
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5888 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffba10b46f8,0x7ffba10b4708,0x7ffba10b47185⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:25⤵PID:6116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:6124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2524 /prefetch:25⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:85⤵PID:2800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 /prefetch:25⤵PID:212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3120 /prefetch:25⤵PID:5160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2412 /prefetch:15⤵
- Uses browser remote debugging
PID:5176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:15⤵
- Uses browser remote debugging
PID:5204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3380 /prefetch:25⤵PID:5212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3384 /prefetch:25⤵PID:5228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3084 /prefetch:25⤵PID:5256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3380 /prefetch:25⤵PID:4016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8609001070476046447,15663362861276881758,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3084 /prefetch:25⤵PID:1844
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 21084⤵
- Program crash
PID:1668
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f12c.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f12c.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4060 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5316
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking3⤵PID:5980
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking4⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6096 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2076 -parentBuildID 20240401114208 -prefsHandle 2000 -prefMapHandle 1992 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {256956b5-d3d8-473f-baa0-34d966556a8f} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" gpu5⤵PID:5272
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61755923-3a3a-4920-a86e-3fea51b494ae} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" socket5⤵PID:5392
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3236 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4decb102-f9be-42e0-acbd-15c96f8d23a4} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" tab5⤵PID:404
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60f9b586-4112-4016-87e5-2f400e6670b0} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" tab5⤵PID:2060
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4224 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4176 -prefMapHandle 4056 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6372e4c3-71c1-488c-9eae-589282c9244b} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" utility5⤵
- Checks processor information in registry
PID:6540
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 3 -isForBrowser -prefsHandle 5660 -prefMapHandle 5656 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f39626d0-5daa-4e3b-976a-dcb45d61cbc1} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" tab5⤵PID:5504
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c812b9c-9d7d-4c05-9eec-c921caa0390e} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" tab5⤵PID:3396
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5972 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5980 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18e3ed85-04d4-4f65-9a36-fc816430a090} 6096 "\\.\pipe\gecko-crash-server-pipe.6096" tab5⤵PID:5456
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4696 -ip 46961⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5764
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5996
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6936
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Modify Authentication Process (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize
15KB
MD507e6ab33e6fd0c8be9aba9ae23645312
SHA14187fd919c775254af5fc1b7c4ea1bb43c94c459
SHA2560116c68fc272423198c085c3d563cce0668243cc1ff39954ef2910ebd0cc7042
SHA5129e163eac729def730370cc6d581a0073b5f13945eca5118beb3528a23965c736813042c47ce1aee1f4e6779af66c547c2ed83a589f35f5dadb87bc1e5df1919c
-
Filesize
11KB
MD57dd38f4d8f1b870e9d45e18cf177bdda
SHA17f6796e697154dd2e3458165e20932e65623892d
SHA256883e36eff9aaa6b989f157710f6594d55cc560e6c526cc2564a49f56297f2d97
SHA51246a3b0046fdb749987561caec3d72082b0b32add7a8c4962bc9ebbe38c1356d16fe396e07e2527c7c2773f5b933bb2a43e7d66c984ec75a1455f05d514a3be7f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.8MB
MD5922252f6459f1da2844c5cdedd5e8f1c
SHA1f4b5822ad80221fc52a771851bae41ef8af1aa9a
SHA256a6150a31a322fed15c49769c6b4a44bc6aaf750c1d097d248b2e0d56d6886e50
SHA5126ea069d54f3c38a93873358950936f33e488cf4c0cc78944ec257d1a13ff0c524bfcd0b3f866a527bd1e90ff122395a26d3f8f2906a8695298bf9fe52ed9889a
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e