Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
Submitted: 19-11-2024 16:59
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240903-en
General
Target: file.exe
Size: 1.7MB
MD5: 8427e384ea4951ee4a5f0b425fa5ad02
SHA1: 08f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA256: 1498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512: b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
SSDEEP: 49152:5TaSFKi7a7mCv13APYbS8Gsfc7fV7pgs93d/4saM:N0iuJmPWSRpLnN/
Malware Config
Extracted: stealc
- mars
- http://185.215.113.206
- url_path: /c4becf79229cb002.php
Extracted: amadey
- 4.42
- 9c9aa5
- http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted: lumma
- https://processhol.sbs/api
Signatures
Amadey family
Cryptbot family
Detects CryptBot payload (1 IoCs)
CryptBot is a C++ stealer that is widely distributed bundled with other software.
resource | yara_rule
- behavioral1/memory/2400-437-0x0000000069CC0000-0x000000006A71B000-memory.dmp | family_cryptbot_v3
Lumma family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a67f6bc70d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a67f6bc70d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a67f6bc70d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a67f6bc70d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a67f6bc70d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a67f6bc70d.exe
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7c2e4077e6.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a67f6bc70d.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DocumentsJEBKJDAFHJ.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a50eb207a3.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d77a1098dd.exe
Downloads MZ/PE file
Uses browser remote debugging (2 TTPs, 4 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
- 2952 | chrome.exe
- 2964 | chrome.exe
- 1216 | chrome.exe
- 3048 | chrome.exe
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DocumentsJEBKJDAFHJ.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a50eb207a3.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DocumentsJEBKJDAFHJ.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a50eb207a3.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d77a1098dd.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d77a1098dd.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7c2e4077e6.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a67f6bc70d.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7c2e4077e6.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a67f6bc70d.exe
Executes dropped EXE (7 IoCs)
pid | Process
- 1628 | DocumentsJEBKJDAFHJ.exe
- 2268 | skotes.exe
- 2400 | a50eb207a3.exe
- 2552 | d77a1098dd.exe
- 812 | 7c2e4077e6.exe
- 2004 | e312acadd9.exe
- 2992 | a67f6bc70d.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | a50eb207a3.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | d77a1098dd.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | 7c2e4077e6.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | a67f6bc70d.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | file.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | DocumentsJEBKJDAFHJ.exe
- Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | skotes.exe
Loads dropped DLL (12 IoCs)
pid | Process
- 2616 | file.exe (2 entries)
- 1692 | cmd.exe
- 1628 | DocumentsJEBKJDAFHJ.exe
- 2268 | skotes.exe (8 entries)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a67f6bc70d.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | a67f6bc70d.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\a67f6bc70d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007458001\\a67f6bc70d.exe" | skotes.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\d77a1098dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007455001\\d77a1098dd.exe" | skotes.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\7c2e4077e6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007456001\\7c2e4077e6.exe" | skotes.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\e312acadd9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007457001\\e312acadd9.exe" | skotes.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral1/files/0x0005000000019c54-226.dat | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid | Process
- 2616 | file.exe
- 1628 | DocumentsJEBKJDAFHJ.exe
- 2268 | skotes.exe
- 2400 | a50eb207a3.exe
- 2552 | d77a1098dd.exe
- 812 | 7c2e4077e6.exe
- 2992 | a67f6bc70d.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
- File created | C:\Windows\Tasks\skotes.job | DocumentsJEBKJDAFHJ.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe (3 entries)
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a50eb207a3.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d77a1098dd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7c2e4077e6.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a67f6bc70d.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | file.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DocumentsJEBKJDAFHJ.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e312acadd9.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a50eb207a3.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a50eb207a3.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Kills process with taskkill (5 IoCs)
pid | Process
- 1652 | taskkill.exe
- 684 | taskkill.exe
- 660 | taskkill.exe
- 1616 | taskkill.exe
- 2732 | taskkill.exe
Modifies registry class (1 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
- 2616 | file.exe (3 entries)
- 3048 | chrome.exe (2 entries)
- 2616 | file.exe (2 entries)
- 1628 | DocumentsJEBKJDAFHJ.exe
- 2268 | skotes.exe
- 2400 | a50eb207a3.exe
- 2552 | d77a1098dd.exe
- 812 | 7c2e4077e6.exe
- 2004 | e312acadd9.exe (2 entries)
- 2992 | a67f6bc70d.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description | pid | Process
- Token: SeShutdownPrivilege | 3048 | chrome.exe (12 entries)
- Token: SeDebugPrivilege | 1652 | taskkill.exe
- Token: SeDebugPrivilege | 684 | taskkill.exe
- Token: SeDebugPrivilege | 660 | taskkill.exe
- Token: SeDebugPrivilege | 1616 | taskkill.exe
- Token: SeDebugPrivilege | 2732 | taskkill.exe
- Token: SeDebugPrivilege | 2764 | firefox.exe (2 entries)
- Token: SeDebugPrivilege | 2992 | a67f6bc70d.exe
Suspicious use of FindShellTrayWindow (49 IoCs)
pid | Process
- 3048 | chrome.exe (34 entries)
- 1628 | DocumentsJEBKJDAFHJ.exe
- 2004 | e312acadd9.exe (6 entries)
- 2764 | firefox.exe (4 entries)
- 2004 | e312acadd9.exe (4 entries)
Suspicious use of SendNotifyMessage (13 IoCs)
pid | Process
- 2004 | e312acadd9.exe (6 entries)
- 2764 | firefox.exe (3 entries)
- 2004 | e312acadd9.exe (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
- PID 2616 wrote to memory of 3048 | 2616 | file.exe | 31 (4 entries)
- PID 3048 wrote to memory of 2088 | 3048 | chrome.exe | 32 (3 entries)
- PID 3048 wrote to memory of 2012 | 3048 | chrome.exe | 33 (3 entries)
- PID 3048 wrote to memory of 1228 | 3048 | chrome.exe | 35 (39 entries)
- PID 3048 wrote to memory of 1676 | 3048 | chrome.exe | 36 (3 entries)
- PID 3048 wrote to memory of 1104 | 3048 | chrome.exe | 37 (12 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\file.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2616
Process (depth 2): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3048
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7259758,0x7fef7259768,0x7fef7259778
PID: 2088
Process (depth 3): C:\Windows\system32\ctfmon.exe
Command line: ctfmon.exe
PID: 2012
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:2
PID: 1228
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:8
PID: 1676
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:8
PID: 1104
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2352 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:1
- Uses browser remote debugging
PID: 2952
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2360 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:1
- Uses browser remote debugging
PID: 2964
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:2
PID: 1376
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2256 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:1
- Uses browser remote debugging
PID: 1216
Process (depth 3): C:\Program Files\Google\Chrome\Application\chrome.exe
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 --field-trial-handle=1368,i,17285827660997567278,16534940477532560198,131072 /prefetch:8
PID: 1700
Process (depth 2): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsJEBKJDAFHJ.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1692
Process (depth 3): C:\Users\Admin\DocumentsJEBKJDAFHJ.exe
Command line: "C:\Users\Admin\DocumentsJEBKJDAFHJ.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID: 1628
Process (depth 4): C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2268
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\1007450001\a50eb207a3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1007450001\a50eb207a3.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID: 2400
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\1007455001\d77a1098dd.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1007455001\d77a1098dd.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2552
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\1007456001\7c2e4077e6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1007456001\7c2e4077e6.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 812
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\1007457001\e312acadd9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1007457001\e312acadd9.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2004
Process (depth 6): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM firefox.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1652
Process (depth 6): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM chrome.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 684
Process (depth 6): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM msedge.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 660
Process (depth 6): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM opera.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1616
Process (depth 6): C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /F /IM brave.exe /T
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2732
Process (depth 6): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
PID: 2884
Process (depth 7): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2764
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.0.1073320381\2036523646" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1236 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {99526c8b-3ea7-475e-8dc2-cd84f2c6d763} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 1356 44da958 gpu
PID: 1336
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.1.1444517968\522306360" -parentBuildID 20221007134813 -prefsHandle 1520 -prefMapHandle 1516 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd4d0daf-ef14-4b0f-9eb5-5a1b279585cb} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 1548 43f0b58 socket
PID: 2804
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.2.934866032\1828688273" -childID 1 -isForBrowser -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 664 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc6fc718-bc47-4702-9b21-5451d36813ff} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 2144 1a0a0f58 tab
PID: 1584
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.3.944710103\1006616546" -childID 2 -isForBrowser -prefsHandle 2908 -prefMapHandle 2904 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 664 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65bc8aab-7b15-401e-bf6e-254243ca04ed} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 2920 1a2d0858 tab
PID: 2412
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.4.2139675544\2135361471" -childID 3 -isForBrowser -prefsHandle 3772 -prefMapHandle 3768 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 664 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38e18c3b-03a3-469f-84ba-ed9d5dac73c0} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 3760 1c477358 tab
PID: 468
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.5.508301637\423014435" -childID 4 -isForBrowser -prefsHandle 3884 -prefMapHandle 3888 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 664 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {039f9f9c-42ca-4347-8a4d-3290705d8889} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 3872 1f028e58 tab
PID: 808
Process (depth 8): C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2764.6.1743821169\1092025407" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 4052 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 664 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {70ef02a4-2a6b-4132-9a9a-1cc4fbedfffa} 2764 "\\.\pipe\gecko-crash-server-pipe.2764" 4036 2115ae58 tab
PID: 1688
Process (depth 5): C:\Users\Admin\AppData\Local\Temp\1007458001\a67f6bc70d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1007458001\a67f6bc70d.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2992
Process (depth 1): C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID: 2412
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Modify Authentication Process (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (4)
  - Credentials In Files (4)
Downloads
-
Filesize 16B
MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize 16B
MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize 22KB
MD5 2ce8a27fe058ce50069a46096c89b1df
SHA1 e1dbf081d09e8198eab65637155668d97a42be0a
SHA256 1ec59ed99f80970ccbb029126bec27c40637830b051d831e9e015e0f63dab977
SHA512 992f23206d2baf5be9a8c851b7e5e6c645cc9ec0663be1e16083fe3974cbb9c676338177e9f3c5e64ffa452d74018c9b22c1085b9daca8a7c2c53de08fbaa9bd
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize 13KB
MD5 f99b4984bd93547ff4ab09d35b9ed6d5
SHA1 73bf4d313cb094bb6ead04460da9547106794007
SHA256 402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512 cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize 4.2MB
MD5 380a232d2a56b308ffda46696d44ca41
SHA1 413ab9351c25403325fbaec6a549abbe41734417
SHA256 2ead0592bdecc1b63818adb622ef0edc22a39f6855566f40d1aa7d2b1d00cc7f
SHA512 1bbf6b4b546bf094b55707528b5a73783a1e1e50e7948d70cd1c251454cc1c7dd82d0981d030137f78ba14985784d8761eb702687dcf49d17a677ff19fbbd561
-
Filesize 1.8MB
MD5 f6df237f8dc7d584d8836042966a0943
SHA1 8749f7bd027e624de82cfff581962b2eeb6a7dfb
SHA256 e0ba78bf9b945f75349fd5a76290b9b8ff746abd24f15896a277676261499f55
SHA512 a01d4fe202be936549f6a1d465234164a0e315c4725efa85569ce957782ccc904e833db3b2015b173288bfa353b155d649dcff1f2e371e8d010fc197d138f629
-
Filesize 1.7MB
MD5 8427e384ea4951ee4a5f0b425fa5ad02
SHA1 08f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA256 1498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512 b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
-
Filesize 901KB
MD5 ced448790328e3105c0cfc739ce1c049
SHA1 4e5d7352b4272867394b9a2c8878c108d833662d
SHA256 b5aa55ab7b1267b5e806ab6a306816d8198655a7dd68c2af43e11d06e695fb62
SHA512 74a181ce8cdef058a0637231822446ce0c7261f7bc9f0a52db90c357ba9d0046676308370501b925d4a039b0ab7540b21c6b08e963de80f1ec2494add6deee4e
-
Filesize 2.6MB
MD5 233f648404abf3a913b830957f8bd1d5
SHA1 7dd39c8b950694bb87303aae1fc9e778b525a7e4
SHA256 e6524526950e9fca8f5a7d001a678ca62cca94ff03491e8d45d58df263d6381a
SHA512 dc9170603b2f4190496883ec7769c5dc6f1520ebe7be6b2f9b790047a6c92589a71d914887e7f2101807ab7ed1d3fb021ffe339f0e6ec38542df88c22d25b7b5
-
Filesize 442KB
MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 725eaadda1c4d7ca069144a020f235d5
SHA1 e362e38d0f6e054751779fc59b0c2cb0d83c819f
SHA256 d6e7c5000f1e330066a3e512cdb8f9d892aef18de7265af677760a7b6eca5d51
SHA512 92cde257c80e23adbe6cb574e85cc65998664e6dc8fde1856909cd0c8c79222d05150f8917605c93ea0660d8e07132f11913dbadad134b21302f5cb1e15d5e50
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\3c218bcc-bb63-4a82-b6a4-fb425f766bc7
Filesize 745B
MD5 da2842a5d196a2b677b69331ab2e88b7
SHA1 2c340b5075aee18f8af2ecdd8da5a66296b56add
SHA256 4638575fd814b27a273ebf60065eb8574d2d5aae1a52ae2d3a8398d9b121d1cb
SHA512 a82e3dc371ab845ece4670fb19178a96160cbedfef344c4675f99751f0faae8d1f4ddaaa3083c80ba6de0911d15b874b86be1501cbb09d147ab36231ca3091eb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\datareporting\glean\pending_pings\f05bf135-d9d2-4716-a557-c11b2fa5d75b
Filesize 12KB
MD5 81f666b0a553666b9ca3b928aaa58457
SHA1 e08a42b2868d2600cbd5e11363768adaf90e36ce
SHA256 7470f58706209ba794b88dfa9bb7c91ec71a33ae3b8c4f1dfbd32415de3d17c7
SHA512 ecda890cd4def04d84922b412127ffa3e751660288bd5cd621443f3a86b28f86163ab15a46762b57bbdf66cf5eae0a26888616cf94f3e3450c85df1e7af8c5b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize 7KB
MD5 f9db5769f50ffe7245411ad9f86e0aa9
SHA1 077d1fa551a8fb9877a9a5800d2d6f3237c3733c
SHA256 b5ea13880c292b251bc61f25d14867c4809f87e9347eb8b9501524d0087e81fc
SHA512 92d25fabed7075bffc38f0749c413fb657c230bc942076a9e352dd054e7a10b9fb9460859e14706e10d92eb4f07b6e93f2765c51ec46e9f799ca760115a4f17a
-
Filesize 6KB
MD5 78328a2891cf060d6ba77214d7b83c7f
SHA1 931bd872f4ffa2a1fefd3aacd189bd8f6294b015
SHA256 b44a647260870eb2e3630a2ec9ed26e0727764088185d182bfde33fcd3f8034a
SHA512 abbf8d740145fd99d07ccd57f53cd33556c7591ab9b2aaad433a7badfbe1dbd1a7cb2855184c19dce23c2a2f367408144426195d453a0a084125cf475391d61a
-
Filesize 6KB
MD5 f464b4c60f9254f4111ff729b9fe6240
SHA1 ca1d71960366b9afd7f285aa7523d3908dc795e9
SHA256 443ed4c8e7d6ec46bcf1fe6aa77efd36b24735cfd741853458c1b01b70322684
SHA512 39fbecebe96b4eacf5861405866ec60b5d719609aa55efda204c1f6c392cad704714e8d748b069e4dd793296e538278c139f4832e52a804fcee1f6f20dfb4094
-
Filesize 6KB
MD5 dbad89d52e27bf0584b05e14050d69ec
SHA1 8456d2a69ecbdb0255bfc35e1834258e19649aa1
SHA256 555095f667ec243726fb1b2719b4b466d89f95e3dc9d146626989e6bb473b9c0
SHA512 d0cf2809ca9d0a7e59adb04b4ce211824de5d4a1a06f894273443399e0cdbb56a3c555cc7cf5d08781be48d80083961535c2ee13b62941d4b8b563e491f08a78
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 24253d2edc7f64c944edb1e83853ead6
SHA1 e0ce0aba123edfcd5e314ca08d2f65a540fbf939
SHA256 60055af946a684a5f917a05de3a48b4595c49c9a07816b0a2c3764245be1cfe1
SHA512 f024c15da6187578957a08037a2c7025796a9080b007efaf5f04432ad1b634a27059366450234452eb8129cac606a6a257fbbd6ffdb874bdef57e9c7c598d4e7
-
Filesize 593KB
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize 2.0MB
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize 1.8MB
MD5 73897c497394d9f83b016e6377594c5d
SHA1 0243a0aa886487a7e9911aaf1ed5ddb28d983b71
SHA256 8ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa
SHA512 e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e
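The Downloads list above is how the report export presents the dropped and written files: a lone "-" opens each entry, an optional path follows, and then Filesize/MD5/SHA1/SHA256/SHA512, with the label sometimes fused to its value and sometimes followed by the value on the next line. Turning that into indicators by hand is error-prone, so here is an added parser (not code from the report or the sandbox vendor) that reads the list as exported, validates each digest's length and character set, and looks entries up by any hash. SAMPLE_REPORT is an excerpt of three entries copied from the list above, including the 1.7MB entry whose SHA256 matches the submitted file.exe; the helper names are this example's own.

```python
"""Parse the flattened "Downloads" hash list of a sandbox report export.

Added example, not the report's or the vendor's code. SAMPLE_REPORT is an
excerpt of the report's own Downloads list so the parser is checked
against real entries; no hashes are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Expected hex length of each digest the report lists per artifact.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A field label, optionally followed by its value. The export fuses label and
# value ("MD5aefd..."), so the separating whitespace is optional.
FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")


@dataclass
class Artifact:
    path: str | None = None   # absent for memory dumps and unnamed drops
    size: str | None = None   # kept as the report prints it, e.g. "1.7MB"
    hashes: dict[str, str] = field(default_factory=dict)


def _assign(art: Artifact, label: str, value: str) -> None:
    if label == "Filesize":
        art.size = value
    else:
        art.hashes[label] = value.lower()


def parse_downloads(text: str) -> list[Artifact]:
    """Turn the exported list into Artifact records.

    A lone "-" opens each entry; an optional path line follows; each digest
    label is either fused with its value or has the value on the next line.
    Entries without any digest (e.g. the "Downloads" header) are dropped.
    """
    entries: list[Artifact] = []
    current: Artifact | None = None
    pending: str | None = None  # label whose value is on the next line

    def flush() -> None:
        if current is not None and current.hashes:
            entries.append(current)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            flush()
            current, pending = Artifact(), None
            continue
        if current is None:
            current = Artifact()
        if pending:
            _assign(current, pending, line)
            pending = None
            continue
        m = FIELD_RE.match(line)
        if m is None:
            current.path = line          # a path precedes its Filesize line
            continue
        label, value = m.groups()
        if value:
            _assign(current, label, value)
        else:
            pending = label
    flush()
    return entries


def validate(art: Artifact) -> list[str]:
    """Report digests that are missing or not hex of the expected length."""
    problems = []
    for algo, length in HASH_LEN.items():
        value = art.hashes.get(algo)
        if value is None:
            problems.append(f"{algo}: missing")
        elif len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{algo}: expected {length} hex characters, got {value!r}")
    return problems


def find_by_hash(entries: list[Artifact], digest: str) -> Artifact | None:
    """Look an artifact up by any of its digests, case-insensitively."""
    needle = digest.lower()
    for art in entries:
        if needle in art.hashes.values():
            return art
    return None


# Excerpt copied from the report's Downloads list (three of its entries).
SAMPLE_REPORT = r"""
Downloads
-
Filesize
16B
MD5aefd77f47fb84fae5ea194496b44c67a
SHA1dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA2564166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ytcgl2sn.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
MD52ce8a27fe058ce50069a46096c89b1df
SHA1e1dbf081d09e8198eab65637155668d97a42be0a
SHA2561ec59ed99f80970ccbb029126bec27c40637830b051d831e9e015e0f63dab977
SHA512992f23206d2baf5be9a8c851b7e5e6c645cc9ec0663be1e16083fe3974cbb9c676338177e9f3c5e64ffa452d74018c9b22c1085b9daca8a7c2c53de08fbaa9bd
-
Filesize
1.7MB
MD58427e384ea4951ee4a5f0b425fa5ad02
SHA108f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA2561498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
"""

if __name__ == "__main__":
    for art in parse_downloads(SAMPLE_REPORT):
        status = "; ".join(validate(art)) or "ok"
        print(f"{art.hashes.get('SHA256')}  {art.size or '?':>6}  {art.path or '<no path>'}  [{status}]")
```

Entries without a path are the memory dumps and unnamed drops the sandbox collected; the Firefox profile files are the browser's own writes during the run and do not belong in an indicator list, so filter on path before exporting the SHA256 set.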