Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-11-2024 11:34
Static task
static1
Behavioral task
behavioral1
Sample
17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe
Resource
win10v2004-20241007-en
General
-
Target
17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe
-
Size
5.6MB
-
MD5
d4ef93e944c530e8d69f292737094cc6
-
SHA1
509614716a18e53f58005050241e8b519a99af70
-
SHA256
17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61
-
SHA512
d59b8783165404cb396545ac3e89f56e1006e2ff47e9b701e6c761a60cade390200555babefe967d1fb1f793ea24361f780427dc52841061660dd6ea9ba2c583
-
SSDEEP
98304:LYIdc7r0Uwn54Qo6ALgkVX6cslvv77R3jytRh2eKU//:LYIdc7r0UG5boKk96cGJ3GnNKU//
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey family
-
Processes:
c24f4c8e3f.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection c24f4c8e3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c24f4c8e3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" c24f4c8e3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c24f4c8e3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" c24f4c8e3f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c24f4c8e3f.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
Processes:
skotes.exe3j76M.exe258070e13b.exe769e22a2ae.exeskotes.exe1n77k6.exec24f4c8e3f.exeskotes.exe2g6291.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3j76M.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 258070e13b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 769e22a2ae.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1n77k6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c24f4c8e3f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2g6291.exe -
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 8 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
Processes:
msedge.exechrome.exechrome.exechrome.exechrome.exechrome.exemsedge.exemsedge.exepid Process 5588 msedge.exe 4480 chrome.exe 1524 chrome.exe 1884 chrome.exe 5048 chrome.exe 5628 chrome.exe 5252 msedge.exe 1720 msedge.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
skotes.exe769e22a2ae.exec24f4c8e3f.exe258070e13b.exeskotes.exe2g6291.exe3j76M.exeskotes.exe1n77k6.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 769e22a2ae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c24f4c8e3f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 258070e13b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 769e22a2ae.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2g6291.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3j76M.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3j76M.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c24f4c8e3f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1n77k6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 258070e13b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1n77k6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2g6291.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1n77k6.exeskotes.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 1n77k6.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 12 IoCs
Processes:
N4V78.exek3g26.exe1n77k6.exeskotes.exe2g6291.exe3j76M.exe258070e13b.exe769e22a2ae.exec24f4c8e3f.exe4v243K.exeskotes.exeskotes.exepid Process 1360 N4V78.exe 3636 k3g26.exe 2468 1n77k6.exe 3176 skotes.exe 3144 2g6291.exe 3572 3j76M.exe 4596 258070e13b.exe 4876 769e22a2ae.exe 5308 c24f4c8e3f.exe 872 4v243K.exe 2760 skotes.exe 6912 skotes.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
skotes.exe2g6291.exe3j76M.exe258070e13b.exec24f4c8e3f.exeskotes.exeskotes.exe1n77k6.exe769e22a2ae.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 2g6291.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 3j76M.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 258070e13b.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine c24f4c8e3f.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 1n77k6.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine 769e22a2ae.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
c24f4c8e3f.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" c24f4c8e3f.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features c24f4c8e3f.exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exeN4V78.exek3g26.exeskotes.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" N4V78.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" k3g26.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\258070e13b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006190001\\258070e13b.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\769e22a2ae.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006191001\\769e22a2ae.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c24f4c8e3f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006193001\\c24f4c8e3f.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/files/0x0007000000023ca1-640.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
1n77k6.exeskotes.exe2g6291.exe3j76M.exe258070e13b.exe769e22a2ae.exec24f4c8e3f.exeskotes.exeskotes.exepid Process 2468 1n77k6.exe 3176 skotes.exe 3144 2g6291.exe 3572 3j76M.exe 4596 258070e13b.exe 4876 769e22a2ae.exe 5308 c24f4c8e3f.exe 2760 skotes.exe 6912 skotes.exe -
Drops file in Windows directory 1 IoCs
Processes:
1n77k6.exedescription ioc Process File created C:\Windows\Tasks\skotes.job 1n77k6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2380 3572 WerFault.exe 98 -
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
769e22a2ae.exetaskkill.exe17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exeskotes.exe2g6291.exe3j76M.exek3g26.exe1n77k6.exetaskkill.exetaskkill.exeN4V78.exe258070e13b.exe4v243K.exetaskkill.exec24f4c8e3f.exetaskkill.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 769e22a2ae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2g6291.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3j76M.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k3g26.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1n77k6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N4V78.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 258070e13b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4v243K.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c24f4c8e3f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks processor information in registry 2 TTPs 13 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
msedge.exefirefox.exe3j76M.exefirefox.exedescription ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3j76M.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3j76M.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe -
Enumerates system info in registry 2 TTPs 8 IoCs
Processes:
msedge.exechrome.exemsedge.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid Process 6004 taskkill.exe 5628 taskkill.exe 5316 taskkill.exe 5392 taskkill.exe 1688 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc Process Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133760576775536220" chrome.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
1n77k6.exeskotes.exe2g6291.exe3j76M.exe258070e13b.exechrome.exe769e22a2ae.exec24f4c8e3f.exemsedge.exemsedge.exemsedge.exe4v243K.exeskotes.exeskotes.exepid Process 2468 1n77k6.exe 2468 1n77k6.exe 3176 skotes.exe 3176 skotes.exe 3144 2g6291.exe 3144 2g6291.exe 3572 3j76M.exe 3572 3j76M.exe 3572 3j76M.exe 3572 3j76M.exe 4596 258070e13b.exe 4596 258070e13b.exe 3572 3j76M.exe 3572 3j76M.exe 4480 chrome.exe 4480 chrome.exe 4876 769e22a2ae.exe 4876 769e22a2ae.exe 3572 3j76M.exe 3572 3j76M.exe 3572 3j76M.exe 3572 3j76M.exe 5308 c24f4c8e3f.exe 5308 c24f4c8e3f.exe 5396 msedge.exe 5396 msedge.exe 5252 msedge.exe 5252 msedge.exe 5236 msedge.exe 5236 msedge.exe 5236 msedge.exe 5236 msedge.exe 5308 c24f4c8e3f.exe 5308 c24f4c8e3f.exe 5308 c24f4c8e3f.exe 5236 msedge.exe 5236 msedge.exe 5236 msedge.exe 5236 msedge.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 2760 skotes.exe 2760 skotes.exe 6912 skotes.exe 6912 skotes.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
chrome.exemsedge.exepid Process 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 5252 msedge.exe 5252 msedge.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
chrome.exec24f4c8e3f.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exedescription pid Process Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeShutdownPrivilege 4480 chrome.exe Token: SeCreatePagefilePrivilege 4480 chrome.exe Token: SeDebugPrivilege 5308 c24f4c8e3f.exe Token: SeDebugPrivilege 1688 taskkill.exe Token: SeDebugPrivilege 6004 taskkill.exe Token: SeDebugPrivilege 5628 taskkill.exe Token: SeDebugPrivilege 5316 taskkill.exe Token: SeDebugPrivilege 5392 taskkill.exe Token: SeDebugPrivilege 5612 firefox.exe Token: SeDebugPrivilege 5612 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
1n77k6.exechrome.exemsedge.exe4v243K.exefirefox.exepid Process 2468 1n77k6.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 4480 chrome.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 5252 msedge.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe -
Suspicious use of SendNotifyMessage 31 IoCs
Processes:
4v243K.exefirefox.exepid Process 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 5612 firefox.exe 872 4v243K.exe 872 4v243K.exe 872 4v243K.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
firefox.exepid Process 5612 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exeN4V78.exek3g26.exe1n77k6.exeskotes.exe3j76M.exechrome.exedescription pid Process procid_target PID 740 wrote to memory of 1360 740 17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe 84 PID 740 wrote to memory of 1360 740 17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe 84 PID 740 wrote to memory of 1360 740 17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe 84 PID 1360 wrote to memory of 3636 1360 N4V78.exe 87 PID 1360 wrote to memory of 3636 1360 N4V78.exe 87 PID 1360 wrote to memory of 3636 1360 N4V78.exe 87 PID 3636 wrote to memory of 2468 3636 k3g26.exe 88 PID 3636 wrote to memory of 2468 3636 k3g26.exe 88 PID 3636 wrote to memory of 2468 3636 k3g26.exe 88 PID 2468 wrote to memory of 3176 2468 1n77k6.exe 89 PID 2468 wrote to memory of 3176 2468 1n77k6.exe 89 PID 2468 wrote to memory of 3176 2468 1n77k6.exe 89 PID 3636 wrote to memory of 3144 3636 k3g26.exe 90 PID 3636 wrote to memory of 3144 3636 k3g26.exe 90 PID 3636 wrote to memory of 3144 3636 k3g26.exe 90 PID 1360 wrote to memory of 3572 1360 N4V78.exe 98 PID 1360 wrote to memory of 3572 1360 N4V78.exe 98 PID 1360 wrote to memory of 3572 1360 N4V78.exe 98 PID 3176 wrote to memory of 4596 3176 skotes.exe 99 PID 3176 wrote to memory of 4596 3176 skotes.exe 99 PID 3176 wrote to memory of 4596 3176 skotes.exe 99 PID 3572 wrote to memory of 4480 3572 3j76M.exe 105 PID 3572 wrote to memory of 4480 3572 3j76M.exe 105 PID 4480 wrote to memory of 1124 4480 chrome.exe 106 PID 4480 wrote to memory of 1124 4480 chrome.exe 106 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 2324 4480 chrome.exe 107 PID 4480 wrote to memory of 5004 4480 chrome.exe 108 PID 4480 wrote to memory of 5004 4480 chrome.exe 108 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 PID 4480 wrote to memory of 4788 4480 chrome.exe 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe"C:\Users\Admin\AppData\Local\Temp\17b6d8cdf254e7845f31c17194d90b9a5e26f3627242913d88daf1df15281f61.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N4V78.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N4V78.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3g26.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3g26.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1n77k6.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1n77k6.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Users\Admin\AppData\Local\Temp\1006190001\258070e13b.exe"C:\Users\Admin\AppData\Local\Temp\1006190001\258070e13b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4596
-
-
C:\Users\Admin\AppData\Local\Temp\1006191001\769e22a2ae.exe"C:\Users\Admin\AppData\Local\Temp\1006191001\769e22a2ae.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4876
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"6⤵PID:624
-
-
C:\Users\Admin\AppData\Local\Temp\1006193001\c24f4c8e3f.exe"C:\Users\Admin\AppData\Local\Temp\1006193001\c24f4c8e3f.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5308
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2g6291.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2g6291.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3144
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3j76M.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3j76M.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe76a1cc40,0x7ffe76a1cc4c,0x7ffe76a1cc585⤵PID:1124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:25⤵PID:2324
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:35⤵PID:5004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:85⤵PID:4788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:15⤵
- Uses browser remote debugging
PID:1524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:15⤵
- Uses browser remote debugging
PID:1884
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4552,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:15⤵
- Uses browser remote debugging
PID:5048
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:85⤵PID:1408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:85⤵PID:5064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:85⤵PID:2724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:85⤵PID:4628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:85⤵PID:4044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5284,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:85⤵PID:1464
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5212,i,977219527170040658,8934659639194053045,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4240 /prefetch:25⤵
- Uses browser remote debugging
PID:5628
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5252 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe76a246f8,0x7ffe76a24708,0x7ffe76a247185⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:25⤵PID:5388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2552 /prefetch:25⤵PID:5416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:85⤵PID:5428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:15⤵
- Uses browser remote debugging
PID:5588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:15⤵
- Uses browser remote debugging
PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2740 /prefetch:25⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2736 /prefetch:25⤵PID:5608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2720 /prefetch:25⤵PID:5700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2712 /prefetch:25⤵PID:5796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3644 /prefetch:25⤵PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3900 /prefetch:25⤵PID:5896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13634677347591991804,8379225869168192889,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=3688 /prefetch:25⤵PID:5908
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 21284⤵
- Program crash
PID:2380
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4v243K.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4v243K.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:872 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6004
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5628
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5316
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5392
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking3⤵PID:5604
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking4⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5612 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d3ad5fc-e713-4a94-8e35-9ac24a204e77} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" gpu5⤵PID:5992
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2492 -prefMapHandle 2488 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6b7eeff-f7b0-4fe2-961e-fb69ff73f41d} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" socket5⤵PID:3272
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3136 -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 2820 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e0ba81-1943-436c-9a84-a72a5fb11263} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" tab5⤵PID:1704
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 3936 -prefMapHandle 3368 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2fc029d-e07c-4eb8-9448-b6d4a09c2217} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" tab5⤵PID:3636
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4708 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4732 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cbe4a4c-e85f-4495-95bf-97b8bb1f9eb4} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" utility5⤵
- Checks processor information in registry
PID:5312
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 3 -isForBrowser -prefsHandle 5576 -prefMapHandle 5440 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7f0b4b8-af6b-427f-bc86-e1968d8abb34} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" tab5⤵PID:512
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 4 -isForBrowser -prefsHandle 5768 -prefMapHandle 5776 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b63413b3-cb1b-44bd-b412-b658fced59a6} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" tab5⤵PID:2380
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5956 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b680f6e0-85af-458f-a93a-1b7842d5566a} 5612 "\\.\pipe\gecko-crash-server-pipe.5612" tab5⤵PID:4556
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3256
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3572 -ip 35721⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2760
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:6912
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649B
MD502be62521786ffe6625410e8ffe18a36
SHA1b27940b52d05100d873e542d8a00ded4c200ee4a
SHA25639196d5247259a7d0d78dd2dc3910b76d14af1091b27053d22a3c91110e61843
SHA5125cfdd787bbfe8aa48e29850f6971e6e04435832d0874fdbeb45f16df5c798b3401e1d95530e509d9f6235977c0fc419d1fd81954805ce1b4c8060e5d7a7fa2a5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\17b6d033-d915-47ed-a213-1a8e8cb4acab.dmp
Filesize10.5MB
MD5f0b1a66618abfb7056d9e535276af8f0
SHA12be8910d6bc46b8aa2efbfb25cc9f1f480651b9c
SHA256fe5d0e6f474dcd7f18dd0d2e61be4d71f288f3e80fa30c48a1ddeaddcb072370
SHA512196b8bf0dc3476042c2137c9177a6459208580989c1aa5514c208c44bc5f0b2d591376c157c04be3b122e60bdedbd016d974f9776b69068b8ed33da81be4a24a
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53584702-e1f6-4e6f-a369-f71c95d2b39d.tmp
Filesize1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
5KB
MD5ae23b4add607f2f8bb2ac2e56ef28ea8
SHA1b35adfd05d60680f32a74d1c40be3890e913bd0d
SHA256b34c50ed4c569f240ea1054b386e4c3808343fa532f48e38788a8aafd3a0041a
SHA512363b5f6a2a6a8dd65f661c85a4964d3ce7d700b7ac6e8b9c97d7e5db6e00864a8bdbf58cf2a77e74f723b6b7b03691163bf15f4d7834ec817197916719e999fa
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json
Filesize19KB
MD5c3a92b87bd466d5ae660d5bf67e4a42a
SHA1e98b7058940b267a4a4ccd805239e97fe50c8349
SHA256375ec9beeacac7709a297162decbd3a810ed812440d4370c8d696aec5699b6b1
SHA51243ba510150fd20289ff7ea1f464eac8d589fc612d65d10c442bf2097aa9158ad278f020f72154cda786367ae40d827db5fbb853c9599bb65b99303847b059bb1
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
Filesize13KB
MD5c17c445678b7e2faf3500d5819d71bef
SHA12cbc81da4bef72a80a9728565a527c314b37cc4a
SHA256f303331192ecdd2a746977a3fd756006b80ed2e0f5a6161a612e92fa52a7e685
SHA5124b0814a9f7dee9e0069541c387dbcc4b5567d471a1b5c6b0d8f44603b66c7ab89e769dbd29e1e444632b0e629efbea3265ae3727301fd194f1f3e95801203ccd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\cache2\entries\D500AD994A7515157BB2A6ADD5B18B754E4D2F99
Filesize13KB
MD5cec3674ded3faf53981a5ec2a29370d7
SHA1fdc791c337a90abb0d755d12c482099f431410db
SHA256febf5b4be13bf11d8be4c5b51bd4cb781974111f1fc2bbd4a2393ab0230f8c6f
SHA512c67c04b562ed3a8c683a137a9b2dd93b2215cca7853d28aaeaabedbfc97518c3f2a525ce5fec352a325476bde85e3b0c17f4a274ac57ef1d1f789d45fb685b67
-
Filesize
2.7MB
MD5b646c5d23ea73f1d1b0fe3c7a69cef1a
SHA19f502ea22e3de7068720e9a89b925ab224703e61
SHA256b369b5525a2e5526fe4ac8da877d14dc9ea4a7cf34ca813047e1fef42edfe76a
SHA5128976315d0da5bc49d907548a45d7301bce3298d42e98a77627dac3daa6c9fbc6e0ad6398c90b93fc17f81ef87d6d308a952209cc445ec3b828ffed8b789a2fd1
-
Filesize
898KB
MD5de5445b08c1327a15ca42bbe5c9c3095
SHA10792e77b2a6bd9853a50414f1cca1be6a6243849
SHA256441fee748e7fd9ee4b1b540d46f62f2ab7c304b4aedcae6bdcabe137077ae305
SHA51262b27084b20ddebaed253026899be7d8285f11fa9d6067a25a1c76d1720cb63c6e298e5ef467c965c8fb72a3059489d0939c2eab1c6bd6bdff779de8b7d34e41
-
Filesize
5.2MB
MD5c101716ba06d88bc7ce96b02a5ac9589
SHA1a7798a746451e74b607ff35c0dfe208c409bc5f7
SHA256223322ecc5f8306c8a6cfd3582086fcd0f71c875cf706c10ea8f582157a511d4
SHA5122b338adf122953fc29b6de439a83477ae797a4edcf0b1b1cb1e3aa9d1877d6e8f1574365e588a87f5ae4e63137fa205d29bb54f78c801439df0cbedd5ccc8b3b
-
Filesize
1.7MB
MD54c71aa73dea7981c367ba1455748f131
SHA1d3540370140c2db696f5857de50ac09e9b3e21fb
SHA256fbd40c2ae57071b7144eadf53cf907e57d6045717b52c168b7d38b28bab4989e
SHA512d2d2a3b4aa1bf9103f1002c4108798c1cb190e5d797cae8020bb9d6afe3cda51052bc7d4f58b727fc6ab50c308f14e45d68254dfc87e4ba0e0d08722d425c5f6
-
Filesize
3.4MB
MD5066940717aa66545b835f951eeed8a2c
SHA16df90e8d15f55883dbf393260f0e55b782aa9106
SHA256ece4240596f2fe4491ecc8fd3211d0a0e6a9f55cbca2bdde9cefd03012adf145
SHA51265b90245b6b4203fc588b4001ad0b02bc88e0e1d5329b3b030bb997ebfa85d73ab5af431ffd38463a1a8b0ec226fdbdd57f09f1213c587fe1fb57cd2e82ddbc8
-
Filesize
3.0MB
MD5f7459dea8322ec4ceb90d5278d6a5176
SHA13b65a49efcb2aa86106884a3ecba1c5be8258261
SHA256e46ac01fd8849d00e934bffad52ff1df8cc1cbace3b0607a9a746d772d731162
SHA51211eca152bc65698f0acccf102e45fc05244369981ca1cfab721affd1d1a19e46efb9742d204d26a9d6c32ad74f0fade54b0721d15ddafb957be6fcb6c8921bda
-
Filesize
3.0MB
MD5fd80439642b730b676a0362ab6ef7afd
SHA189cdf9166b2987cd213e3b8cf6b183a16991fffa
SHA2565ecd1843055e4b56470f18d20eeedd19249a8c47a44e3cfabb83e61b58f24b35
SHA51279cb45bb48cc7dd4ab517a22839c47c5ed1539ab3caad00161578aebd785c41f171fba1cee07ae1c272b6d916c4fb3ad62a9ee684a61a1ee8d9e2b59edd2ba62
-
Filesize
132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
Filesize12KB
MD5e3d1292e3b2a6290dce094f7eb95d3e6
SHA134187c5e5cc23de856f1706aa113892fc0aa6098
SHA25611f41466f704284bc487f6d5d9067b6d4058672111edc884f0f545f14920d5a1
SHA512c22b1e825c9fc0bb843037677be809840d7191c199221b9a3e9b18d2ecbe6dbd49cc0399f18df75ba1ca9f22b8692bc7a20ceb805b8b1543a91d65fa5b7d65a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize23KB
MD5ddba25bfda8c1a3040ae4d2a7ba9b44c
SHA11aa8dfa6d88fca633ad38c459c13fe154a701ba1
SHA256bd89e089ed0c653e4480bc6e4bc0ac308e057dce41d9c3b694a79ed392bc98e9
SHA5122a9b94457d6d8e756c550edd41f420ba7e6157d1db1463e43cc7d1c148514933a34e5f55f30e242abeb79648b01e41942aa0a052d604e89846849d270914fd26
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize5KB
MD541e51342bd5b6c5465c94a7525753e4f
SHA1e7a64d85103f4bf0bfa9bc514be492f96c7b619b
SHA256678a4853f86de105f142423c933d3e4aa4b7f55a43818b0c0e69cc3b9014be5b
SHA51214988e64171b1741e64707b2cf4eea02915837b3563dcb294d0e4409691e85342a5c38da3fc325dbd2c4d24c004d2092a507fe432a92907173878c1a0fd5732e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD5f97869fd586852fed18f781af75d682d
SHA1fb8eea70b1ee080b162eae769a684ae69eb06fce
SHA256ba2f107b87a6b789ee7557cf5719decb207580a81bfd309a01516f705592f280
SHA512046edd84a40dc6a3842953b39981b9a4791dd707e1309b314265fc021c4e3b8321f66b7e6333b44ab258026b3d17d59840f3dfeddbdd8e86d674bd6632737742
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.bin
Filesize15KB
MD5c2efc9a3ca3c99c73d3d905ca4043c66
SHA14c68b549682f2b71fe165f135d8aa9040174aafe
SHA256fe8559e15cce5cf64dabd96d3ba7bfc1f9b5699c91c26dc1ab9b1245e551d4b4
SHA51284d5e2675f0b209d1dcfecc5c327e45ce3dd839c95267dbf9be2bc62005a49dc38951bf640603c4c0125072ee820da40f2b820bacbc8a39ad802d134a60b0d04
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5debf23bf5a52847b913b2c2ba1f39d74
SHA11377392149bc91540ce3ce2d10bee738ee03998b
SHA256bcc5a67ac03e394da6e8eea437c2b9ce0d6a3d9b5515031ec988a76c45f9821b
SHA51290e014aa6900c1ac71d687a7bfb4c5d0986899cdeae52511525c79cffe86ffeb4103a40cb2f4b28039e89fbea82a7e0f5eda37c395e29bc15e1d58962168e91b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5c50ea7964fb255345fca816c7466f952
SHA16f4c547d1ef2d3ef483bd2bbb8813418da71d25e
SHA256343d6cb8e270d5c3f84a43939a053a7b2489e48920a2487a88ecd42b70bbd3ef
SHA5121ce53df0921e57661dc7a1088769cff082f9c9f3165074a3450f6e504623f90d6077f18f41ba4ecb11c9235690954735abbbe778466df57ea5e5b80cf95d6e26
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize15KB
MD53abf0b09784c7140fe39aca4690e1947
SHA11153fde926da062f2e6a426a7bc3483999338916
SHA256bb8d3dc55c903728882b03d36c1706b50b741c36ba0493feb3ea1202f75238f1
SHA512eb3bae478e9173a3ac8a8e923da519f5a4ae1feda69a3f31299333bfa23c6dda07908784a91f1e95e63771059f06bcbd562e93b44c6ca9ac9d6c00d4b44e3665
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD52c3eb7d017eeec1e0700574feadbff64
SHA1902bda458048f82dc93c1120dce17b7357fd206e
SHA256d70f8e9ee55e862322398d0a0c1f286fc9c6904fde3551a54ac403985a8bd85e
SHA512e7e6596fff582fe95d74515d6c58f44ea09c8bd29502938924adae942107652e836efa57d701c600fbbf2a3f8b58959dbc03879729b2fb346aad80189285f9cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\3119cfad-1484-4640-ba47-61c543c023c6
Filesize982B
MD5ae89d5ac523b376960f62941644bd65a
SHA1134a5928032131c08edc339fa7afbed125adf0c7
SHA25660baac4861371d009ad052c63ce0215da68909e566d1115a64d8b62901c6e053
SHA512efabafddac6853b97caa75aadcb2c4ee0badd4b988c98cd741d71cec1481b84b7726fdf7fe06ba7fced43cf90ee9951155857b0c90f821145f577f977a1abf64
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\6b617e23-1d65-48f4-b6a2-5e7b6b3c5306
Filesize671B
MD5500ad66d0aa9cb6b61d5537990e7904f
SHA14aa6f8ae8be19ce85f94d8eb9d0e4d6cded4bbab
SHA2561925ab402acd8ea33902fa162736a8ad68bc4bde5cdb98466833abaf66d60bc8
SHA5127a3f909477b89247bb17155a7ab02423c92592a9e8de0d9bf1bd1d34d3014a83e9fdddc2a091a8a97e90e2281b48704df944930f280811b4767690ae3aa6c7bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\94797d57-bd97-4679-a0c1-f62bbf85108f
Filesize26KB
MD5a40f3c700b5e862f0fb6277a0d7c1486
SHA1293daf9415bad9c0fad4614f5a1c6a5ff0287db7
SHA256144a1d36caa4212db53c3866cc8c778a18680f4065f7cb42c5eddcd75f4bb213
SHA5129825db121c93a3808e1184ae44a0b97c046d3392aaca0d0d1069efea99c46cf8720781187627403d4014f58d4a7e60e7c80b934e6f3b5bfc3c07a1bb14bdf9c9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5bb27fa19a09c35b12cdcd2dae2ba4afc
SHA13e80b33f2efa5d3c3265f5ee1e9ce04acce04950
SHA25600a170ff0f316a63ec19b81cfae719a37b922a01ac1e47134811c5784fb42994
SHA512ce32751664f7aab3b9f3aeae23b9d4d0f9f5f4f4dabd58a6a01fa4c955a3001b3e7547ebbc7a15d8b55556fb9926a8212b8a6028f9c30c8a56121f053addda1b
-
Filesize
16KB
MD59b0794eed1a42f6a8fc83c9d57a1cddd
SHA1b5fe17d5980cbdf3207411808a7903a6e973ebc8
SHA256b40d5a2b00a0c770aef5211f6e1b2faffeaed17904ce4bb65d263363ca11e2e9
SHA512645fc9638613c2e11ff1072ab412ffc35923d67810ee2b6c2711b38eb8550c0ccf56b71d957911af80f6d871c730727d6345d96a3b29b1a740a0e0e5af2355a4
-
Filesize
10KB
MD50afe44f1fc50321301c74f8d33ace74c
SHA10fe85d00ba643615d7c9abb77149a184d7623dea
SHA25689e70331281ce4e5f603eacb127a105756bc9a448aca86be46574fed5cbda582
SHA51248a432b9857528ea89ba6b5fa84b2a2c1309ae505c7d2c6d4fb76a6ceba104976d140e8d3f585812085e0fa0b1488b03b7c81b5e56df5a8fd3a11cc76b4f9fc8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e